diff --git a/tests/keycloak.nix b/tests/keycloak.nix
index 4de464d..3313584 100644
--- a/tests/keycloak.nix
+++ b/tests/keycloak.nix
@@ -64,6 +64,7 @@ in {
 
   testScript = ''
     start_all()
+    join_all()
 
     nachtigall.wait_for_unit("system.slice")
     nachtigall.succeed("ping 127.0.0.1 -c 2")
diff --git a/tests/support/global.nix b/tests/support/global.nix
index f5ae1dc..2e68163 100644
--- a/tests/support/global.nix
+++ b/tests/support/global.nix
@@ -12,6 +12,29 @@
     (builtins.readFile ./step/certs/root_ca.crt)
   ];
 
+  services.openssh = {
+    enable = true;
+    openFirewall = true;
+    settings = {
+      PermitRootLogin = lib.mkForce "yes";
+      PermitEmptyPasswords = lib.mkForce "yes";
+      PasswordAuthentication = lib.mkForce true;
+    };
+  };
+
+  security.pam.services.sshd.allowNullPassword = true;
+
+  virtualisation.forwardPorts = let
+    address = (builtins.elemAt config.networking.interfaces.eth0.ipv4.addresses 0).address;
+    lastAddressPart = builtins.elemAt (lib.strings.splitString "." address) 3;
+  in [
+    {
+      from = "host";
+      host.port = 2000 + (lib.strings.toInt lastAddressPart);
+      guest.port = 22;
+    }
+  ];
+
   networking.interfaces.eth0.useDHCP = false;
 
   networking.hosts = {