diff --git a/README.md b/README.md
index 3da375e..548b5dd 100644
--- a/README.md
+++ b/README.md
@@ -150,6 +150,28 @@ in ssh_config.
 
 - *Default*: undef
 
+ssh_hostbasedauthentication
+-------------------------
+String for HostbasedAuthentication option in ssh_config. Valid values are 'yes' and 'no'.
+
+- *Default*: undef
+
+
+ssh_strict_host_key_checking
+-----------------------------
+*string* For StrictHostKeyChecking setting in ssh_config. Valid values are
+'yes', 'no' or ask.
+
+- *Default*: ask
+
+ssh_enable_ssh_keysign
+-----------------------------
+*string* For EnableSSHKeysign setting in ssh_config. Valid values are
+'yes' and 'no' or to leave undef which will ensure the setting is not present
+in ssh_config.
+
+- *Default*: undef
+
 sshd_addressfamily
 ----------------
 Specifies the value of the AddressFamily setting in sshd_config. Valid values are 'any', 'inet' (IPv4 only), 'inet6' (IPv6 only) and undef. A value of undef will ensure that AddressFamily is not in the configuration.
diff --git a/manifests/init.pp b/manifests/init.pp
index 5c71ea5..7560ea2 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -20,6 +20,8 @@ class ssh (
   $ssh_config_forward_agent            = undef,
   $ssh_config_server_alive_interval    = undef,
   $ssh_config_sendenv_xmodifiers       = false,
+  $ssh_hostbasedauthentication         = undef,
+  $ssh_strict_host_key_checking        = undef,
   $ssh_config_ciphers                  = undef,
   $ssh_config_macs                     = undef,
   $ssh_config_use_roaming              = 'USE_DEFAULTS',
@@ -45,6 +47,7 @@ class ssh (
   $sshd_config_banner                  = 'none',
   $sshd_config_ciphers                 = undef,
   $sshd_config_macs                    = undef,
+  $ssh_enable_ssh_keysign              = undef,
   $sshd_config_allowgroups             = [],
   $sshd_config_allowusers              = [],
   $sshd_config_denygroups              = [],
@@ -488,6 +491,14 @@ class ssh (
     validate_re($sshd_gssapicleanupcredentials_real, '^(yes|no)$', "ssh::sshd_gssapicleanupcredentials may be either 'yes' or 'no' and is set to <${sshd_gssapicleanupcredentials_real}>.")
   }
 
+  if $ssh_strict_host_key_checking != undef {
+    validate_re($ssh_strict_host_key_checking, '^(yes|no|ask)$', "ssh::ssh_ssh_strict_host_key_checking may be 'yes', 'no' or ask and is set to <${ssh_strict_host_key_checking}>.")
+  }
+
+  if $ssh_enable_ssh_keysign != undef {
+    validate_re($ssh_enable_ssh_keysign, '^(yes|no)$', "ssh::ssh_enable_ssh_keysign may be either 'yes' or 'no' and is set to <${ssh_enable_ssh_keysign}>.")
+  }
+
   if $sshd_config_authkey_location != undef {
     validate_string($sshd_config_authkey_location)
   }
@@ -527,6 +538,9 @@ class ssh (
   if $sshd_config_strictmodes != undef {
     validate_re($sshd_config_strictmodes, '^(yes|no)$', "ssh::sshd_config_strictmodes may be either 'yes' or 'no' and is set to <${sshd_config_strictmodes}>.")
   }
+  if $ssh_hostbasedauthentication != undef {
+    validate_re($ssh_hostbasedauthentication, '^(yes|no)$', "ssh::ssh_hostbasedauthentication may be either 'yes' or 'no' and is set to <${ssh_hostbasedauthentication}>.")
+  }
 
   validate_re($sshd_hostbasedauthentication, '^(yes|no)$', "ssh::sshd_hostbasedauthentication may be either 'yes' or 'no' and is set to <${sshd_hostbasedauthentication}>.")
 
diff --git a/spec/classes/init_spec.rb b/spec/classes/init_spec.rb
index 4c8cb58..310a7ea 100644
--- a/spec/classes/init_spec.rb
+++ b/spec/classes/init_spec.rb
@@ -1736,6 +1736,111 @@ describe 'ssh' do
     end
   end
 
