diff --git a/NEWS b/NEWS
index fa8cdaa07381a4c0dd39a96c6bcf3dfd10ca6ba8..a2a10a521d1cd73bb42d81837a36e717b9c6253e 100644
--- a/NEWS
+++ b/NEWS
@@ -2,6 +2,9 @@ unreleased (2017-??-??)
 
     Starting the work to make the code Puppet 4 compatible. [adamhl]
 
+    [ssh] Add $extra_gssapi_only_users parameter to list accounts extra
+    accounts that should skip Duo. [adamhl]
+
 release/005.009 (2017-07-07)
 
     [ntp] Push "tinker-panic 0" to the top of the ntp.conf file to help
diff --git a/manifests/ssh.pp b/manifests/ssh.pp
index a6e9ff6090c118f423f23f8888e447c4968d8d0d..2f289a0451775805d5701970dcc83ed9749f6585 100644
--- a/manifests/ssh.pp
+++ b/manifests/ssh.pp
@@ -49,6 +49,9 @@
 #
 # Default: undef
 
+# $extra_gssapi_only_users: See documentation in base::ssh::config::sshd.
+# Default: []
+
 class base::ssh(
   $pam_afs               = true,
   $pam_duo               = false,
@@ -65,9 +68,10 @@ class base::ssh(
       '192.168.0.0/16',
       '204.63.224.0/21'
     ],
-  $pubkey                = false,
-  $root_authorized_keys  = undef,
-  $filter_sunetids       = [],
+  $pubkey                  = false,
+  $root_authorized_keys    = undef,
+  $filter_sunetids         = [],
+  $extra_gssapi_only_users = [],
 ){
 
   # Install the openssh server package.
@@ -129,10 +133,11 @@ class base::ssh(
 
   # Install sshd (server) configuration file.
   base::ssh::config::sshd { '/etc/ssh/sshd_config':
-    ensure  => present,
-    pam_duo => $pam_duo,
-    pubkey  => $pubkey,
-    notify  => Service['ssh'],
+    ensure                  => present,
+    pam_duo                 => $pam_duo,
+    pubkey                  => $pubkey,
+    extra_gssapi_only_users => $extra_gssapi_only_users,
+    notify                  => Service['ssh'],
   }
 
   if ($root_authorized_keys) {
diff --git a/manifests/ssh/config/sshd.pp b/manifests/ssh/config/sshd.pp
index 3c0cbf1486f5ab0b33971a963556ad6f42d622ac..b1ec28c865f08e215af6c9716a7a9d878ba1e652 100644
--- a/manifests/ssh/config/sshd.pp
+++ b/manifests/ssh/config/sshd.pp
@@ -32,6 +32,22 @@
 # useful for bastion hosts.
 # Default: undef
 
+# $extra_gssapi_only_users: Due to problems with Duo, we skip Duo for users
+# matching these strings: root,root.*,*.root,admin.*,*.admin. These users
+# can ONLY use GSSAPI (no passwords). If you want to skip accounts IN
+# ADDITION to this list, set this parameter to an array of such
+# accounts. For example, if you want to skip Duo authentication for
+#
+#         root
+#         root.*
+#         *.root
+#         admin.*
+#         *.admin
+#         wallet
+#
+# you would set $extra_gssapi_only_users to ['wallet']
+# Default: []
+
 define base::ssh::config::sshd(
   $ensure            = 'present',
   $gitolite          = false,
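Review bot: The added comment for `$extra_gssapi_only_users` describes the entries as "accounts", but the template joins them into sshd's `Match User` pattern list, where `*`, `?` and a leading `!` are interpreted. The comment should say so, because a wildcard entry widens the set of logins that skip Duo without that being obvious in the calling manifest. I would add a line before `# Default: []` such as `# Entries are sshd_config Match User patterns (wildcards are honoured); every match skips Duo, so keep this list minimal.`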
@@ -47,6 +63,7 @@ define base::ssh::config::sshd(
   $rootloginwithpswd = 'no',
   $pam_duo           = false,
   $max_sessions      = 'NOT DEFINED',
+  $extra_gssapi_only_users = [],
 ) {
   if ($source) {
     $template = undef
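Review bot: `$extra_gssapi_only_users` is accepted with no type or content check, yet its entries end up on the `Match User` line that decides which logins are exempt from Duo. An entry containing a comma, whitespace or a newline would change how sshd parses that line or the lines after it, and a plain string passed instead of an array would only fail later, inside the template. I would fail the catalog early in the define body, for example with `validate_array($extra_gssapi_only_users)` if puppetlabs-stdlib is available to this module, plus a per-entry check against a conservative pattern such as `/\A[A-Za-z0-9._*?-]+\z/`. The define body continues outside the hunk.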
diff --git a/templates/ssh/sshd_config.erb b/templates/ssh/sshd_config.erb
index 635a079d3d353d49d4d6793ff3464ce93c3c1bf2..a0fcf0593c19c41035c96a693136cc8cac427a43 100644
--- a/templates/ssh/sshd_config.erb
+++ b/templates/ssh/sshd_config.erb
@@ -134,7 +134,12 @@ MaxSessions <%= @max_sessions %>
 
 # Because we are enabling Duo but root logins cannot use Duo (yet),
 # we have to configure the authentications for root separately.
-Match User root,root.*,*.root,admin.*,*.admin
+<%-
+  gssapi_only      = ['root', 'root.*', '*.root', 'admin.*', '*.admin']
+  gssapi_only      = admin_users + @extra_gssapi_only_users
+  gssapi_only_list = admin_users.join(',')
+-%>
+Match User <%= gssapi_only_list %>
   AuthenticationMethods gssapi-with-mic
   MaxSessions 3
 <% end -%>
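Review bot: The second and third assignments in the added `<%- … -%>` block read `admin_users`, which is not defined anywhere in this hunk, so rendering would presumably raise a NameError unless the name is set earlier in the template. Even if it is, `gssapi_only_list` is built from `admin_users` alone, so `@extra_gssapi_only_users` never reaches the `Match User` line, and the literal list assigned to `gssapi_only` on the first line is overwritten by the second. I would write `gssapi_only = ['root', 'root.*', '*.root', 'admin.*', '*.admin'] + @extra_gssapi_only_users` followed by `gssapi_only_list = gssapi_only.join(',')`. Since this line controls who bypasses Duo, a template spec asserting the rendered `Match User` value for both an empty and a non-empty extra list would be worth adding. The conditional closed by `<% end -%>` opens outside the hunk.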