diff --git a/README.ssh b/README.ssh
new file mode 100644
index 0000000000000000000000000000000000000000..2edf37b849fa4cb4de1ba6ca4319171e65001e57
--- /dev/null
+++ b/README.ssh
@@ -0,0 +1,94 @@
+This README file explains how to use base::ssh.
+
+base::ssh can be used to enable and configure SSH for a system, with or without 
+Duo.
+
+base::ssh is a parameterized class.  If you include or require it without any 
+parametes, here is what happens:
+
+* The appropriate SSH server package is installed.
+* A base::iptables::rule (named "ssh") is installed to allow port 22 
+  connections from a number of subnets.
+* Use the system's default PAM authentication process.
+* A default SSH server config is installed (see below for details).
+* A default SSH client config is installed (see below for details).
+* root's authorized_keys files are deleted, so that nobody can slip in to the 
+  system as root using pubkey authentication.
+* A filter-syslog entry is installed to filter out less-useful SSH log entries.
+
+This class is meant to be subclassed, especially so that you can replace 
+Base::Iptables::Rule['ssh'] with your own 'source' list.  The source list that 
+comes pre-configured is...
+
+* 10.32.0.0/14
+* 10.36.0.0/15
+* 10.39.0.0/16
+* 10.48.0.0/17
+* 171.64.0.0/14
+* 172.16.0.0/12
+* 192.168.0.0/16
+* 204.63.224.0/21
+
+Remember that you may have an upstream firewall that is further restricting 
+access to port 22.
+
+For the SSH server configuration, many things can be customized by overriding 
+various parameters to base::ssh::config::sshd.  Most parameters are booleans or 
+integers.  If you don't customize anything, then the following configuration is 
+made (customizeable parameters are called out):
+
+* Listen on port 22 ('listen_ports' parameter, a comma-separated string).
+* Listen on all addresses ('listen_addresses', a comma-separated string).
+* Disable SSHv1.
+* Only use RSA host keys.
+* Increase the login timeout to 5 minutes.
+* Limit authentication attempts to 5 ('max_tries', an integer).
+* On RHEL-type systems, expicitly enable privilege separation.
+* Disable the old Rhosts and RSA forms of authentication.
+* Disable public-key authentication ('pubkey', a boolean).
+* Disable host-based authentication ('hostbased', boolean).
+* Allow challenge-response authentication, using PAM.
+* Do not allow empty passwords, except for root (meant for use with GSSAPI).
+* Allow GSSAPI authentication.  On new-enough systems, keep the remote Kerberos
+  credentials cache refreshed, if possible.
+* Don't allow password-based root logins ('rootloginwithpswd', boolean).
+* Allow X forwarding, with a display offset of 10.
+* Use TCP keep-alive.
+* Enable sftp.
+
+For the default SSH client configuration, GSSAPI is enabled, and on RHEL 
+6+ GSSAPI key-exchange and GSSAPI DNS trust are enabled.  That's it.
+  
+base::ssh can also be configured to require Duo as a second authentication 
+factor.  To enable this, set the "pam_duo" parameter to true.  When you do 
+that, the following changes are made:
+
+* On Debian wheezy, a backported OpenSSH is installed.
+* In the SSH server configuration, require keyboard-interactive PAM-based 
+  authentication (which triggers Duo) after GSSAPI or password authentication 
+  is complete.
+* Change the PAM configuration to use Duo.
+
+Finally, there are a few other classes that you can use, for some extra 
+functionality:
+
+* If you don't care about failed login attempts, then include 
+  base::ssh::ignore_fail to have login failures removed from your filtered 
+  syslog output.
+
+* If you also are OK with allowing SSH from anywhere, then include 
+  base::ssh::global.
+
+* If you want to allow pubkey-based authentications, then instead of doing the 
+  override yourself you can just include base::ssh::pubkey.  That gets you the 
+  additional benefit of adding successful pubkey authentications to 
+  filter-syslog.
+
+* If you have a system exposed to the Internet, you might want to include 
+  base::ssh::defense, but BE SURE TO TEST IT!  This uses the "recent" iptables 
+  module to start dropping SSH packets from a source if that source has made
+  "limit" connection attempts in the last "secs" seconds.  If this happens, a 
+  message is logged to syslog, and the SSH connection SYN packet is dropped.  
+  "secs" and "limit" are parameters, defaulting to "300" and "3" 
+  (respectively).  Using this class also overrides the SSH server config, 
+  limting the number of authentication attempts to 2 per connection.
diff --git a/manifests/ssh.pp b/manifests/ssh.pp
index ff7ffd7391556d86531556291daf19f3757d6090..32e11a26a11a6b8f3084912f6602f61921ae22df 100644
--- a/manifests/ssh.pp
+++ b/manifests/ssh.pp
@@ -18,8 +18,13 @@ class base::ssh(
     pam_duo => $pam_duo,
   }
 
-  if ($pam_duo) {
-    include base::duo
+  # If we are using Duo, then bring in our Duo config.  We want GECOS off.
+  # This also brings in Duo packages.
+  if $pam_duo {
+    base::duo::config { '/etc/security/pam_duo_ssh.conf':
+      ensure    => present,
+      use_gecos => false,
+    }
   }
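Review bot: The resource title `/etc/security/pam_duo_ssh.conf` in the new `base::duo::config` declaration is the same path that the PAM template hunk in this diff (templates/ssh/etc/pam.d/sshd.erb, `conf=/etc/security/pam_duo_ssh.conf`) hard-codes, so the two must always change together; a comment at the declaration such as `# Path must match the conf= argument in templates/ssh/etc/pam.d/sshd.erb`, or one variable consumed by both, would make that coupling visible. The comment `We want GECOS off` records the choice but not the reason, and a later reader would benefit from knowing why `use_gecos => false` is required for SSH logins. Replacing `include base::duo` with the defined type is only safe if nothing else in the class still references `Class['base::duo']`; the rest of `class base::ssh` is outside this hunk, so that cannot be checked here.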
 
   # Setup /etc/pam.d/sshd to require Duo on regular logins.
@@ -59,12 +64,16 @@ class base::ssh(
   }
 
   # Install ssh (client) configuration file.
-  base::ssh::config::ssh  { '/etc/ssh/ssh_config':  ensure => present }
+  base::ssh::config::ssh { '/etc/ssh/ssh_config':
+    ensure => present,
+    notify => Service['ssh'],
+  }
 
   # Install sshd (server) configuration file.
   base::ssh::config::sshd { '/etc/ssh/sshd_config':
     ensure  => present,
     pam_duo => $pam_duo,
+    notify  => Service['ssh'],
   }
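Review bot: `notify => Service['ssh']` on the client configuration resource `base::ssh::config::ssh { '/etc/ssh/ssh_config':` refreshes the SSH daemon whenever a client-only file changes; sshd does not read ssh_config, so the notify is only needed on the `base::ssh::config::sshd` resource below and can be dropped from the client one. If the intent was ordering rather than a restart, `require`/`before` would express that without a service refresh. The `Service['ssh']` declaration lies outside this hunk, so whether that title is mapped to the `sshd` unit name used on RHEL-type hosts cannot be verified from here; the enclosing `class base::ssh` also starts outside the hunk.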
 
   # Make sure public key authentication to root does not work and clean up
diff --git a/templates/ssh/etc/pam.d/sshd.erb b/templates/ssh/etc/pam.d/sshd.erb
index 8674f6a272a4a10198f088a2acc3bbb6b4c9e8b9..166eddbb63ac206c5a09a83eae2fbb05e83668a4 100644
--- a/templates/ssh/etc/pam.d/sshd.erb
+++ b/templates/ssh/etc/pam.d/sshd.erb
@@ -13,7 +13,7 @@
 #    or not, quit the pam stack
 
 auth    [success=1 default=ignore]  pam_succeed_if.so uid eq 0
-auth    required                    pam_duo.so conf=/etc/security/pam_duo_su.conf
+auth    required                    pam_duo.so conf=/etc/security/pam_duo_ssh.conf
 auth    [success=done default=die]  pam_afs_session.so
 
 ##############################################################################
diff --git a/templates/ssh/sshd_config.erb b/templates/ssh/sshd_config.erb
index 115f2c6c53954974ffe4f1c0e583f4246054804b..b9cc8c88fc20064a7e7ece8ea32037a264f9e3a3 100644
--- a/templates/ssh/sshd_config.erb
+++ b/templates/ssh/sshd_config.erb
@@ -120,7 +120,7 @@ Match User gitolite
 
 # Because we are enabling Duo but root logins cannot use Duo (yet),
 # we have to configure the authentications for root separately.
-Match User root
+Match User root,root.*,*.root,admin.*,*.admin
   AuthenticationMethods gssapi-with-mic
   MaxSessions 3
 <% end -%>
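Review bot: Widening `Match User root` to `Match User root,root.*,*.root,admin.*,*.admin` extends the GSSAPI-only path, which per the comment above exists because those logins cannot use Duo, from the single root account to every account whose name matches one of those glob patterns (anything ending in `.admin` or `.root`, for example), yet the two comment lines before it still describe the exemption as root-only. Update the comment to state which accounts are exempt from the second factor and why, e.g. `# Because we are enabling Duo but root and the root/admin-suffixed service accounts cannot use Duo (yet), their authentication is configured separately.`, and consider whether an explicit account list is preferable to suffix globs, since any newly created account matching a pattern is silently exempt. README.ssh added in this commit does not mention this exemption either. The ERB conditional closed by `<% end -%>` begins outside the hunk.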