diff --git a/openssh/files/sshd_config b/openssh/files/sshd_config
index 43e2566..f26f29d 100644
--- a/openssh/files/sshd_config
+++ b/openssh/files/sshd_config
@@ -102,4 +102,42 @@
 # If you just want the PAM account and session checks to run without
 # PAM authentication, then enable this but set PasswordAuthentication
 # and ChallengeResponseAuthentication to 'no'.
-#UsePAM yes
+UsePAM yes
+
+#AllowAgentForwarding yes
+#AllowTcpForwarding yes
+#GatewayPorts no
+X11Forwarding yes
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+PrintMotd no # pam does that
+#PrintLastLog yes
+#TCPKeepAlive yes
+#UseLogin no
+{% if grains['os_family'] == 'RedHat' %}
+UsePrivilegeSeparation yes # RedHat/Centos 6.4 and earlier currently ship 5.3 (sandbox introduced in OpenSSH 5.9)
+{% else %}
+UsePrivilegeSeparation sandbox # Default for new installations.
+{% endif %}
+#PermitUserEnvironment no
+#Compression delayed
+#ClientAliveInterval 0
+#ClientAliveCountMax 3
+#UseDNS yes
+#PidFile /run/sshd.pid
+#MaxStartups 10:30:100
+#PermitTunnel no
+#ChrootDirectory none
+#VersionAddendum none
+
+# no default banner path
+Banner /etc/ssh/banner
+
+# override default of no subsystems
+Subsystem sftp /usr/lib/ssh/sftp-server
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+# X11Forwarding no
+# AllowTcpForwarding no
+# ForceCommand cvs server
diff --git a/openssh/init.sls b/openssh/init.sls
index 9069302..8727ed3 100644
--- a/openssh/init.sls
+++ b/openssh/init.sls
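Review bot: `X11Forwarding yes` is switched on server-wide in this hunk although upstream's default is `no`; X11 forwarding lets a compromised or hostile server drive the connecting user's X display, so it is normally left off globally and enabled per-host or per-user in a `Match` block, and since the file already templates on `grains['os_family']` it could just as easily take a pillar value, e.g. `X11Forwarding {{ salt['pillar.get']('openssh:x11_forwarding', 'no') }}`. The hard-coded `Subsystem sftp /usr/lib/ssh/sftp-server` path is Arch-specific; Debian-family hosts ship the helper as `/usr/lib/openssh/sftp-server` and RedHat-family hosts as `/usr/libexec/openssh/sftp-server`, so sftp logins on those platforms will fail until the path is driven by the same OS-family switch used for `UsePrivilegeSeparation`. `Banner /etc/ssh/banner` references a file that nothing in this diff manages; either add a `file.managed` for it in init.sls or leave the directive commented out so a missing file does not show up as an error on every sshd start.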
@@ -8,4 +8,43 @@ openssh:
 - name: {{ openssh.service }}
 - require:
 - pkg: {{ openssh.server }}
+ {% if salt['pillar.get']('openssh:provide_dsa_keys', False) %}
+ - file: /etc/ssh/ssh_host_dsa_key
+ - file: /etc/ssh/ssh_host_dsa_key.pub
+ {% endif %}
+ {% if salt['pillar.get']('openssh:provide_rsa_keys', False) %}
+ - file: /etc/ssh/ssh_host_rsa_key
+ - file: /etc/ssh/ssh_host_rsa_key.pub
+ {% endif %}
+{% if salt['pillar.get']('openssh:provide_dsa_keys', False) %}
+ssh_host_dsa_key:
+ file.managed:
+ - name: /etc/ssh/ssh_host_dsa_key
+ - contents_pillar: 'openssh:dsa:private_key'
+ - user: root
+ - mode: 600
+
+ssh_host_dsa_key.pub:
+ file.managed:
+ - name: /etc/ssh/ssh_host_dsa_key.pub
+ - contents_pillar: 'openssh:dsa:public_key'
+ - user: root
+ - mode: 600
+{% endif %}
+
+{% if salt['pillar.get']('openssh:provide_rsa_keys', False) %}
+ssh_host_rsa_key:
+ file.managed:
+ - name: /etc/ssh/ssh_host_rsa_key
+ - contents_pillar: 'openssh:rsa:private_key'
+ - user: root
+ - mode: 600
+
+ssh_host_rsa_key.pub:
+ file.managed:
+ - name: /etc/ssh/ssh_host_rsa_key.pub
+ - contents_pillar: 'openssh:rsa:public_key'
+ - user: root
+ - mode: 600
+{% endif %}
diff --git a/pillar.example b/pillar.example
index cf19c18..cd89e7b 100644
--- a/pillar.example
+++ b/pillar.example
@@ -40,4 +40,19 @@ openssh:
 present: False
 enc: ssh-rsa
 comment: obsolete key - removed
-
+ dsa:
+ private_key: |
+ -----BEGIN DSA PRIVATE KEY-----
+ NOT_DEFINED
+ -----END DSA PRIVATE KEY-----
+ public_key: |
+ ssh-dss NOT_DEFINED
+ provide_dsa_keys: False
+ provide_rsa_keys: False
+ rsa:
+ private_key: |
+ -----BEGIN RSA PRIVATE KEY-----
+ NOT_DEFINED
+ -----END RSA PRIVATE KEY-----
+ public_key: |
+ ssh-rsa NOT_DEFINED
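Review bot: The service state only `require`s the host-key files, so a rotated key pushed through pillar lands on disk without sshd being restarted, and as far as I know sshd only loads host keys at startup, so the old key keeps being served until someone restarts the daemon by hand. Add `- watch:` entries for the same `file:` IDs next to the `require` list (or `- watch_in: - service: openssh` on each `file.managed`) so a key change actually takes effect; `watch` implies `require`, so the ordering guarantee is kept. The `.pub` files are written with `mode: 600`, which is tighter than the `644` the packages install and only hides the public half from unprivileged tooling; I would drop them to `644` to avoid a spurious drift against package defaults. Be aware that every minion matched by the pillar top file receives the identical host key, so the pillar targeting has to be per-host for this to be safe. The `openssh:` state and its service block start outside the hunk.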
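Review bot: The example documents DSA (`ssh-dss`) host keys side by side with RSA without any caveat; DSA host keys are fixed at 1024 bits and OpenSSH clients from 7.0 on refuse `ssh-dss` by default, so a deployment that only provides a DSA key can end up unreachable from current clients. A one-line comment above `dsa:` would save users that surprise, e.g. `# DSA (ssh-dss) host keys are 1024-bit only and rejected by default by OpenSSH >= 7.0 clients; prefer RSA (or ed25519 where the installed sshd supports it).` It is also worth a comment above the first `private_key:` stating that real key material belongs in a per-minion pillar, ideally an encrypted one, and must never be pasted into this example file.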