diff --git a/systems/hakurei/reisen-ssh.nix b/systems/hakurei/reisen-ssh.nix
index 4366d304..73fbb0e2 100644
--- a/systems/hakurei/reisen-ssh.nix
+++ b/systems/hakurei/reisen-ssh.nix
@@ -4,7 +4,7 @@
 lib,
 ...
 }: let
- inherit (lib.modules) mkAfter;
+ inherit (lib.modules) mkAfter mkForce;
 sshPort = 41022;
 username = "tf-proxmox";
 sshJump = pkgs.writeShellScript "ssh-jump-${username}" ''
@@ -28,15 +28,14 @@ in {
 services.openssh = {
 ports = mkAfter [ sshPort ];
- settings = {
- KbdInteractiveAuthentication = true;
- PasswordAuthentication = true;
- };
 extraConfig = mkAfter ''
 Match User ${username}
+ KbdInteractiveAuthentication yes
 ForceCommand ${sshJump}
 '';
 };
+ # required for kbd or password authentication
+ security.pam.services.sshd.unixAuth = mkForce true;
 networking.firewall.allowedTCPPorts = [ sshPort ];
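Review bot: `security.pam.services.sshd.unixAuth = mkForce true;` applies to the whole sshd PAM service, while the `KbdInteractiveAuthentication yes` it supports is scoped to `Match User ${username}`, so the second hunk does not by itself keep password logins limited to that one account. Whether other accounts can now authenticate with a password depends on the global `KbdInteractiveAuthentication` and `PasswordAuthentication` values, which this file no longer sets and which are not visible here. If no shared module already pins them, I would add `settings.KbdInteractiveAuthentication = false;` and `settings.PasswordAuthentication = false;` next to `ports`, so that the Match block is the only exception. The comment above the `mkForce` line could also state what is being overridden, for example `# forced on: sshd's PAM unix auth otherwise follows the global PasswordAuthentication setting; needed for the kbd-interactive login of ${username}` (my reading of the intent, please confirm). Because `sshPort` is opened in the firewall, the password-authenticated account is also worth covering with failed-login monitoring or rate limiting.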