+  describe 'with parameter ssh_hostbasedauthentication' do
+    let :facts do
+      default_facts.merge(
+        {
+        }
+      )
+    end
+
+    ['yes','no'].each do |value|
+      context "specified as valid #{value} (as #{value.class})" do
+        let(:params) { { :ssh_hostbasedauthentication => value } }
+
+        it { should contain_file('ssh_config').with_content(/^\s*HostbasedAuthentication #{value}$/) }
+      end
+    end
+
+    ['YES',true,2.42,['array'],a = { 'ha' => 'sh' }].each do |value|
+      context "specified as invalid value #{value} (as #{value.class})" do
+        let(:params) { { :ssh_hostbasedauthentication => value } }
+
+        if value.is_a?(Array)
+          value = value.join
+        elsif value.is_a?(Hash)
+          value = '{ha => sh}'
+        end
+
+        it 'should fail' do
+          expect {
+            should contain_class('ssh')
+          }.to raise_error(Puppet::Error,/ssh::ssh_hostbasedauthentication may be either 'yes' or 'no' and is set to <#{Regexp.escape(value.to_s)}>\./)
+        end
+      end
+    end
+  end
+
+  describe 'with parameter ssh_strict_host_key_checking' do
+    let :facts do
+      default_facts.merge(
+        {
+        }
+      )
+    end
+
+    ['yes','no', 'ask'].each do |value|
+      context "specified as valid #{value} (as #{value.class})" do
+        let(:params) { { :ssh_strict_host_key_checking => value } }
+
+        it { should contain_file('ssh_config').with_content(/^\s*StrictHostKeyChecking #{value}$/) }
+      end
+    end
+
+    ['YES',true,2.42,['array'],a = { 'ha' => 'sh' }].each do |value|
+      context "specified as invalid value #{value} (as #{value.class})" do
+        let(:params) { { :ssh_strict_host_key_checking => value } }
+
+        if value.is_a?(Array)
+          value = value.join
+        elsif value.is_a?(Hash)
+          value = '{ha => sh}'
+        end
+
+        it 'should fail' do
+          expect {
+            should contain_class('ssh')
+          }.to raise_error(Puppet::Error,/ssh::ssh_strict_host_key_checking may be either 'yes' or 'no' and is set to <#{Regexp.escape(value.to_s)}>\./)
+        end
+      end
+    end
+  end
+
+  describe 'with parameter ssh_enable_ssh_keysign' do
+    let :facts do
+      default_facts.merge(
+        {
+        }
+      )
+    end
+
+    ['yes','no'].each do |value|
+      context "specified as valid #{value} (as #{value.class})" do
+        let(:params) { { :ssh_enable_ssh_keysign => value } }
+
+        it { should contain_file('ssh_config').with_content(/^\s*EnableSSHKeysign #{value}$/) }
+      end
+    end
+
+    ['YES',true,2.42,['array'],a = { 'ha' => 'sh' }].each do |value|
+      context "specified as invalid value #{value} (as #{value.class})" do
+        let(:params) { { :ssh_enable_ssh_keysign => value } }
+
+        if value.is_a?(Array)
+          value = value.join
+        elsif value.is_a?(Hash)
+          value = '{ha => sh}'
+        end
+
+        it 'should fail' do
+          expect {
+            should contain_class('ssh')
+          }.to raise_error(Puppet::Error,/ssh::ssh_enable_ssh_keysign may be either 'yes' or 'no' and is set to <#{Regexp.escape(value.to_s)}>\./)
+        end
+      end
+    end
+  end
+
   describe 'with parameter sshd_gssapiauthentication' do
     let :facts do
       default_facts.merge(
diff --git a/templates/ssh_config.erb b/templates/ssh_config.erb
index f34f435..bc6ece2 100644
--- a/templates/ssh_config.erb
+++ b/templates/ssh_config.erb
@@ -28,11 +28,17 @@
    PasswordAuthentication yes
    PubkeyAuthentication yes
 #   HostbasedAuthentication no
+<% if @ssh_hostbasedauthentication -%>
+   HostbasedAuthentication <%= @ssh_hostbasedauthentication %>
+<% end -%>
 #   BatchMode no
 #   CheckHostIP yes
 #   AddressFamily any
 #   ConnectTimeout 0
 #   StrictHostKeyChecking ask
+<% if @ssh_strict_host_key_checking -%>
+   StrictHostKeyChecking <%= @ssh_strict_host_key_checking %>
+<% end -%>
 #   IdentityFile ~/.ssh/identity
    IdentityFile ~/.ssh/id_rsa
    IdentityFile ~/.ssh/id_dsa
@@ -90,3 +96,7 @@ GSSAPIDelegateCredentials <%= @ssh_gssapidelegatecredentials %>
 <% if @ssh_config_macs -%>
   MACs <%= @ssh_config_macs.join(',') %>
 <% end -%>
+<% if @ssh_enable_ssh_keysign -%>
+#  EnableSSHKeysign no
+   EnableSSHKeysign yes
+<% end -%>