diff --git a/NEWS b/NEWS
index 898a887b043799a7008fabadfe6a9edf5a6acda0..d7b0576ec73235303568e2935dd1236a00791e84 100644
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,7 @@
+release/005.003 (2016-12-16)
+
+    [ssh] Add "@" to a few more variables on sshd_config.erb. [adamhl]
+
 release/005.002 (2016-12-13)
 
     [ssh] Change the class "ssh::pam" to "base::ssh::pam".  This should
diff --git a/templates/ssh/sshd_config.erb b/templates/ssh/sshd_config.erb
index e965c7f1d3e949dae8601c8e8a66bb6ab078470c..7d862da1a0e406e082ada364e92f374d7f848a48 100644
--- a/templates/ssh/sshd_config.erb
+++ b/templates/ssh/sshd_config.erb
@@ -34,7 +34,7 @@ Protocol 2
 # Only support RSA keys, not DSA keys.
 HostKey /etc/ssh/ssh_host_rsa_key
 
-<% if ed25519 then -%>
+<% if @ed25519 then -%>
 # Also support Ed25519 host keys.
 HostKey /etc/ssh/ssh_host_ed25519_key
 
@@ -60,7 +60,7 @@ HostbasedAuthentication <%= @hostbased ? 'yes' : 'no' %>
 
 # Allow password authentication via PAM, but not empty passwords.
 ChallengeResponseAuthentication yes
-PasswordAuthentication <%= password ? 'yes' : 'no' %>
+PasswordAuthentication <%= @password ? 'yes' : 'no' %>
 UsePAM yes
 PermitEmptyPasswords no
 
@@ -68,14 +68,14 @@ PermitEmptyPasswords no
 # to add GSSAPIStoreCredentialsOnRekey yes.
 GSSAPIAuthentication yes
 GSSAPICleanupCredentials yes
-<% if (@osfamily != 'RedHat') or (lsbmajdistrelease.to_i() >= 6) then -%>
+<% if (@osfamily != 'RedHat') or (@lsbmajdistrelease.to_i() >= 6) then -%>
 GSSAPIKeyExchange yes
 GSSAPIStrictAcceptorCheck no
 <% end -%>
 <% if (@operatingsystem == 'Debian') and (@lsbdistcodename != 'lenny') then -%>
 GSSAPIStoreCredentialsOnRekey yes
 <% end -%>
-<% if (@osfamily == 'RedHat') and (lsbmajdistrelease.to_i() >= 6) then -%>
+<% if (@osfamily == 'RedHat') and (@lsbmajdistrelease.to_i() >= 6) then -%>
 GSSAPIStoreCredentialsOnRekey yes
 <% end -%>
 <% if (@operatingsystem == 'Ubuntu') then -%>
@@ -84,7 +84,7 @@ GSSAPIStoreCredentialsOnRekey yes
 <% if (@pam_duo) then -%>
 
 # Require both (GSS-API|PASSWORD) and PAM.
-AuthenticationMethods gssapi-with-mic,keyboard-interactive:pam<% if password then %> password,keyboard-interactive:pam<% end %>
+AuthenticationMethods gssapi-with-mic,keyboard-interactive:pam<% if @password then %> password,keyboard-interactive:pam<% end %>
 KerberosAuthentication yes
 <% end -%>