diff --git a/ssh-server/defaults/main.yml b/ssh-server/defaults/main.yml
index 288625a30568f1c8e2fd5d9219f39d6abbbfb287..90fc1a5aaa49bb7f049355695ea3b4aa7e4db421 100644
--- a/ssh-server/defaults/main.yml
+++ b/ssh-server/defaults/main.yml
@@ -8,3 +8,4 @@ ssh_password_auth: true
 ssh_gssapi: true
 ssh_sftp_options: ""
 ssh_allow_groups: []
+ssh_allow_forwarding: true
diff --git a/ssh-server/templates/sshd_config_stretch.j2 b/ssh-server/templates/sshd_config_stretch.j2
index 67802e9a3e4cd1938f01a9137c3d34042d7fd2b3..2a7a9bc408bf022b3d8563cb5909e35e982fb5b1 100644
--- a/ssh-server/templates/sshd_config_stretch.j2
+++ b/ssh-server/templates/sshd_config_stretch.j2
@@ -56,8 +56,16 @@ PasswordAuthentication {{ 'yes' if ssh_password_auth else 'no' }}
 GSSAPIAuthentication {{ 'yes' if ssh_gssapi else 'no' }}
 #GSSAPICleanupCredentials yes
 
+{% if ssh_allow_forwarding %}
 X11Forwarding yes
 X11DisplayOffset 10
+#AllowAgentForwarding yes
+#AllowTcpForwarding yes
+{% else %}
+X11Forwarding no
+AllowAgentForwarding no
+AllowTcpForwarding no
+{% endif %}
 PrintMotd no
 PrintLastLog yes
 TCPKeepAlive yes