diff --git a/manifests/ssh/config/sshd.pp b/manifests/ssh/config/sshd.pp
index a9bf157014ea02aee3dce81796f97b5b5a2a668b..dbe2f5168cf8e5b4b0d571816bcf20b0884e9396 100644
--- a/manifests/ssh/config/sshd.pp
+++ b/manifests/ssh/config/sshd.pp
@@ -30,8 +30,10 @@
 define base::ssh::config::sshd(
   $ensure            = 'present',
   $gitolite          = false,
+  $ed25519           = true,
   $hostbased         = false,
   $pubkey            = false,
+  $password          = true,
   $content           = undef,
   $source            = undef,
   $max_tries         = 5,
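Review bot: The new `$ed25519` and `$password` parameters are untyped and unvalidated, and the template tests them with plain Ruby truthiness (`password ? 'yes' : 'no'`), so a caller who passes the string `password => 'false'` still gets `PasswordAuthentication yes`. That fails open on exactly the setting people will use to harden a host. If the module can depend on puppetlabs-stdlib, add `validate_bool($ed25519, $password)` at the top of the define body, or on Puppet 4+ declare them as `Boolean $password = true`. The define body is outside this hunk, so I cannot tell whether the existing flags are already checked somewhere. Both parameters also need an entry in the define's header documentation, stating the default and that `password` only governs the `PasswordAuthentication` directive.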
diff --git a/templates/ssh/sshd_config.erb b/templates/ssh/sshd_config.erb
index b9cc8c88fc20064a7e7ece8ea32037a264f9e3a3..c0bcaabb8b818153402ec3e73e1bb7f2a8333d99 100644
--- a/templates/ssh/sshd_config.erb
+++ b/templates/ssh/sshd_config.erb
@@ -34,6 +34,11 @@ Protocol 2
 # Only support RSA keys, not DSA keys.
 HostKey /etc/ssh/ssh_host_rsa_key
 
+<% if ed25519 then -%>
+# Also support Ed25519 host keys.
+HostKey /etc/ssh/ssh_host_ed25519_key
+
+<% end -%>
 # Increase the login grace period from 120 seconds to 300 seconds (5 minutes).
 LoginGraceTime 300
 
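Review bot: Nothing visible in this diff creates `/etc/ssh/ssh_host_ed25519_key`, yet `ed25519` defaults to true, so every host using this define gets the `HostKey` line whether or not the key exists. As far as I know sshd only logs a load failure and keeps serving the RSA key, so the likely result is log noise and clients never being offered Ed25519 rather than an outage. Either manage the key in the define (for example an exec of `ssh-keygen -A` guarded by `creates`) or default the parameter to false until the hosts have the key. The context comment `# Only support RSA keys, not DSA keys.` now contradicts the added block; `# Support RSA host keys; DSA is not supported.` would read correctly in both cases.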
@@ -55,7 +60,7 @@ HostbasedAuthentication <%= hostbased ? 'yes' : 'no' %>
 
 # Allow password authentication via PAM, but not empty passwords.
 ChallengeResponseAuthentication yes
-PasswordAuthentication yes
+PasswordAuthentication <%= password ? 'yes' : 'no' %>
 UsePAM yes
 PermitEmptyPasswords no
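Review bot: Setting `password => false` does not actually turn off password logins, because `ChallengeResponseAuthentication yes` and `UsePAM yes` stay unconditional on the neighbouring lines, and keyboard-interactive through PAM will normally still prompt for the account password. Either drive both directives from the parameter, `ChallengeResponseAuthentication <%= password ? 'yes' : 'no' %>`, or, if keyboard-interactive has to stay for a PAM second factor, document that the parameter only disables the `password` method. The context comment `# Allow password authentication via PAM, but not empty passwords.` is also wrong when the parameter is false; `# Password authentication follows the password parameter; empty passwords are never allowed.` would match the new behaviour.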