diff --git a/roles/bootstrap/tasks/configure_ssh@linux.yml b/roles/bootstrap/tasks/configure_ssh@linux.yml
index 4373faf..4e07422 100644
--- a/roles/bootstrap/tasks/configure_ssh@linux.yml
+++ b/roles/bootstrap/tasks/configure_ssh@linux.yml
@@ -1,6 +1,24 @@
 #SPDX-License-Identifier: MIT-0
 ---
 # tasks file for bootstrap
+- name: Create directory for MOTD update scripts
+  ansible.builtin.file:
+    force: true
+    group: root
+    owner: root
+    path: /etc/update-motd.d
+    state: directory
+- name: Create MOTD update scripts
+  ansible.builtin.copy:
+    force: true
+    backup: true
+    group: root
+    mode: "0744"
+    owner: root
+    dest: "/etc/update-motd.d/{{ item }}"
+    src: "update-motd.d/{{ item }}"
+    state: present
+  loop: "{{ hostvars[inventory_hostname].vps_service.ssh_motd_script_basenames }}"
 - name: Create hidden SSH directories under users' home directories
   when: hostvars[inventory_hostname].groups.remote.group_name in item.value.groups
   ansible.builtin.file:
@@ -17,7 +35,7 @@
   when: hostvars[inventory_hostname].groups.remote.group_name in item.value.groups and item.value.ssh_authorized_keys is not None and len(item.value.ssh_authorized_keys) > 0
   ansible.builtin.copy:
     backup: true
-    content: "{{ item.value.ssh_authorized_keys.join('\n') }}"
+    content: "{{ '\n'.join(item.value.ssh_authorized_keys) }}"
     dest: "{{ item.value.home | default('/home/' ~ item.value.username) }}/.ssh/authorized_keys"
     # follow: true
     force: true
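Review bot: `state: present` in the Create MOTD update scripts task is not a parameter of `ansible.builtin.copy` (only `ansible.builtin.file` accepts `state`), so the task fails with an unsupported-parameter error before any script is copied; drop that line. The preceding `ansible.builtin.file` task creates `/etc/update-motd.d` without a `mode:`, so its permissions depend on the remote umask, and `force: true` has no effect for `state: directory`; since scripts in that directory are typically executed as root at login, pin it explicitly, e.g. `mode: "0755"`, and remove `force`. The trailing context line `ansible.builtin.file:` belongs to the next task, whose body continues past the hunk.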
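Review bot: The new `content:` value embeds `\n` inside a YAML double-quoted scalar, so YAML converts it to a literal newline before Jinja sees the template, and the join only works because Jinja tolerates a newline inside a string literal; the idiomatic form is the filter with the escape doubled so it reaches Jinja intact, `content: "{{ item.value.ssh_authorized_keys | join('\\n') }}\n"`, which also gives the file the trailing newline authorized_keys is normally written with. The unchanged `when:` on the first context line calls `len(...)`, which Jinja2 does not define (`item.value.ssh_authorized_keys | length > 0` is the filter form), so this task likely errors on every host that reaches it and is worth fixing in the same change. The task's `name:` and the remaining copy arguments lie outside the hunk.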
@@ -29,21 +47,29 @@
     - ensure_files
 - name: Harden SSH security
   block:
+    - name: Create public subdirectory for SSH's SFTP-exclusive user's chroot
+      when: "'sftp' in item.value.services"
+      ansible.builtin.file:
+        group: "{{ item.value.group | default(item.value.username) }}"
+        owner: "{{ item.value.username }}"
+        path: "{{ item.value.home | default('/home/' ~ item.value.username) }}/public"
+        state: directory
+      loop: "{{ lookup('ansible.builtin.dict', hostvars[inventory_hostname].users) }}"
     - name: Set users in group ftp to only be usable with SSH's SFTP service
       when: "'sftp' in item.value.services"
       ansible.builtin.blockinfile:
         backup: true
-        block: |
+        block: |2
+          Match User {{ item.value.username }}
+            ForceCommand internal-sftp -d /public
+            AuthorizedKeysFile {{ item.value.home | default('/home/' ~ item.value.username) }}/.ssh/authorized_keys
+
           Match Group {{ item.value.group | default(item.value.username) }}
             ForceCommand internal-sftp -d /%u
             ChrootDirectory {{ item.value.home | default('/home/' ~ item.value.username) }}
             AllowAgentForwarding no
             AllowTcpForwarding no
             X11Forwarding no
-
-          Match User {{ item.value.username }}
-            ForceCommand internal-sftp -d /public
-            AuthorizedKeysFile {{ item.value.home | default('/home/' ~ item.value.username) }}/.ssh/authorized_keys
         create: true
         group: root
         insertafter: EOF
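Review bot: Every iteration of the Set users in group ftp task writes its `Match` block through `ansible.builtin.blockinfile`, whose default marker is the same `# {mark} ANSIBLE MANAGED BLOCK` for every item, so unless a per-item `marker:` is set below the hunk each user's block replaces the previous one and only the last looped user remains in sshd_config; a marker such as `marker: "# {mark} ANSIBLE MANAGED BLOCK sftp {{ item.value.username }}"` keeps them distinct. The Match User stanza is now placed ahead of Match Group so its `ForceCommand internal-sftp -d /public` wins under sshd's first-match-wins rule for each keyword; that dependency on order deserves a one-line comment inside the block. `ChrootDirectory` is the user's home, which sshd only accepts when that path and every parent directory are root-owned and not group- or world-writable, yet the new Create public subdirectory task only sets ownership on `home/public` and no `mode:`; it is worth confirming that the task creating the home (outside this hunk) enforces `owner: root` and a non-writable mode, otherwise SFTP logins fail with a chroot ownership error. The `|2` indentation indicator is unnecessary here because the first content line `Match User` is not indented more than the block's base. The task's `loop:` and destination path lie outside the hunk.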