diff --git a/data/hostname/tate.softwareheritage.org.yaml b/data/hostname/tate.softwareheritage.org.yaml
index 5c95a08a..77cc105d 100644
--- a/data/hostname/tate.softwareheritage.org.yaml
+++ b/data/hostname/tate.softwareheritage.org.yaml
@@ -1,50 +1,51 @@
 smtp::virtual_aliases:
   - destination: "@%{hiera('phabricator::vhost::name')}"
     alias: "%{hiera('phabricator::user')}"
 smtp::mail_aliases:
   - user: "%{hiera('phabricator::user')}"
     aliases:
       - "| %{hiera('phabricator::basepath')}/phabricator/scripts/mail/mail_handler.php"
 
 ssh::port: 2222
 
 networks:
   eth0:
     address: 128.93.166.12
     netmask: 26
     gateway: 128.93.166.62
   eth1:
     type: private
     address: 192.168.100.30
     netmask: 255.255.255.0
     gateway: 192.168.100.1
 
 apache::rewrite_domains:
   # Must have matching certificates in letsencrypt::certificates
   wg.softwareheritage.org:
     rewrites:
       - "^.*$ https://wiki.softwareheritage.org/index.php?title=Working_groups"
   git.softwareheritage.org:
     rewrites:
       - "^.*$ https://forge.softwareheritage.org/"
 
 
 backups::exclude:
   - /var/lib/mysql
 
 users:
   frankduncan:
     uid: 3000
     full_name: Frank Duncan (Open Tech Strategies)
     shell: /bin/bash
     authorized_keys:
       frankduncan@opentechstrategies.com:
         type: ssh-rsa
         key: AAAAB3NzaC1yc2EAAAABIwAAAQEAwby3zUC+1wufiWRtgU/ayka9g+L66d/gLCr2jHnKsdJILwYft77YIVPmGAIlcpQAagpPmjhZa5+9hUYsJwWSHX9d7z1I0+qUXRIyykc1MUtEqgNyIJjq+90vKkolXmoB7MjvzDGHksYZ7PfbZGjtHqDcdWWj6GpQLjOdLDaupEPgdBMXOLChxW3Hq8kuRpWKRxFkxm2PZTAPtUz2Z49IpCra/vXK00V7nDWYF8tkltgKFr6icYE7SEqA88POMQl5FdTIyQoh7zEm1VgaWbgyjybi6QWQtmX5KMhXMfbo2nnE03VJDFSXSHOhI8UUxigzEv6T3PX0JFJMnbflOUX6Cw==
     groups:
       - www-data
       - "%{lookup('phabricator::group')}"
 
 phabricator::mysql::readonly_usernames:
   - olasd
   - frankduncan
+  - ardumont
diff --git a/site-modules/profile/templates/phabricator/sshd_config.phabricator.erb b/site-modules/profile/templates/phabricator/sshd_config.phabricator.erb
index c62da223..6e88ce09 100644
--- a/site-modules/profile/templates/phabricator/sshd_config.phabricator.erb
+++ b/site-modules/profile/templates/phabricator/sshd_config.phabricator.erb
@@ -1,20 +1,22 @@
 AllowUsers <%= @vcs_user %> <%= @db_ro_users.join(' ') %>
 
 # You may need to tweak these options, but mostly they just turn off everything
 # dangerous.
 
 Port 22
 Protocol 2
 PermitRootLogin no
 PrintMotd no
 PrintLastLog no
 PasswordAuthentication no
 AllowAgentForwarding no
 
+Subsystem sftp /usr/lib/openssh/sftp-server
+
 PidFile /var/run/sshd-phabricator.pid
 
 Match User <%= @vcs_user %>
   AuthorizedKeysFile none
   AuthorizedKeysCommand <%= @ssh_hook %>
   AuthorizedKeysCommandUser <%= @vcs_user %>
   AllowTcpForwarding no