diff --git a/components/supervisor/pkg/supervisor/ssh.go b/components/supervisor/pkg/supervisor/ssh.go
index 29ee8550ed70a3..b84f99ab54c1cd 100644
--- a/components/supervisor/pkg/supervisor/ssh.go
+++ b/components/supervisor/pkg/supervisor/ssh.go
@@ -104,6 +104,7 @@ func (s *sshServer) handleConn(ctx context.Context, conn net.Conn) {
 	args = append(args,
 		"-ieD", "-f/dev/null",
 		"-oProtocol 2",
+		"-oAllowUsers gitpod",
 		"-oPasswordAuthentication no",
 		"-oChallengeResponseAuthentication no",
 		"-oPermitRootLogin yes",
@@ -158,6 +159,7 @@ func (s *sshServer) handleConn(ctx context.Context, conn net.Conn) {
 
 	log.WithField("args", args).Debug("sshd flags")
 	cmd := exec.CommandContext(ctx, openssh, args...)
+	cmd = runAsGitpodUser(cmd)
 	cmd.Env = s.envvars
 	cmd.ExtraFiles = []*os.File{socketFD}
 	cmd.Stderr = os.Stderr