diff --git a/roles/common/defaults/main.yml b/roles/common/defaults/main.yml index f4dd2f4..0e328a0 100644 --- a/roles/common/defaults/main.yml +++ b/roles/common/defaults/main.yml @@ -10,4 +10,8 @@ fail2ban_findtime: 3600 fail2ban_bantime: 1209600 fail2ban_ignoreip: 127.0.0.1/8 172.26.0.0/16 192.168.5.0/24 +# Disable SSH passwords. Must use SSH keys. This is OK because we add the keys +# before re-configuring the SSH daemon to disable passwords. +ssh_password_authentication: disabled + # vim: set ts=2 sw=2: diff --git a/roles/common/templates/sshd_config_Debian-11.j2 b/roles/common/templates/sshd_config_Debian-11.j2 index df0aabb..156ce01 100644 --- a/roles/common/templates/sshd_config_Debian-11.j2 +++ b/roles/common/templates/sshd_config_Debian-11.j2 @@ -56,7 +56,11 @@ AuthorizedKeysFile .ssh/authorized_keys #IgnoreRhosts yes # To disable tunneled clear text passwords, change to no here! -#PasswordAuthentication yes +{% if ssh_password_authentication == 'disabled' %} +PasswordAuthentication no +{% else %} +PasswordAuthentication yes +{% endif %} #PermitEmptyPasswords no # Change to yes to enable challenge-response passwords (beware issues with diff --git a/roles/common/templates/sshd_config_Debian-12.j2 b/roles/common/templates/sshd_config_Debian-12.j2 index 7cd6358..946a302 100644 --- a/roles/common/templates/sshd_config_Debian-12.j2 +++ b/roles/common/templates/sshd_config_Debian-12.j2 @@ -56,8 +56,12 @@ AuthorizedKeysFile .ssh/authorized_keys #IgnoreRhosts yes # To disable tunneled clear text passwords, change to no here! +{% if ssh_password_authentication == 'disabled' %} +PasswordAuthentication no +{% else %} PasswordAuthentication yes -PermitEmptyPasswords no +{% endif %} +#PermitEmptyPasswords no # Change to yes to enable challenge-response passwords (beware issues with # some PAM modules and threads) diff --git a/roles/common/templates/sshd_config_Ubuntu-20.04.j2 b/roles/common/templates/sshd_config_Ubuntu-20.04.j2 index 88aabb4..19aa656 100644 
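Review bot: The new default `ssh_password_authentication: disabled` is a free-form string, and the templates in this commit test it with `== 'disabled'`, so any other spelling in an inventory or host_vars override (`disable`, `Disabled`, or a YAML boolean such as `no`) falls through to the branch that renders `PasswordAuthentication yes` — the switch fails open. A boolean default (`ssh_password_authentication: false`, tested in the templates with `{% if not ssh_password_authentication %}`) or an `ansible.builtin.assert` task on the accepted values would make a typo fail the play instead of silently re-enabling passwords. At minimum the comment should state the contract, e.g. `# Accepted values: 'disabled' renders PasswordAuthentication no; any other value renders yes.` The claim that keys are deployed before sshd is reconfigured depends on task ordering that is not part of this diff.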
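Review bot: The context line `# To disable tunneled clear text passwords, change to no here!` directly above the new Jinja block is now misleading, because the value is no longer edited in place but driven by `ssh_password_authentication` from the role defaults; the same stale comment sits above the equivalent blocks in sshd_config_Debian-12.j2 and sshd_config_Ubuntu-20.04.j2. Replace it in all three templates with something like `# PasswordAuthentication is controlled by ssh_password_authentication (roles/common/defaults/main.yml)`. The wording appears to be inherited from the distribution's stock file, so nothing is lost by rewriting it.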
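Review bot: This hunk turns the active `PermitEmptyPasswords no` into the comment `#PermitEmptyPasswords no`, which is unrelated to the password-authentication switch and drops an explicit hardening directive; sshd's documented default is also `no`, so the effective configuration probably does not change, but a commit that disables password logins is an odd place to stop pinning it. Keep the directive active, `PermitEmptyPasswords no`, or, if the intent was to align this template with the Debian-11 and Ubuntu ones that already have it commented out, say so in the commit message. For a hardening template the explicit form is the safer choice regardless of what the stock file ships.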
--- a/roles/common/templates/sshd_config_Ubuntu-20.04.j2 +++ b/roles/common/templates/sshd_config_Ubuntu-20.04.j2 @@ -56,7 +56,11 @@ AuthorizedKeysFile .ssh/authorized_keys #IgnoreRhosts yes # To disable tunneled clear text passwords, change to no here! -#PasswordAuthentication yes +{% if ssh_password_authentication == 'disabled' %} +PasswordAuthentication no +{% else %} +PasswordAuthentication yes +{% endif %} #PermitEmptyPasswords no # Change to yes to enable challenge-response passwords (beware issues with @@ -122,7 +126,6 @@ Subsystem sftp /usr/lib/openssh/sftp-server # AllowTcpForwarding no # PermitTTY no # ForceCommand cvs server -PasswordAuthentication yes # Originally from: https://stribika.github.io/2015/01/04/secure-secure-shell.html # ... but with ciphers and MACs with < 256 bits removed, as NSA's Suite B now
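Review bot: sshd applies the first value it reads for each keyword, so the `PasswordAuthentication no` rendered by this block near line 59 can still be overridden by anything earlier in the file — in particular an `Include /etc/ssh/sshd_config.d/*.conf` line, which stock Ubuntu 20.04 and Debian 12 sshd_config files carry near the top and which this diff does not show, would let a drop-in win (some cloud images place a file there that sets `PasswordAuthentication yes`). The removal of the trailing `PasswordAuthentication yes` in the second hunk is the correct consequence of the same rule at the bottom of this file, and it is worth confirming that neither Debian template carries a similar trailing line, since neither diff shows one. Suggest checking the head of this template and of the two Debian templates for an Include, and adding a task after the sshd restart handler that verifies the effective value with `sshd -T | grep -i '^passwordauthentication'`.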