diff --git a/manifests/init.pp b/manifests/init.pp
index 1e71c6f..6f1c8d1 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -1,6 +1,9 @@
 # == Class: ssh
 #
-class ssh ($trusted_ssh_source = 'puppetmaster.openstack.org') {
+class ssh (
+    $trusted_ssh_source = 'puppetmaster.openstack.org',
+    $permit_root_login = 'no',
+) {
     include ::ssh::params
     package { $::ssh::params::package_name:
       ensure => present,
diff --git a/templates/sshd_config.erb b/templates/sshd_config.erb
index 9304fe3..4592a86 100644
--- a/templates/sshd_config.erb
+++ b/templates/sshd_config.erb
@@ -23,7 +23,7 @@ LogLevel INFO
 
 # Authentication:
 LoginGraceTime 120
-PermitRootLogin no
+PermitRootLogin <%= @permit_root_login %>
 StrictModes yes
 
 RSAAuthentication yes