diff --git a/ceph.spec.in b/ceph.spec.in index 9584d68f33d..dd771a04be3 100644 --- a/ceph.spec.in +++ b/ceph.spec.in @@ -1345,6 +1345,7 @@ install -m 0644 -D udev/50-rbd.rules %{buildroot}%{_udevrulesdir}/50-rbd.rules # sudoers.d install -m 0600 -D sudoers.d/ceph-osd-smartctl %{buildroot}%{_sysconfdir}/sudoers.d/ceph-osd-smartctl +install -m 0600 -D sudoers.d/cephdaemon %{buildroot}%{_sysconfdir}/sudoers.d/cephdaemon %if 0%{?rhel} >= 8 pathfix.py -pni "%{__python3} %{py3_shbang_opts}" %{buildroot}%{_bindir}/* @@ -1492,8 +1493,31 @@ if [ $1 -ge 1 ] ; then fi fi +%pre daemon +# create user +if ! getent passwd | grep -q '^cephdaemon:'; then + useradd -r -s /bin/bash -c "Ceph-daemon user for mgr/ssh" -m cephdaemon +fi +# set up (initially empty) .ssh/authorized_keys file +if ! test -d /home/cephdaemon/.ssh; then + mkdir /home/cephdaemon/.ssh + chown --reference /home/cephdaemon /home/cephdaemon/.ssh + chmod 0700 /home/cephdaemon/.ssh +fi +if ! test -e /home/cephdaemon/.ssh/authorized_keys; then + touch /home/cephdaemon/.ssh/authorized_keys + chown --reference /home/cephdaemon /home/cephdaemon/.ssh/authorized_keys + chmod 0600 /home/cephdaemon/.ssh/authorized_keys +fi +exit 0 + +%postun daemon +userdel -r cephdaemon || true +exit 0 + %files daemon %{_sbindir}/ceph-daemon +%{_sysconfdir}/sudoers.d/cephdaemon %files common %dir %{_docdir}/ceph diff --git a/debian/ceph-daemon.install b/debian/ceph-daemon.install index 44c91cb603c..014e78e1d6a 100644 --- a/debian/ceph-daemon.install +++ b/debian/ceph-daemon.install @@ -1 +1,2 @@ usr/sbin/ceph-daemon +etc/sudoers.d/cephdaemon diff --git a/debian/ceph-daemon.postinst b/debian/ceph-daemon.postinst new file mode 100644 index 00000000000..d0e05652979 --- /dev/null +++ b/debian/ceph-daemon.postinst 
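Review bot: The `%postun daemon` scriptlet in the second ceph.spec.in hunk runs `userdel -r cephdaemon` unconditionally, and RPM also runs the old package's %postun at the end of an upgrade. An upgrade would therefore delete the account and its home directory, including `.ssh/authorized_keys`, just after the new package's `%pre` created them. Restrict it to the erase case: `if [ "$1" -eq 0 ]; then userdel -r cephdaemon || true; fi`. `%pre daemon` also hard-codes `/home/cephdaemon` without passing `-d /home/cephdaemon` to `useradd`, so the `.ssh` steps depend on the host's default home base. The existence test would be tighter as `getent passwd cephdaemon >/dev/null`; debian/ceph-daemon.postinst uses the same `getent passwd | grep` pattern.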
@@ -0,0 +1,67 @@
+#!/bin/sh
+# vim: set noet ts=8:
+# postinst script for ceph-daemon
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# summary of how this script can be called:
+#
+# postinst configure
+# old-postinst abort-upgrade
+# conflictor's-postinst abort-remove in-favour
+# postinst abort-remove
+# deconfigured's-postinst abort-deconfigure in-favour [ ]
+#
+
+# for details, see http://www.debian.org/doc/debian-policy/ or
+# the debian-policy package
+
+
+case "$1" in
+ configure)
+ # create cephdaemon user
+ # 1. create user if not existing
+ if ! getent passwd | grep -q "^cephdaemon:"; then
+ echo -n "Adding system user cephdaemon.."
+ adduser --quiet --system --disabled-password --gecos 'Ceph-dameon user for mgr/ssh' --shell /bin/bash cephdaemon 2>/dev/null || true
+ echo "..done"
+ fi
+
+ # 2. make sure user is unlocked
+ if [ -f /etc/shadow ]; then
+ usermod -U -e '' cephdaemon
+ else
+ usermod -U cephdaemon
+ fi
+
+ # set up (initially empty) .ssh/authorized_keys file
+ if ! test -d /home/cephdaemon/.ssh; then
+ mkdir /home/cephdaemon/.ssh
+ chown --reference /home/cephdaemon /home/cephdaemon/.ssh
+ chmod 0700 /home/cephdaemon/.ssh
+ fi
+ if ! test -e /home/cephdaemon/.ssh/authorized_keys; then
+ touch /home/cephdaemon/.ssh/authorized_keys
+ chown --reference /home/cephdaemon /home/cephdaemon/.ssh/authorized_keys
+ chmod 0600 /home/cephdaemon/.ssh/authorized_keys
+ fi
+
+ ;;
+ abort-upgrade|abort-remove|abort-deconfigure)
+ :
+ ;;
+
+ *)
+ echo "postinst called with unknown argument \`$1'" >&2
+ exit 1
+ ;;
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
diff --git a/debian/ceph-daemon.postrm b/debian/ceph-daemon.postrm
new file mode 100644
index 00000000000..564ffefb6a8
--- /dev/null
+++ b/debian/ceph-daemon.postrm
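Review bot: The `adduser` call in the `configure` branch discards both its error output and its exit status (`2>/dev/null || true`). If account creation fails, the script carries on and only stops under `set -e` at `usermod` or `mkdir`, with a message that does not point at the real cause. It also relies on `adduser --system` placing the home at `/home/cephdaemon`, which the command line does not pin. Adding `--home /home/cephdaemon` and dropping `2>/dev/null || true` would make the later `.ssh` steps deterministic and let a failure surface where it happens. The gecos string reads `Ceph-dameon`, presumably a typo for `Ceph-daemon`.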
@@ -0,0 +1,44 @@ +#!/bin/sh +# postrm script for ceph-daemon +# +# see: dh_installdeb(1) + +set -e + +# summary of how this script can be called: +# * `remove' +# * `purge' +# * `upgrade' +# * `failed-upgrade' +# * `abort-install' +# * `abort-install' +# * `abort-upgrade' +# * `disappear' +# +# for details, see http://www.debian.org/doc/debian-policy/ or +# the debian-policy package + + +case "$1" in + remove) + deluser --remove-home cephdaemon + ;; + + purge) + ;; + + upgrade|failed-upgrade|abort-install|abort-upgrade|disappear) + ;; + + *) + echo "postrm called with unknown argument \`$1'" >&2 + exit 1 + ;; +esac + +# dh_installdeb will replace this with shell code automatically +# generated by other debhelper scripts. + +#DEBHELPER# + +exit 0 diff --git a/debian/rules b/debian/rules index bf079dabbee..be3959c5313 100755 --- a/debian/rules +++ b/debian/rules @@ -60,6 +60,7 @@ override_dh_auto_install: install -D -m 644 src/etc-rbdmap $(DESTDIR)/etc/ceph/rbdmap install -D -m 644 etc/sysctl/90-ceph-osd.conf $(DESTDIR)/etc/sysctl.d/30-ceph-osd.conf install -D -m 600 sudoers.d/ceph-osd-smartctl $(DESTDIR)/etc/sudoers.d/ceph-osd-smartctl + install -D -m 600 sudoers.d/cephdaemon $(DESTDIR)/etc/sudoers.d/cephdaemon install -m 755 src/ceph-daemon/ceph-daemon $(DESTDIR)/usr/sbin/ceph-daemon diff --git a/sudoers.d/cephdaemon b/sudoers.d/cephdaemon new file mode 100644 index 00000000000..cac61b281a1 --- /dev/null +++ b/sudoers.d/cephdaemon @@ -0,0 +1,7 @@ +# allow cephdaemon user to sudo ceph-daemon +cephdaemon ALL=NOPASSWD: /usr/bin/ceph-daemon --image * ls +cephdaemon ALL=NOPASSWD: /usr/bin/ceph-daemon --image * unit * +cephdaemon ALL=NOPASSWD: /usr/bin/ceph-daemon --image * shell * +cephdaemon ALL=NOPASSWD: /usr/bin/ceph-daemon --image * deploy * +cephdaemon ALL=NOPASSWD: /usr/bin/ceph-daemon --image * ceph-volume * +cephdaemon ALL=NOPASSWD: /usr/bin/ceph-daemon --image * rm-daemon *
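Review bot: `deluser --remove-home cephdaemon` in the `remove` branch of debian/ceph-daemon.postrm runs under `set -e` with no guard. A missing account, or a missing `deluser` (postrm cannot count on the package's dependencies still being installed), would make package removal fail. It also discards `.ssh/authorized_keys` on a plain `remove` while the `purge` branch is empty; that kind of state is normally kept until purge. Moving it under `purge)` as `if getent passwd cephdaemon >/dev/null; then deluser --remove-home cephdaemon || true; fi` would cover both. The header comment lists `abort-install` twice.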
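Review bot: Every rule in sudoers.d/cephdaemon names `/usr/bin/ceph-daemon`, but this commit installs the binary as `/usr/sbin/ceph-daemon` (debian/rules, debian/ceph-daemon.install) and `%{_sbindir}/ceph-daemon` (ceph.spec.in). Unless the two directories are merged on the target, the rules will not match, so they should read e.g. `cephdaemon ALL=NOPASSWD: /usr/sbin/ceph-daemon --image * ls`. Separately, sudoers matches command arguments as one concatenated string, so each `*` also matches spaces and further options. The `shell *`, `deploy *` and `unit *` entries therefore constrain very little, and the account should be treated as root-equivalent for any key present in its `authorized_keys`. A comment at the top of the file stating that, and a fixed value or narrower pattern for `--image` if the caller permits, would make the trust boundary explicit. The file is installed 0600, whereas sudo's documented convention for drop-ins is 0440.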