diff --git a/templates/ssh/sshd_config.erb b/templates/ssh/sshd_config.erb
index 78b784fa82bedb432aff095dd46f29e6f388561a..cbf3aa03cee9f53a7df308c80fe3eee2b4476e05 100644
--- a/templates/ssh/sshd_config.erb
+++ b/templates/ssh/sshd_config.erb
@@ -16,10 +16,9 @@ ListenAddress <%= address %>
   end
 -%>
 Port 22
+
+# Only support protocol version 2.
 Protocol 2
-<% if operatingsystem == 'RedHat' then -%>
-UsePrivilegeSeparation yes
-<% end -%>
 
 # Only support RSA keys, not DSA keys.
 HostKey /etc/ssh/ssh_host_rsa_key
@@ -30,6 +29,11 @@ LoginGraceTime 300
 # Prevent attackers from running long password guessing attacks.
 MaxAuthTries <%= max_tries %>
 
+<% if operatingsystem == 'RedHat' then -%>
+# Some Red Hat systems are old enough that this has to be explicitly enabled.
+UsePrivilegeSeparation yes
+
+<% end -%>
 # Disable all forms of host-based and public key authentication by default,
 # since we use GSS-API (or passwords).
 IgnoreRhosts yes
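Review bot: The `operatingsystem == 'RedHat'` guard around `UsePrivilegeSeparation yes` matches every Red Hat host, while the comment added with it says only some older releases need the explicit setting. OpenSSH deprecated this option in 7.5 and later releases always separate privileges, so newer hosts rendered from this template would presumably log a deprecated-option warning at sshd start. Consider also gating on the release fact, for example `<% if operatingsystem == 'RedHat' and operatingsystemrelease.to_i < FIRST_RELEASE_WITH_DEFAULT then -%>` (placeholder value), and naming the affected releases in the comment. Where the installed OpenSSH supports it, `UsePrivilegeSeparation sandbox` restricts the pre-authentication child further than `yes`.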