diff --git a/NEWS b/NEWS
index 03823f8c920a89b904257482847446d890a037ec..c868bb239b77a469c1fda15de59e0a23835ed811 100644
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,7 @@
+release/005.008 (unreleased)
+
+    [ssh] Add $max_sessions options. [adamhl]
+
 release/005.007 (2017-06-22)
 
     [kerberos] Add option to completely override /etc/krb5.conf using
diff --git a/manifests/ssh/config/sshd.pp b/manifests/ssh/config/sshd.pp
index 2c408d0d28f74be29b8832d168424d5999099965..3c0cbf1486f5ab0b33971a963556ad6f42d622ac 100644
--- a/manifests/ssh/config/sshd.pp
+++ b/manifests/ssh/config/sshd.pp
@@ -26,6 +26,11 @@
 #
 # If $rootloginwithpswd is set to 'no' then we allow root logins using
 # GSSAPI only.
+#
+# $max_sessions: if you want to allow more than the default of 10
+# connections per network connection, set it here. This is particularly
+# useful for bastion hosts.
+# Default: undef
 
 define base::ssh::config::sshd(
   $ensure            = 'present',
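Review bot: The added comment states `Default: undef`, but the parameter added in the next hunk defaults to the string `'NOT DEFINED'`, so the documentation and the code disagree. The comment also says "connections per network connection", whereas sshd's MaxSessions limits the sessions multiplexed over one connection. I would reword it to `# $max_sessions: maximum number of open sessions per network connection (sshd MaxSessions, default 10).` followed by `# Default: 'NOT DEFINED' (no MaxSessions line is written)`. It is also worth noting in the comment that 0 blocks shell, login and subsystem sessions while still permitting forwarding, and that 1 disables multiplexing, since both matter on a bastion host.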
@@ -41,6 +46,7 @@ define base::ssh::config::sshd(
   $listen_ports      = '22',
   $rootloginwithpswd = 'no',
   $pam_duo           = false,
+  $max_sessions      = 'NOT DEFINED',
 ) {
   if ($source) {
     $template = undef
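Review bot: `$max_sessions` is accepted without validation and the template writes it verbatim into sshd_config, so a non-numeric value, or one carrying a newline from external data, would produce a broken or unintended sshd configuration. A guard in the define body before the template is rendered would fail the catalog instead, for example `if $max_sessions != 'NOT DEFINED' and "${max_sessions}" !~ /\A\d+\z/ { fail('max_sessions must be a non-negative integer') }`. The body of the define continues outside this hunk, so any validation already done further down is not visible from here.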
diff --git a/templates/ssh/sshd_config.erb b/templates/ssh/sshd_config.erb
index 7d862da1a0e406e082ada364e92f374d7f848a48..7084e3ce1ae3372b99aff031e3fc7f2e596f584b 100644
--- a/templates/ssh/sshd_config.erb
+++ b/templates/ssh/sshd_config.erb
@@ -121,6 +121,15 @@ Subsystem sftp /usr/lib/openssh/sftp-server
 Match User gitolite
     ForceCommand /usr/share/gitolite/gitolite-wrapper
 <% end -%>
+<%- if (@max_sessions != 'NOT DEFINED') then -%>
+
+<%-   if (@max_sessions <= 10) then -%>
+# Allow fewer sessions
+<%-   else -%>
+# Allow more sessions
+<%-   end -%>
+MaxSessions <%= @max_sessions %>
+<%- end -%>
 <% if (@pam_duo) and (@rootloginwithpswd == 'no') then -%>
 
 # Because we are enabling Duo but root logins cannot use Duo (yet),
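Review bot: The `MaxSessions` line is emitted after the `Match User gitolite` block, and sshd treats every keyword after a Match line as part of that block until the next Match or the end of the file. On hosts where the gitolite section is rendered, the limit would therefore apply to the gitolite user only, and the global limit would silently stay at the default. The new block should move above the first Match section of the template; the conditional that opens the gitolite section starts outside this hunk. Separately, `@max_sessions <= 10` raises in Ruby when the value arrives as a string such as `'20'`, which `@max_sessions.to_i <= 10` would avoid.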