diff --git a/roles/ssh/defaults/main.yml b/roles/ssh/defaults/main.yml
new file mode 100644
index 0000000..d0bd61b
--- /dev/null
+++ b/roles/ssh/defaults/main.yml
@@ -0,0 +1,4 @@
+---
+
+sshd_x11_forwarding: false
+sshd_password_auth: false
diff --git a/roles/ssh/tasks/main.yml b/roles/ssh/tasks/main.yml
index 23f0e4b..205b6bf 100644
--- a/roles/ssh/tasks/main.yml
+++ b/roles/ssh/tasks/main.yml
@@ -1,28 +1,15 @@
 ---
-- name: Disable SSH root login without password
+- name: Ensure sshd config options set correctly
 lineinfile:
 path: /etc/ssh/sshd_config
- regexp: '^#?PermitRootLogin .*$'
- line: "PermitRootLogin prohibit-password"
+ regexp: "^#?{{ item.key }} .*$"
+ line: "{{ item.key }} {{ item.value }}"
 state: present
 validate: '/usr/sbin/sshd -t -f %s'
 notify: restart ssh
+ with_dict:
+ PermitRootLogin: 'prohibit-password'
+ PasswordAuthentication: "{{ 'yes' if sshd_password_auth else 'no' }}"
+ X11Forwarding: "{{ 'yes' if sshd_x11_forwarding else 'no' }}"
-- name: Disable PasswordAuthentication
- lineinfile:
- path: /etc/ssh/sshd_config
- regexp: '^#PasswordAuthentication .*$'
- line: "PasswordAuthentication no"
- state: present
- validate: '/usr/sbin/sshd -t -f %s'
- notify: restart ssh
-
-- name: Disable X11 forwarding
- lineinfile:
- path: /etc/ssh/sshd_config
- regexp: '^#?X11Forwarding .*$'
- line: "X11Forwarding no"
- state: present
- validate: '/usr/sbin/sshd -t -f %s'
- notify: restart ssh
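Review bot: The two new toggles `sshd_x11_forwarding` and `sshd_password_auth` carry no comment, and since the task file maps them straight onto `X11Forwarding`/`PasswordAuthentication` yes/no, a reader of the defaults alone cannot tell that setting either to `true` loosens the sshd hardening rather than tightening it. Add above them `# Both default to the hardened value; set true only for hosts that genuinely need password logins or X11 forwarding, and record why in the host/group vars.` so the override is made deliberately.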
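Review bot: When a keyword has no existing global line matching `^#?{{ item.key }} .*$`, `lineinfile` appends the new line at the end of `/etc/ssh/sshd_config`, and on a config that ends with a `Match` block that appended directive becomes part of the block rather than the global scope; `sshd -t` accepts all three keywords inside `Match`, so `validate` passes while the global `PasswordAuthentication`/`PermitRootLogin` setting stays as shipped. Add to the module args `insertbefore: '^Match '` and `firstmatch: true` so an appended line lands above the first `Match` block (it still goes to EOF when there is none). Separately, sshd uses the first value it reads for a keyword, so if the target's `sshd_config` begins with an `Include /etc/ssh/sshd_config.d/*.conf` (as recent Debian/Ubuntu images do, where cloud-init often drops in `PasswordAuthentication yes`), a line placed later in the main file is silently overridden; this hunk cannot show whether that applies, so consider managing a drop-in under `sshd_config.d` or asserting the effective value with `sshd -T` in a follow-up task. As a style point, `loop: "{{ sshd_options | dict2items }}"` is the recommended form over `with_dict` and would let the yes/no mapping live in one place.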