diff --git a/manifests/ssh.pp b/manifests/ssh.pp
index 32e11a26a11a6b8f3084912f6602f61921ae22df..2ca3a5f39c4dd2c6b7dd98ed5c2786e806356372 100644
--- a/manifests/ssh.pp
+++ b/manifests/ssh.pp
@@ -3,6 +3,11 @@
 # system, we lock connections down to campus with iptables by default, and we
 # have a few subclasses that allow things like host keys.
 
+# If you are using AFS, then you can have pam_afs_session placed into the
+# PAM authentication chain.  You should disable this on systems that aren't
+# using OpenAFS.
+# Default: true
+
 # If you want to require Duo on login, set pam_duo to true. This flag will
 # load the appropriate Duo code (via base::duo) and change the sshd_config
 # file so that Duo is required for non-root logins. If you want Duo for
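Review bot: The added comment paragraph never names the parameter it documents, whereas the Duo paragraph directly below says "set pam_duo to true". Naming it tells the reader which value to change and makes the header searchable, e.g. `# If you are using AFS, leave pam_afs set to true so that pam_afs_session is placed into the sshd PAM authentication chain; set it to false on systems that aren't using OpenAFS.`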
@@ -10,6 +15,7 @@
 # Default: false
 
 class base::ssh(
+  $pam_afs = true,
   $pam_duo = false
 ){
 
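Review bot: `$pam_afs` is declared without a type check here and again in `ssh::pam` (manifests/ssh/pam.pp), yet the template tests it with `<% if @pam_afs %>`, where any non-nil string, including `'false'`, is truthy in Ruby. A value that arrives as a string from Hiera or an ENC would therefore keep pam_afs_session.so in the auth stack on a host that was meant to drop it. If the Puppet version in use supports typed parameters, `Boolean $pam_afs = true,` closes this; otherwise `validate_bool($pam_afs)` in the class body does the same, assuming puppetlabs-stdlib is available. The existing `$pam_duo` has the same gap, and the header comment of `ssh::pam` still documents only `$pam_duo`.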
@@ -29,6 +35,7 @@ class base::ssh(
 
   # Setup /etc/pam.d/sshd to require Duo on regular logins.
   class { 'ssh::pam':
+    pam_afs => $pam_afs,
     pam_duo => $pam_duo,
   }
 
diff --git a/manifests/ssh/pam.pp b/manifests/ssh/pam.pp
index a74f4888f55d0ddf68b1c5c4b94cff341b74ce71..b9a8dd77ab22978da8dc399a119698344a7e0ff7 100644
--- a/manifests/ssh/pam.pp
+++ b/manifests/ssh/pam.pp
@@ -6,6 +6,7 @@
 # Currently, only Debian is supported when $pam_duo is true.
 
 class ssh::pam (
+  $pam_afs = true,
   $pam_duo = false
 ){
 
diff --git a/templates/ssh/etc/pam.d/sshd.erb b/templates/ssh/etc/pam.d/sshd.erb
index 166eddbb63ac206c5a09a83eae2fbb05e83668a4..5625053d067949c4ae5c958e4fb50ef1a9348f2a 100644
--- a/templates/ssh/etc/pam.d/sshd.erb
+++ b/templates/ssh/etc/pam.d/sshd.erb
@@ -9,12 +9,16 @@
 #    credential), then "jump over" the pam_duo module to step 3. If not,
 #    go to the next module in the stack (2).
 # 2. If the user is _not_ root, require Duo.
+<% if @pam_afs %>
 # 3. Set up the AFS session and then, whether the AFS sesssion setup works
 #    or not, quit the pam stack
+<% end %>
 
 auth    [success=1 default=ignore]  pam_succeed_if.so uid eq 0
 auth    required                    pam_duo.so conf=/etc/security/pam_duo_ssh.conf
+<% if @pam_afs %>
 auth    [success=done default=die]  pam_afs_session.so
+<% end %>
 
 ##############################################################################
 # account
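Review bot: With pam_afs false the auth section ends at `auth required pam_duo.so`, so the `success=1` jump on the pam_succeed_if line skips the only remaining module and the root path has nothing left that can return success. Linux-PAM generally treats a stack in which no module reports success as a failure, so root logins that reach this stack may be denied on non-AFS hosts; confirm this on a test host before rollout. The false branch needs an explicit terminating module, for example `<% else %>` followed by `auth    required                    pam_permit.so`, which is reached only after pam_duo passes or via the root jump. Step 1 of the header comment still says to jump "to step 3" even when step 3 is not rendered, so that wording should be made conditional too.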