diff --git a/files/scripts/confine-ssh.sh b/files/scripts/confine-ssh.sh
new file mode 100644
index 0000000000..07a448fc46
--- /dev/null
+++ b/files/scripts/confine-ssh.sh
@@ -0,0 +1,16 @@
+#!/bin/sh
+# Confine ssh commands
+case "$SSH_ORIGINAL_COMMAND" in
+*\&*)
+echo "Rejected"
+;;
+*\;*)
+echo "Rejected"
+;;
+rsync\ --server\ --sender*)
+$SSH_ORIGINAL_COMMAND
+;;
+*)
+echo "Rejected"
+;;
+esac
diff --git a/tasks/confine_ssh.yml b/tasks/confine_ssh.yml
new file mode 100644
index 0000000000..914d5ad1eb
--- /dev/null
+++ b/tasks/confine_ssh.yml
@@ -0,0 +1,6 @@
+---
+- name: install the confine-ssh script
+ copy: >
+ src={{files}}/scripts/confine-ssh.sh
+ dest=/usr/local/bin/confine-ssh.sh
+ mode=0755
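Review bot: In files/scripts/confine-ssh.sh the `rsync\ --server\ --sender*)` arm validates only the prefix and then runs the unquoted `$SSH_ORIGINAL_COMMAND`, so every rsync option and every path the client appends is accepted and the key can read whatever the account can read. If the intent is a read-only export of one directory, the `rrsync` script distributed with rsync (`rrsync -ro DIR`) enforces that as the forced command; otherwise the remaining arguments need their own allowlist here. The reject arms also print to stdout and fall through with exit status 0, so a refused command looks successful to the client and leaves no trace for detection. The sketch below keeps the same accept rule but routes all rejections through one helper that logs, writes to stderr and exits non-zero, and uses `exec` so no wrapper shell stays around.

```shell
# Single rejection path: logged, reported on stderr, non-zero status.
reject() {
    logger -t confine-ssh -p auth.warning "rejected: $SSH_ORIGINAL_COMMAND"
    echo "Rejected" >&2
    exit 1
}

case "$SSH_ORIGINAL_COMMAND" in
*[\&\;]*)
    reject
    ;;
rsync\ --server\ --sender\ *)
    # options and paths after the prefix are still unchecked at this point
    exec $SSH_ORIGINAL_COMMAND
    ;;
*)
    reject
    ;;
esac
```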
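Review bot: The copy task in tasks/confine_ssh.yml sets `mode=0755` but no owner or group, so the installed wrapper belongs to whichever user the play runs as. For a forced-command script it is worth pinning `owner=root group=root` in the same task so the confined account can never own or replace the file. Nothing in this commit references the script from an `authorized_keys` `command=` option or an sshd `ForceCommand`, so presumably that wiring lives elsewhere; if it does not, the script is installed but confines nothing.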