diff --git a/buildserver/cookbooks/fdroidbuild-general/recipes/default.rb b/buildserver/cookbooks/fdroidbuild-general/recipes/default.rb
index 9ea5f508..3e0ace87 100644
--- a/buildserver/cookbooks/fdroidbuild-general/recipes/default.rb
+++ b/buildserver/cookbooks/fdroidbuild-general/recipes/default.rb
@@ -118,12 +118,3 @@ else
 command "update-java-alternatives --set java-1.8.0-openjdk-i386"
 end
 end
-
-# Ubuntu trusty 14.04's paramiko does not work with jessie's openssh's default settings
-# https://stackoverflow.com/questions/7286929/paramiko-incompatible-ssh-peer-no-acceptable-kex-algorithm/32691055#32691055
-execute "support-ubuntu-trusty-paramiko" do
- only_if { node[:settings][:ubuntu_trusty] == 'true' }
- command "echo Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr >> /etc/ssh/sshd_config"
- command "echo MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,hmac-sha1 >> /etc/ssh/sshd_config"
- command "echo KexAlgorithms diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1 >> /etc/ssh/sshd_config"
-end
diff --git a/buildserver/provision-ubuntu-trusty-paramiko b/buildserver/provision-ubuntu-trusty-paramiko
new file mode 100644
index 00000000..81a3cd23
--- /dev/null
+++ b/buildserver/provision-ubuntu-trusty-paramiko
@@ -0,0 +1,16 @@ +#!/bin/bash + +# Ubuntu trusty 14.04's paramiko does not work with jessie's openssh's default settings +# https://stackoverflow.com/questions/7286929/paramiko-incompatible-ssh-peer-no-acceptable-kex-algorithm/32691055#32691055 + +if ! grep --quiet ^Ciphers /etc/ssh/sshd_config; then + echo Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr >> /etc/ssh/sshd_config +fi + +if ! grep --quiet ^MACs /etc/ssh/sshd_config; then + echo MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,hmac-sha1 >> /etc/ssh/sshd_config +fi + +if ! grep --quiet ^KexAlgorithms /etc/ssh/sshd_config; then + echo KexAlgorithms diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1 >> /etc/ssh/sshd_config +fi diff --git a/makebuildserver b/makebuildserver index b4a890f4..b4c900ef 100755 --- a/makebuildserver +++ b/makebuildserver @@ -384,7 +384,6 @@ vagrantfile += """ chef.json = { :settings => { :debian_mirror => "%s", - :ubuntu_trusty => "%s", :user => "vagrant" } } @@ -399,9 +398,14 @@ vagrantfile += """ config.vm.provision "file", source: "gradle", destination: "/opt/gradle/bin/gradle" + # let Ubuntu/trusty's paramiko work with the VM instance + if `uname -v`.include? "14.04" + config.vm.provision "shell", path: "provision-ubuntu-trusty-paramiko" + end + end -""" % (config['debian_mirror'], - str('14.04' in os.uname()[3]).lower()) +""" % config['debian_mirror'] + # Check against the existing Vagrantfile, and if they differ, we need to # create a new box:
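Review bot: The appended MACs and KexAlgorithms lists re-enable SHA-1-based entries (`hmac-sha1`, `diffie-hellman-group14-sha1`, `diffie-hellman-group-exchange-sha1`) and `hmac-ripemd160` on the guest's sshd, and nothing in the new script marks them as compatibility fallbacks to be dropped later. A comment above the first `if` would record that, e.g. `# Compatibility only: the SHA-1/RIPEMD entries exist for trusty's paramiko; remove once trusty hosts are unsupported`. The script also never validates the file it has edited, so ending it with `sshd -t` would make a rejected configuration fail the provisioning step rather than surface at the next sshd restart. The `grep --quiet ^Ciphers` style guards are case-sensitive and anchored at column 0, while sshd_config keywords are case-insensitive, so an existing `ciphers` or indented line would be missed and a second, ignored directive appended.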
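Review bot: The added `uname -v` substring test in the second makebuildserver hunk is a loose way to decide whether the guest's sshd gets the weaker cipher/MAC/KEX list. It carries over the logic of the removed `os.uname()[3]` check, but the kernel build string is only a proxy for the host release: as far as I know it does not always contain `14.04` on trusty, and any other host whose build string happens to contain it would get the downgrade too. Asking for the release directly is tighter, e.g. `if %x(lsb_release -rs 2>/dev/null).strip == "14.04"`. The test now runs whenever Vagrant evaluates the Vagrantfile instead of once when makebuildserver writes it, so the generated file is identical on every host; it is worth confirming that the "Check against the existing Vagrantfile" comparison just below the hunk does not depend on the old difference. The enclosing string literal starts outside the hunk.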