diff --git a/install_files/ansible-base/roles/restrict-direct-access/defaults/main.yml b/install_files/ansible-base/roles/restrict-direct-access/defaults/main.yml
index 49ef6e62f85..73d3c8917b3 100644
--- a/install_files/ansible-base/roles/restrict-direct-access/defaults/main.yml
+++ b/install_files/ansible-base/roles/restrict-direct-access/defaults/main.yml
@@ -21,6 +21,11 @@ admin_net_int:
     cmd: "/sbin/route -n get "
     rgx: "(?<=interface: )\\w+"
 
+# Whether to fetch back client-auth settings from the remote hosts.
+# We make this conditional to support disabling during dynamic role includes,
+# required for the ssh-over-lan strategy.
+fetch_tor_client_auth_configs: true
+
 # v2 Tor onion services are on / v3 Tor onion services are off by default for backwards
 # compatibility. Note that new install after 1.0 will have v3 enabled by sdconfig which
 # will override these variables.
diff --git a/install_files/ansible-base/roles/restrict-direct-access/tasks/main.yml b/install_files/ansible-base/roles/restrict-direct-access/tasks/main.yml
index 1127edf4b34..2be2d68ca2f 100644
--- a/install_files/ansible-base/roles/restrict-direct-access/tasks/main.yml
+++ b/install_files/ansible-base/roles/restrict-direct-access/tasks/main.yml
@@ -1,5 +1,6 @@
 ---
 - include: fetch_tor_config.yml
+  when: fetch_tor_client_auth_configs
 
 - include: dh_moduli.yml
 
diff --git a/install_files/ansible-base/securedrop-prod.yml b/install_files/ansible-base/securedrop-prod.yml
index 6526173f94c..87b8421912e 100755
--- a/install_files/ansible-base/securedrop-prod.yml
+++ b/install_files/ansible-base/securedrop-prod.yml
@@ -37,6 +37,9 @@
 - name: Include restrict role early when using ssh over localnet
   include_role:
     name: restrict-direct-access
+    vars:
+      # Don't wait for tor client auth, might not exist yet
+      fetch_tor_client_auth_configs: false
   when:
     - not enable_ssh_over_tor
     - sd_dir_check.stat.exists
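Review bot: The comment on `fetch_tor_client_auth_configs` explains what the flag does but not how it is meant to be set, and this same diff overrides it through `vars:` on an `include_role` rather than in group_vars, so a reader of the defaults file has no pointer to that. I would extend the comment with something like `# Intended to be overridden per include (e.g. the early include_role in securedrop-prod.yml); leave it true for the full role run so fetch_tor_config.yml actually executes.` Keeping `true` as the file-level default is the right choice, because a missed override then fails toward fetching the client-auth material rather than silently skipping it.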
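Review bot: `when: fetch_tor_client_auth_configs` tests the bare variable, which is a well-known Ansible pitfall: a value supplied as `-e fetch_tor_client_auth_configs=false` arrives as the string `"false"`, which is truthy, so the fetch would run despite the operator's intent; the idiomatic guard is `when: fetch_tor_client_auth_configs | bool`. The deprecated `include` directive also leaves it to Ansible whether this is a static import (condition re-evaluated on every task in fetch_tor_config.yml) or a dynamic include (condition evaluated once); `import_tasks` or `include_tasks` would make that explicit, though that is a wider change than this commit. The task list continues past the hunk.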
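Review bot: Passing `fetch_tor_client_auth_configs: false` via `vars:` on `include_role` is all that keeps this early pass from blocking on client-auth files, and in a number of Ansible releases variables given to `include_role` through `vars:` stayed visible to subsequent tasks for the same host instead of being scoped to the included role; if this play applies `restrict-direct-access` again in full later on (not visible in the hunk), I would set `fetch_tor_client_auth_configs: true` explicitly on that include as well, so the later run fetches the client-auth configs regardless of scoping behaviour. The inline comment should also say what "might not exist yet" means for the operator, e.g. `# Early LAN-SSH pass: the Tor client-auth material may not have been generated yet, so skip fetching it here; the later full role run fetches it.`, adjusted to whatever the actual ordering in this play is.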