diff --git a/openssh/config.sls b/openssh/config.sls
index 9fbe895..76a11a1 100644
--- a/openssh/config.sls
+++ b/openssh/config.sls
@@ -36,7 +36,7 @@ ssh_config:
 {%- endif %}
 {% endif %}
-{%- for keyType in ['ecdsa', 'dsa', 'rsa', 'ed25519'] %}
+{%- for keyType in openssh['host_key_algos'].split(',') %}
 {%- set keyFile = "/etc/ssh/ssh_host_" ~ keyType ~ "_key" %}
 {%- set keySize = salt['pillar.get']('openssh:generate_' ~ keyType ~ '_size', False) %}
 {%- if salt['pillar.get']('openssh:provide_' ~ keyType ~ '_keys', False) %}
diff --git a/openssh/defaults.yaml b/openssh/defaults.yaml
index f26d784..4652da6 100644
--- a/openssh/defaults.yaml
+++ b/openssh/defaults.yaml
@@ -19,6 +19,10 @@ openssh:
 dig_pkg: dnsutils
 ssh_moduli: /etc/ssh/moduli
 root_group: root
+ # Prevent merge of array; always override values
+ host_key_algos: ecdsa,ed25519,rsa
+ # To manage/remove DSA:
+ #host_key_algos: dsa,ecdsa,ed25519,rsa
 sshd_config: {}
 ssh_config: {}
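Review bot: The new loop splits `openssh['host_key_algos']` on commas without trimming or filtering, so a value written as `ecdsa, rsa` or with a trailing comma yields elements like ` rsa` or an empty string, and the `keyFile` set on the next line becomes `/etc/ssh/ssh_host_ rsa_key` or `/etc/ssh/ssh_host__key`. Because the value now comes from pillar or config rather than the hard-coded list it replaces, normalise it before use: `{%- for keyType in openssh['host_key_algos'].split(',') | map('trim') | reject('equalto', '') %}`. It would also be worth checking each element against the key types the rest of the loop expects (the `generate_*_size` and `provide_*_keys` pillar keys visible here), so a typo cannot produce a host key path the formula does not otherwise know about. The loop body continues past the hunk, so I cannot see what else `keyType` feeds into.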
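Review bot: The new default `ecdsa,ed25519,rsa` drops `dsa` from the set config.sls iterates over, whereas the hard-coded list it replaces included it, and the comment above it explains the string form but not that the managed set shrinks. Operators whose pillar relied on the formula acting on DSA keys (via `provide_dsa_keys`) now get no action for that type unless they set `host_key_algos` themselves, which the commented example only hints at. Suggest stating this in the comment, e.g. `# Comma-separated host key types to manage; 'dsa' is no longer included by default, so set this key explicitly to keep managing or removing DSA host keys`.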