diff --git a/manifests/ssh/config/sshd.pp b/manifests/ssh/config/sshd.pp
index e3b3464ca7cd57736e00eb28aaa4afe872be11b8..af457f2afd5784eab084555f58af38200cb69ba9 100644
--- a/manifests/ssh/config/sshd.pp
+++ b/manifests/ssh/config/sshd.pp
@@ -20,6 +20,9 @@
 #
 # If you want to require Duo on login, set pam_duo to true (defaults to
 # false).
+#
+# If $rootloginwithpswd is set to 'no' then we allow root logins using
+# GSSAPI only.
 
 define base::ssh::config::sshd(
   $ensure            = 'present',
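Review bot: The added comment says root logins are GSSAPI-only whenever $rootloginwithpswd is 'no', but the templates/ssh/sshd_config.erb change in this same commit emits the `Match User root` restriction only when `pam_duo` is also true. The comment should state both conditions, for example `# If pam_duo is true and $rootloginwithpswd is 'no', root logins are restricted to GSSAPI (gssapi-with-mic), because root cannot use Duo.` The define's parameter list continues outside this hunk, so the default for $rootloginwithpswd is not visible here and is worth documenting alongside it.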
diff --git a/templates/ssh/sshd_config.erb b/templates/ssh/sshd_config.erb
index b0f1ad117e4e3f9dd3c631b704a1e01727278db4..27525fde83b43d1e17e500b330d23788b52ece71 100644
--- a/templates/ssh/sshd_config.erb
+++ b/templates/ssh/sshd_config.erb
@@ -105,3 +105,11 @@ Subsystem sftp /usr/lib/openssh/sftp-server
 Match User gitolite
     ForceCommand /usr/share/gitolite/gitolite-wrapper
 <% end -%>
+<% if (@pam_duo) and (@rootloginwithpswd == 'no') then -%>
+
+# Because we are enabling Duo but root logins cannot use Duo (yet),
+# we have to configure the authentications for root separately.
+Match User root
+  AuthenticationMethods gssapi-with-mic
+  MaxSessions 3
+<% end -%>
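Review bot: The new `Match User root` block limits root to `gssapi-with-mic`, but nothing in this hunk shows that GSSAPIAuthentication is enabled in the rendered file. If that setting is conditional elsewhere in the template, root could be left with no usable authentication method, so the guard should either depend on it or the block should set it explicitly. The condition also matches only the literal string 'no', so with pam_duo on and any other value, root presumably falls through to the global authentication settings that the comment says root cannot use with Duo. Because a Match block extends to the next Match or the end of the file, I would also add `# Keep this Match block last: directives appended below it apply to root only.` above it.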