diff --git a/common/defaults/main.yml b/common/defaults/main.yml
index 7bf674bb536d070a306c7bdf13bda43cc91ed808..afa7d3a0edd3f4ffc049f3a3fe3a7a4d498d95ec 100644
--- a/common/defaults/main.yml
+++ b/common/defaults/main.yml
@@ -3,3 +3,9 @@
 
 apt_use_updates: yes
 apt_use_backports: yes
+ssh_authorized_keys: "{{ inventory_dir }}/files/keys"
+ssh_mkhomedir: yes
+ssh_strong_crypto: yes
+ssh_gssapi: yes
+ssh_sftp_options: ""
+ssh_allow_groups: []
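Review bot: `ssh_gssapi: yes` together with the GSSAPI hunk of sshd_config.j2 turns `GSSAPIAuthentication` on by default, whereas the old template left the directive commented out so sshd's built-in default of `no` applied; unless enabling it fleet-wide is intended, `ssh_gssapi: false` preserves current behaviour and lets Kerberos hosts opt in. The renamed variables (`authorized_keys`, `sftpoptions`, `allowedgroups` in the sshd.yml and sshd_config.j2 hunks) are not bridged, so an inventory that still sets the old names silently falls back to these defaults instead of failing; bridging defaults such as `ssh_sftp_options: "{{ sftpoptions | default('') }}"` and `ssh_allow_groups: "{{ allowedgroups | default([]) }}"` keep existing inventories working until they are migrated. The new booleans are spelled `yes`; `true`/`false` is the canonical form and avoids the YAML 1.1/1.2 truthy ambiguity.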
diff --git a/common/files/pam/mkhomedir b/common/files/pam/mkhomedir
new file mode 100644
index 0000000000000000000000000000000000000000..be7b76507a21d177d25c631c12a542cbc41b9ac0
--- /dev/null
+++ b/common/files/pam/mkhomedir
@@ -0,0 +1,6 @@
+Name: Create home directory during login
+Default: yes
+Priority: 900
+Session-Type: Additional
+Session:
+        required        pam_mkhomedir.so umask=0077 skel=/etc/skel
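Review bot: The umask for new home directories is tightened from the `0022` of the line removed from pam/sshd to `0077`, so freshly created homes become mode 0700, and because the profile is installed through pam-auth-update it presumably applies to every PAM session that includes common-session rather than only sshd logins; both look intentional but deserve a sentence in the commit message or the role README. `Default: yes` also means the profile is enabled the first time pam-auth-update runs, independently of the `ssh_mkhomedir` toggle, which only governs whether the file is copied in the sshd.yml hunk.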
diff --git a/common/files/pam/sshd b/common/files/pam/sshd
index 6468e83899eacdad5e39d8b5d0dd20592f0b5436..d70b384bd9a388f3e04f25c47316dbf6677e02d5 100644
--- a/common/files/pam/sshd
+++ b/common/files/pam/sshd
@@ -27,9 +27,6 @@ session    optional     pam_keyinit.so force revoke
 # Standard Un*x session setup and teardown.
 @include common-session
 
-# create home dir
-session    required     pam_mkhomedir.so skel=/etc/skel/ umask=0022
-
 # Print the message of the day upon successful login.
 # This includes a dynamically generated part from /run/motd.dynamic
 # and a static (admin-editable) part from /etc/motd.
diff --git a/common/handlers/main.yml b/common/handlers/main.yml
index d4c2e73b9a1ddd686eedbbdc2346e924f8e2c32f..eaae134a11216d5b19f6d30c0ef653b74025b8ee 100644
--- a/common/handlers/main.yml
+++ b/common/handlers/main.yml
@@ -21,3 +21,6 @@
 
 - name: update timezone
   command: dpkg-reconfigure --frontend noninteractive tzdata
+
+- name: regenerate pam config
+  shell: DEBIAN_FRONTEND=noninteractive pam-auth-update --force
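Review bot: `shell:` is used only to set an environment variable, which Ansible's `environment:` keyword does without spawning a shell: `command: pam-auth-update --force` plus `environment: {DEBIAN_FRONTEND: noninteractive}`. Note that `--force` makes pam-auth-update overwrite the `/etc/pam.d/common-*` files even when it detects local edits, so hand-made changes on a host are discarded every time this handler fires; if that is intended, a comment on the handler saying so, e.g. `# --force discards local edits to /etc/pam.d/common-*`, spares the next reader a trip to the man page.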
diff --git a/common/tasks/software.yml b/common/tasks/software.yml
index e2e54a873117c0759f7b8ab690e14511dea5a173..a0c6604e2753780844c1c79c4dc8c0b83ba35b9a 100644
--- a/common/tasks/software.yml
+++ b/common/tasks/software.yml
@@ -36,22 +36,6 @@
 #  tags:
 #    - packages
 
-- name: ensure we got ourselves protected from sleepiness
-  apt: name=molly-guard state=latest
-  tags:
-    - molly
-    - packages
-    - shell
-    - ssh
-
-- name: ensure screen does not interfere with sleepiness
-  copy: src=molly-guard dest=/etc/molly-guard/rc
-  tags:
-    - molly
-    - config
-    - shell
-    - ssh
-
 - name: remove unused packages
   command: apt-get autoremove -y
   tags:
diff --git a/common/tasks/sshd.yml b/common/tasks/sshd.yml
index d1dea608aaf989792a06650c4f48a5c926f30aba..45b7b0a843ab0e927187b02e1de024ac2373e25a 100644
--- a/common/tasks/sshd.yml
+++ b/common/tasks/sshd.yml
@@ -24,7 +24,7 @@
     - ssh
     - config
 
-- name: ensure home dir creation on first login
+- name: ensure standard pam configuration for sshd
   copy:
     src: pam/sshd
     dest: /etc/pam.d/sshd
@@ -37,6 +37,20 @@
     - ssh
     - config
 
+- name: ensure pam creates a home dir if necessary
+  copy:
+    src: pam/mkhomedir
+    dest: /usr/share/pam-configs/mkhomedir
+    owner: root
+    group: root
+    mode: 0644
+  when: "ssh_mkhomedir"
+  notify:
+    - regenerate pam config
+  tags:
+    - pam
+    - config
+
 - name: ensure sshd is running and enabled
   service:
     name: ssh
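Review bot: Setting `ssh_mkhomedir` to false on a host that already received the profile leaves `/usr/share/pam-configs/mkhomedir` in place and the module active, because the copy task has no removal counterpart, so the toggle cannot switch the behaviour off. A companion task gated on `when: not ssh_mkhomedir` (below) closes that gap; whether `pam-auth-update --force` drops a profile whose file has disappeared, or whether the handler needs `pam-auth-update --remove mkhomedir`, should be confirmed on a test host. `mode: 0644` here and in the molly-guard copy task later in this file is better written as `mode: "0644"` so the YAML parser cannot turn the octal literal into a decimal integer.
```yaml
- name: ensure pam home dir profile is absent when disabled
  file:
    path: /usr/share/pam-configs/mkhomedir
    state: absent
  when: not ssh_mkhomedir
  notify:
    - regenerate pam config
  tags:
    - pam
    - config
```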
@@ -65,7 +79,7 @@
     group: root
     mode: 0600
     remote_src: False
-    src: "{{ authorized_keys }}"
+    src: "{{ ssh_authorized_keys }}"
     backup: True
     ignore_hidden: True
     regexp: "([^+]+|[^+]+\\+([^+]+,)*{{ inventory_hostname }}(,[^+]+)*).pub"
@@ -80,3 +94,26 @@
   tags:
     - ssh
     - packages
+
+- name: ensure we got ourselves protected from sleepiness
+  apt:
+    name: molly-guard
+    state: installed
+  tags:
+    - molly
+    - packages
+    - shell
+    - ssh
+
+- name: ensure screen does not interfere with sleepiness
+  copy:
+    src: molly-guard
+    dest: /etc/molly-guard/rc
+    owner: root
+    group: root
+    mode: 0644
+  tags:
+    - molly
+    - config
+    - shell
+    - ssh
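Review bot: The move from software.yml also changes the package state from `state=latest` to `state: installed`, so molly-guard is no longer upgraded on later runs, and `installed` is, as far as I recall, only a legacy alias of `present` in the apt module. `state: present` is the documented spelling if the new behaviour is wanted, or `state: latest` if the previous upgrade-on-run behaviour was; either way the commit message should mention that the move changes semantics.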
diff --git a/common/templates/sshd_config.j2 b/common/templates/sshd_config.j2
index b6a21640070cabfc3e2dbafa6e981171bd960a3b..0fadada5c25de68f53260cc4684a93b4157e0bd2 100644
--- a/common/templates/sshd_config.j2
+++ b/common/templates/sshd_config.j2
@@ -7,9 +7,11 @@ Port 22
 #ListenAddress ::
 #ListenAddress 0.0.0.0
 Protocol 2
+{% if ssh_strong_crypto %}
 KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
 Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
 MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com
+{% endif %}
 # HostKeys for protocol version 2
 HostKey /etc/ssh/ssh_host_rsa_key
 HostKey /etc/ssh/ssh_host_ed25519_key
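Review bot: When `ssh_strong_crypto` is false the `{% if %}` block emits nothing, so sshd silently falls back to its compiled-in algorithm lists; a comment above the block, `# KexAlgorithms/Ciphers/MACs are only pinned when ssh_strong_crypto is true; otherwise sshd's built-in defaults apply`, makes that explicit. Now that the list sits behind a feature flag it is also worth checking the MACs line it guards: the `hmac-ripemd160` entries were dropped from newer OpenSSH releases, and as far as I know sshd refuses to start on an unknown MAC name, so the "strong" profile may break on current Debian targets unless those entries are removed.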
@@ -59,7 +61,7 @@ ChallengeResponseAuthentication no
 #KerberosTicketCleanup yes
 
 # GSSAPI options
-#GSSAPIAuthentication no
+GSSAPIAuthentication {{ 'yes' if ssh_gssapi else 'no' }}
 #GSSAPICleanupCredentials yes
 
 X11Forwarding yes
@@ -75,11 +77,7 @@ Banner /etc/issue.net
 # Allow client to pass locale environment variables
 AcceptEnv LANG LC_*
 
-{% if sftpoptions is defined %}
-Subsystem sftp /usr/lib/openssh/sftp-server {{ sftpoptions }}
-{% else %}
-Subsystem sftp /usr/lib/openssh/sftp-server
-{% endif %}
+Subsystem sftp /usr/lib/openssh/sftp-server {{ ssh_sftp_options }}
 
 # Set this to 'yes' to enable PAM authentication, account processing,
 # and session processing. If this is enabled, PAM authentication will
@@ -92,6 +90,6 @@ Subsystem sftp /usr/lib/openssh/sftp-server
 # and ChallengeResponseAuthentication to 'no'.
 UsePAM yes
 
-{% for group in allowedgroups %}
+{% for group in ssh_allow_groups %}
 AllowGroups {{ group }}
 {% endfor %}
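Review bot: With the new default `ssh_allow_groups: []` the loop renders no `AllowGroups` line at all, which for sshd means every group may log in; previously an undefined `allowedgroups` would presumably have failed the template rather than silently opening access. If an unrestricted default is intended, say so next to the default in defaults/main.yml, e.g. `# empty list: no AllowGroups directive is emitted, i.e. every group may log in`; otherwise a non-empty default or an `assert` that the list is non-empty keeps the closed-by-default behaviour.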