diff --git a/roles/basessh/templates/sshd_config b/roles/basessh/templates/sshd_config
index 09802c76d8..b54428d3ea 100644
--- a/roles/basessh/templates/sshd_config
+++ b/roles/basessh/templates/sshd_config
@@ -51,8 +51,13 @@ AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
 AcceptEnv XMODIFIERS
 {% if sshd_keyhelper %}
+{% if inventory_hostname.startswith('pkgs') %}
+AuthorizedKeysCommandUser nobody
+AuthorizedKeysCommand /usr/local/bin/ssh_wrapper "%u"
+{% else %}
 AuthorizedKeysCommandUser git
 AuthorizedKeysCommand /usr/libexec/pagure/keyhelper.py "%u" "%h" "%t" "%f"
+{% endif %}
 {% else %}
 AuthorizedKeysCommandUser nobody
 AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
diff --git a/roles/distgit/files/ssh_wrapper b/roles/distgit/files/ssh_wrapper
new file mode 100644
index 0000000000..dd9f3631a8
--- /dev/null
+++ b/roles/distgit/files/ssh_wrapper
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+/usr/bin/sss_ssh_authorizedkeys $1 | while read -r key
+do
+  echo "command=\"PAGURE_CONFIG=/etc/pagure/pagure_hook.cfg HOME=/srv/git/ /usr/libexec/pagure/aclchecker.py $1\", $key"
+done
+
diff --git a/roles/distgit/tasks/main.yml b/roles/distgit/tasks/main.yml
index 79889e375c..e848b05337 100644
--- a/roles/distgit/tasks/main.yml
+++ b/roles/distgit/tasks/main.yml
@@ -106,6 +106,18 @@
   tags:
   - distgit
+# -- SSH
+# We use a wrapper to let packager ssh in while restricting the command they can
+# do, this installs that wrapper (which is otherwise configured in sshd_config)
+
+- name: install the ssh_wrapper wrapper script
+  copy: src=ssh_wrapper dest=/usr/local/bin/ssh_wrapper mode=0755
+  tags:
+  - config
+  - distgit
+  - ssh
+  - basessh
+
 # -- Dist Git --------------------------------------------
 # This is the Git setup itself: group, root directory, scripts,...
 - name: install dist-git
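Review bot: The new `{% if inventory_hostname.startswith('pkgs') %}` branch makes the shared basessh template depend on a file that only the distgit role installs (`/usr/local/bin/ssh_wrapper`, see the third file in this diff); a host whose name starts with `pkgs` but does not run distgit would get an `AuthorizedKeysCommand` pointing at a missing path, and sshd would then return no keys from that command for every login. Selecting the branch on an explicit host variable set alongside the distgit role, e.g. `{% if sshd_distgit_wrapper | default(false) %}` (name constructed, pick whatever matches the inventory conventions), keeps the two roles in step and avoids the hostname-prefix coupling. The surrounding `{% if sshd_keyhelper %}` block appears to continue past the end of this hunk (its closing `{% endif %}` is not visible).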
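Review bot: The `command=` option written by the echo line forces `aclchecker.py` for the session, but on its own it does not stop the same key from requesting a PTY, agent forwarding, X11 forwarding or TCP port forwarding, which the wrapper's stated purpose (restricting what packagers can do) presumably intends to cover; appending the standard restrictions, `echo "command=\"... $1\",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty $key"`, closes that gap as gitolite-style wrappers do. Both uses of `$1` are unquoted (`sss_ssh_authorizedkeys "$1"` and `... aclchecker.py $1\"` inside the option string); sshd only invokes the command for an account that exists, so this is unlikely to be exploitable, but quoting the first one is free, and a short header comment noting that the script is run by sshd as `AuthorizedKeysCommandUser nobody` with the login name as `$1` would help the next reader. If `sss_ssh_authorizedkeys` ever returned lines that already carry options or were empty, the prefix would produce lines sshd rejects (I cannot tell from the hunk what its output format is) — an `[ -n "$key" ] || continue` guard would at least skip blanks.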
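Review bot: The copy task sets `mode=0755` but not owner or group; sshd refuses an `AuthorizedKeysCommand` unless the program is owned by root and not writable by group or others, so the constraint should be stated explicitly rather than inherited from whoever runs the play: `copy: src=ssh_wrapper dest=/usr/local/bin/ssh_wrapper owner=root group=root mode=0755`. The comment above the task ("let packager ssh in while restricting the command they can do") could also name the actual effect, e.g. `# sshd runs this via AuthorizedKeysCommand (see roles/basessh/templates/sshd_config) to prefix each SSSD key with a forced aclchecker.py command`, so readers of this role can find the sshd side of the configuration.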