diff --git a/lib/src/install/osconfig.rs b/lib/src/install/osconfig.rs
index 3083c8ec..77c9bf50 100644
--- a/lib/src/install/osconfig.rs
+++ b/lib/src/install/osconfig.rs
@@ -18,7 +18,8 @@ pub(crate) fn inject_root_ssh_authorized_keys(
     // While not documented right now, this one looks like it does not newline wrap
     let b64_encoded = ostree_ext::glib::base64_encode(contents.as_bytes());
     // See the example in https://systemd.io/CREDENTIALS/
-    let tmpfiles_content = format!("f~ /root/.ssh/authorized_keys 600 root root - {b64_encoded}\n");
+    let tmpfiles_content =
+        format!("f~ /var/roothome/.ssh/authorized_keys 600 root root - {b64_encoded}\n");
 
     crate::lsm::ensure_dir_labeled(root, ETC_TMPFILES, None, 0o755.into(), sepolicy)?;
     let tmpfiles_dir = root.open_dir(ETC_TMPFILES)?;
@@ -45,7 +46,7 @@ fn test_inject_root_ssh() -> Result<()> {
     let content = root.read_to_string(format!("etc/tmpfiles.d/{ROOT_SSH_TMPFILE}"))?;
     assert_eq!(
         content,
-        "f~ /root/.ssh/authorized_keys 600 root root - c3NoLWVkMjU1MTkgQUJDREUgZXhhbXBsZUBkZW1vCg==\n"
+        "f~ /var/roothome/.ssh/authorized_keys 600 root root - c3NoLWVkMjU1MTkgQUJDREUgZXhhbXBsZUBkZW1vCg==\n"
     );
     Ok(())
 }