diff --git a/doc/puppet_classes/confdroid_ssh_3A_3Aparams.html b/doc/puppet_classes/confdroid_ssh_3A_3Aparams.html
index 968712a..e238d72 100644
--- a/doc/puppet_classes/confdroid_ssh_3A_3Aparams.html
+++ b/doc/puppet_classes/confdroid_ssh_3A_3Aparams.html
@@ -520,6 +520,60 @@
         &mdash;
         <div class='inline'>
 <p>LogLevel setting for sshd_config. Default is ‘INFO’.</p>
+</div>
+      
+    </li>
+  
+    <li>
+      
+        <span class='name'>ssh_password_authentication</span>
+      
+      
+        <span class='type'>(<tt>String</tt>)</span>
+      
+      
+        <em class="default">(defaults to: <tt>&#39;no&#39;</tt>)</em>
+      
+      
+        &mdash;
+        <div class='inline'>
+<p>PasswordAuthentication setting for sshd_config. Default is ‘no’, which requires key-based authentication. This is a recommended security setting, so passwords do not show up in logs, but can be set to ‘yes’ if password authentication is desired.</p>
+</div>
+      
+    </li>
+  
+    <li>
+      
+        <span class='name'>ssh_permit_empty_passwords</span>
+      
+      
+        <span class='type'>(<tt>String</tt>)</span>
+      
+      
+        <em class="default">(defaults to: <tt>&#39;no&#39;</tt>)</em>
+      
+      
+        &mdash;
+        <div class='inline'>
+<p>PermitEmptyPasswords setting for sshd_config. Default is ‘no’, which is a recommended security setting and works in connection with key-based authentication, but can be set to ‘yes’ if password authentication should be allowed and empty passwords should be allowed. Again, this should be used with caution if enabled.</p>
+</div>
+      
+    </li>
+  
+    <li>
+      
+        <span class='name'>ssh_kbd_interactive_auth</span>
+      
+      
+        <span class='type'>(<tt>String</tt>)</span>
+      
+      
+        <em class="default">(defaults to: <tt>&#39;no&#39;</tt>)</em>
+      
+      
+        &mdash;
+        <div class='inline'>
+<p>setting for sshd_config. Default is ‘no’, which is a recommended security setting together with password authentication, but can be set to ‘yes’ if keyboard-interactive authentication should be allowed. (not recommended)</p>
 </div>
       
     </li>
@@ -535,19 +589,6 @@
         <pre class="lines">
 
 
-37
-38
-39
-40
-41
-42
-43
-44
-45
-46
-47
-48
-49
 50
 51
 52
@@ -585,10 +626,26 @@
 84
 85
 86
-87</pre>
+87
+88
+89
+90
+91
+92
+93
+94
+95
+96
+97
+98
+99
+100
+101
+102
+103</pre>
       </td>
       <td>
-        <pre class="code"><span class="info file"># File 'manifests/params.pp', line 37</span>
+        <pre class="code"><span class="info file"># File 'manifests/params.pp', line 50</span>
 
 class confdroid_ssh::params (
 
@@ -618,7 +675,10 @@ class confdroid_ssh::params (
   String  $ssh_hostkey_type                 = &#39;rsa&#39;,
   String  $ssh_rekeylimit                   = &#39;default none&#39;,
   String  $ssh_syslog_facility              = &#39;AUTH&#39;,
-  String  $ssh_log_level                    = &#39;INFO&#39;
+  String  $ssh_log_level                    = &#39;INFO&#39;,
+  String  $ssh_password_authentication      = &#39;no&#39;,
+  String  $ssh_permit_empty_passwords       = &#39;no&#39;,
+  String  $ssh_kbd_interactive_auth         = &#39;no&#39;
 
 ) {
 # default facts
diff --git a/manifests/params.pp b/manifests/params.pp
index 60bc548..cf14bc1 100644
--- a/manifests/params.pp
+++ b/manifests/params.pp
@@ -33,6 +33,19 @@
 #   Default is 'AUTH'.
 # @param [String] ssh_log_level LogLevel setting for sshd_config.
 #   Default is 'INFO'.
+# @param [String] ssh_password_authentication PasswordAuthentication setting 
+#   for sshd_config. Default is 'no', which requires key-based authentication.
+#   This is a recommended security setting, so passwords do not show up in logs, 
+#   but can be set to 'yes' if password authentication is desired.
+# @param [String] ssh_permit_empty_passwords PermitEmptyPasswords setting 
+#   for sshd_config. Default is 'no', which is a recommended security setting 
+#   and works  in connection with key-based authentication, but can be set 
+#   to 'yes' if password authentication should be allowed and empty passwords 
+#   should be allowed. Again, this should be used with caution if enabled.
+# @param [String] ssh_kbd_interactive_auth setting for sshd_config.
+#   Default is 'no', which is a recommended security setting together 
+#   with password authentication, but can be set to 'yes' if 
+#   keyboard-interactive authentication should be allowed. (not recommended)
 ##############################################################################
 class confdroid_ssh::params (
 
@@ -62,7 +75,10 @@ class confdroid_ssh::params (
   String  $ssh_hostkey_type                 = 'rsa',
   String  $ssh_rekeylimit                   = 'default none',
   String  $ssh_syslog_facility              = 'AUTH',
-  String  $ssh_log_level                    = 'INFO'
+  String  $ssh_log_level                    = 'INFO',
+  String  $ssh_password_authentication      = 'no',
+  String  $ssh_permit_empty_passwords       = 'no',
+  String  $ssh_kbd_interactive_auth         = 'no'
 
 ) {
 # default facts
diff --git a/templates/sshd_custom_conf.erb b/templates/sshd_custom_conf.erb
index f6aeb6c..da51d6f 100644
--- a/templates/sshd_custom_conf.erb
+++ b/templates/sshd_custom_conf.erb
@@ -8,11 +8,9 @@
 Port <%= @ssh_fw_port %>
 AddressFamily <%= @ssh_address_family %>
 ListenAddress <%= @ssh_listen_address %> 
-
 <% if @ssh_use_specific_hostkey -%>
 HostKey /etc/ssh/ssh_host_<%= @ssh_hostkey_type %>_key
 <% end -%>
-
 RekeyLimit <%= @ssh_rekeylimit %>
 
 SyslogFacility <%= @ssh_syslog_facility %>
@@ -30,4 +28,7 @@ AuthorizedPrincipalsFile <%= @ssh_authorized_principals_file %>
 AuthorizedKeysCommand <%= @ssh_authorized_keys_command %>
 AuthorizedKeysCommandUser <%= @ssh_authorized_keys_command_user %>
 
-# test
\ No newline at end of file
+PasswordAuthentication <%= @ssh_password_authentication %>
+PermitEmptyPasswords <%= @ssh_permit_empty_passwords %>
+KbdInteractiveAuthentication <%= @ssh_kbd_interactive_auth %>
+
