diff --git a/attributes/default.rb b/attributes/default.rb
index 6e98dad..75826f6 100644
--- a/attributes/default.rb
+++ b/attributes/default.rb
@@ -66,6 +66,7 @@ default['ssh']['allow_groups'] = [] # sshd
 default['ssh']['print_motd'] = false # sshd
 default['ssh']['print_last_log'] = false # sshd
+default['ssh']['password_authentication'] = false # sshd
 # set this to nil to let us use the default OpenSSH in case it's not set by the user
 default['ssh']['use_dns'] = nil # sshd
 # set this to nil to let us detect the attribute based on the node platform
diff --git a/templates/default/opensshd.conf.erb b/templates/default/opensshd.conf.erb
index 312050e..8194d13 100644
--- a/templates/default/opensshd.conf.erb
+++ b/templates/default/opensshd.conf.erb
@@ -104,7 +104,7 @@ HostbasedAuthentication no
 # Enable PAM to enforce system wide rules
 UsePAM <%= ((@node['ssh']['use_pam']) ? "yes" : "no" ) %>
 # Disable password-based authentication, it can allow for potentially easier brute-force attacks.
-PasswordAuthentication no
+PasswordAuthentication <%= ((@node['ssh']['password_authentication']) ? "yes" : "no" ) %>
 PermitEmptyPasswords no
 ChallengeResponseAuthentication no
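Review bot: The added `default['ssh']['password_authentication']` attribute has no comment, although it toggles a hardening control and the neighbouring `use_dns` attribute carries one. A line above it such as `# keep false unless key-based login is impossible; true renders "PasswordAuthentication yes" and exposes sshd to password guessing` would tell operators what they are opting into. The default of `false` preserves the value the template previously hard-coded.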
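Review bot: The new ERB expression on the `PasswordAuthentication` line tests plain Ruby truthiness, so any value other than `nil` or `false` renders `PasswordAuthentication yes`, including the strings `"false"` or `"no"` if they arrive through a role or JSON attributes. Because this setting weakens the hardened default, it should fail closed: `PasswordAuthentication <%= (@node['ssh']['password_authentication'] == true) ? "yes" : "no" %>`. The comment above it still reads "Disable password-based authentication" although the value is now configurable; `# Password authentication is off by default because it eases brute-force attacks; enable only via node['ssh']['password_authentication']` would match the new behaviour. The `UsePAM` context line uses the same truthiness pattern, so this may be a template-wide convention worth revisiting.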