diff --git a/manifests/ssh/config/sshd.pp b/manifests/ssh/config/sshd.pp
index dc72443e9db63a04871964426a186bf68ef05f53..e6724be3ad742ee91e4d20cb180fc8783076d67b 100644
--- a/manifests/ssh/config/sshd.pp
+++ b/manifests/ssh/config/sshd.pp
@@ -1,12 +1,28 @@
 # Create the sshd configuration.
+# listen_addresses: If you want to restrict the ssh service to listen only at
+# certain addresses, specify with this parameter. Enter them as a
+# comma-delimited list.
+#
+# Examples:
+# listen_addresses => '192.168.1.1,192.168.2.1'
+# listen_addresses => '192.168.1.1:22,192.168.2.1'
+#
+# See the sshd_config man page for what constitutes valid entries.
+#
+# If list_addresses is omitted, then the ListenAddress directive will be
+# omitted from the sshd configuration file (which is equivalent to having
+# sshd listen at _all_ addresses).
+
+
 define base::ssh::config::sshd(
- $ensure = 'present',
- $gitolite = false,
- $hostbased = false,
- $pubkey = false,
- $source = undef,
- $max_tries = 5,
+ $ensure = 'present',
+ $gitolite = false,
+ $hostbased = false,
+ $pubkey = false,
+ $source = undef,
+ $max_tries = 5,
+ $listen_addresses = 'all',
 ) {
 if $source {
 $template = undef
diff --git a/templates/ssh/sshd_config.erb b/templates/ssh/sshd_config.erb
index 27cce33e7c506fb4d64d9a261f85626285e20ce4..a1cdde13281d0695ed99466802b5989b3c8b86e1 100644
--- a/templates/ssh/sshd_config.erb
+++ b/templates/ssh/sshd_config.erb
@@ -79,3 +79,14 @@ Subsystem sftp /usr/lib/openssh/sftp-server
 Match User gitolite
 ForceCommand /usr/share/gitolite/gitolite-wrapper
 <% end -%>
+<%
+ if (listen_addresses != 'all')
+ # Split the addresses at the commas.
+ addresses = listen_addresses.split(',')
+ addresses.each |address| do
+-%>
+ListenAddress <%= address %>
+<%
+ end
+ end
+-%>
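Review bot: The new header comment refers to `If list_addresses is omitted`, but the parameter added below is `$listen_addresses`, and it is not omitted so much as defaulted to the sentinel `'all'`; suggest `# If listen_addresses is left at its default of 'all', no ListenAddress directive is` / `# written, so sshd listens on every address.` so readers know the literal 'all' is what the template tests for. The parameter is also accepted without any validation and, per the template hunk in this commit, is written verbatim into sshd_config, so a typo or an unexpected value only shows up when sshd refuses to load the file on the host; a `validate_re` or typed check for an address list would fail at catalog compile time instead, if puppetlabs-stdlib is available in this module, which I cannot confirm from the hunk. The define's body continues past the end of the hunk.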
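Review bot: The block at `addresses.each |address| do` is not valid Ruby (block parameters go after `do`), so the template raises a SyntaxError precisely when listen_addresses is set to something other than 'all', which is the case this change introduces; it should read `addresses.each do |address|`. Placement is a second problem: the new lines are appended after the `Match User gitolite` block, and in sshd_config a Match block extends to the next Match line or end of file, so whenever gitolite is enabled sshd rejects the rendered file with a "Directive 'ListenAddress' is not allowed within a Match block" error and fails to start or reload, leaving the host without a working ssh service; the ListenAddress lines should be emitted before any Match block, near the Port/AddressFamily settings at the top of the template, which are outside this hunk. Trimming each entry, `listen_addresses.split(',').map(&:strip)`, would also keep `'192.168.1.1, 192.168.2.1'` from producing an entry with leading whitespace.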