diff --git a/manifests/init.pp b/manifests/init.pp
index 89bfb97..79f4acc 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -61,6 +61,7 @@ class ssh (
   $sshd_banner_mode                    = '0644',
   $sshd_config_xauth_location          = 'USE_DEFAULTS',
   $sshd_config_subsystem_sftp          = 'USE_DEFAULTS',
+  $sshd_kerberos_authentication        = undef,
   $sshd_password_authentication        = 'yes',
   $sshd_allow_tcp_forwarding           = 'yes',
   $sshd_x11_forwarding                 = 'yes',
@@ -414,6 +415,9 @@ class ssh (
     validate_re($ssh_config_hash_known_hosts_real, '^(yes|no)$', "ssh::ssh_config_hash_known_hosts may be either 'yes' or 'no' and is set to <${ssh_config_hash_known_hosts_real}>.")
   }
   validate_re($sshd_config_port, '^\d+$', "ssh::sshd_config_port must be a valid number and is set to <${sshd_config_port}>.")
+  if $sshd_kerberos_authentication != undef {
+    validate_re($sshd_kerberos_authentication, '^(yes|no)$', "ssh::sshd_kerberos_authentication may be either 'yes' or 'no' and is set to <${sshd_kerberos_authentication}>.")
+  }
   validate_re($sshd_password_authentication, '^(yes|no)$', "ssh::sshd_password_authentication may be either 'yes' or 'no' and is set to <${sshd_password_authentication}>.")
   validate_re($sshd_allow_tcp_forwarding, '^(yes|no)$', "ssh::sshd_allow_tcp_forwarding may be either 'yes' or 'no' and is set to <${sshd_allow_tcp_forwarding}>.")
   validate_re($sshd_x11_forwarding, '^(yes|no)$', "ssh::sshd_x11_forwarding may be either 'yes' or 'no' and is set to <${sshd_x11_forwarding}>.")
diff --git a/spec/classes/init_spec.rb b/spec/classes/init_spec.rb
index 8a9705e..ee1e612 100644
--- a/spec/classes/init_spec.rb
+++ b/spec/classes/init_spec.rb
@@ -1002,6 +1002,7 @@ describe 'ssh' do
         :sshd_banner_content               => 'textinbanner',
         :sshd_config_xauth_location        => '/opt/ssh/bin/xauth',
         :sshd_config_subsystem_sftp        => '/opt/ssh/bin/sftp',
+        :sshd_kerberos_authentication      => 'no',
         :sshd_password_authentication      => 'no',
         :sshd_allow_tcp_forwarding         => 'no',
         :sshd_x11_forwarding               => 'no',
@@ -1068,6 +1069,7 @@ describe 'ssh' do
     it { should contain_file('sshd_config').with_content(/^XAuthLocation \/opt\/ssh\/bin\/xauth$/) }
     it { should contain_file('sshd_config').with_content(/^Subsystem sftp \/opt\/ssh\/bin\/sftp$/) }
     it { should contain_file('sshd_config').with_content(/^PasswordAuthentication no$/) }
+    it { should contain_file('sshd_config').with_content(/^KerberosAuthentication no$/) }
     it { should contain_file('sshd_config').with_content(/^AllowTcpForwarding no$/) }
     it { should contain_file('sshd_config').with_content(/^X11Forwarding no$/) }
     it { should contain_file('sshd_config').with_content(/^UsePAM no$/) }
@@ -1307,6 +1309,32 @@ describe 'ssh' do
     end
   end
 
+  describe 'with KerberosAuthentication' do
+    ['yes','no'].each do |value|
+      context "set to #{value}" do
+        set param to value
+        it { should contain_file('sshd_config').with_content(/^KerberosAuthentication #{value}$/) }
+      end
+      context 'with KerberosAuthentication set to invalid value on valid osfamily' do
+        let :facts do
+          {
+            :fqdn      => 'monkey.example.com',
+            :osfamily  => 'RedHat',
+            :sshrsakey => 'AAAAB3NzaC1yc2EAAAABIwAAAQEArGElx46pD6NNnlxVaTbp0ZJMgBKCmbTCT3RaeCk0ZUJtQ8wkcwTtqIXmmiuFsynUT0DFSd8UIodnBOPqitimmooAVAiAi30TtJVzADfPScMiUnBJKZajIBkEMkwUcqsfh630jyBvLPE/kyQcxbEeGtbu1DG3monkeymanOBW1AKc5o+cJLXcInLnbowMG7NXzujT3BRYn/9s5vtT1V9cuZJs4XLRXQ50NluxJI7sVfRPVvQI9EMbTS4AFBXUej3yfgaLSV+nPZC/lmJ2gR4t/tKvMFF9m16f8IcZKK7o0rK7v81G/tREbOT5YhcKLK+0wBfR6RsmHzwy4EddZloyLQ=='
+          }
+        end
+        let :params do
+          { :sshd_kerberos_authentication => 'invalid' }
+        end
+
+        it 'should fail' do
+          expect {
+            should contain_class('ssh')
+          }.to raise_error(Puppet::Error,/ssh::sshd_kerberos_authentication may be either \'yes\' or \'no\' and is set to <invalid>\./)
+        end
+      end
+    end
+  end
 
   context 'when ssh_config_template has a nonstandard value' do
     context 'and that value is not valid' do
diff --git a/templates/sshd_config.erb b/templates/sshd_config.erb
index 03feb7b..f5b697c 100644
--- a/templates/sshd_config.erb
+++ b/templates/sshd_config.erb
@@ -104,7 +104,10 @@ PAMAuthenticationViaKBDInt <%= @sshd_pamauthenticationviakbdint_real %>
 ChallengeResponseAuthentication <%= @sshd_config_challenge_resp_auth %>
 
 # Kerberos options
+<% if @sshd_kerberos_authentication != nil -%>
 #KerberosAuthentication no
+KerberosAuthentication <%= @sshd_kerberos_authentication %>
+<% end -%>
 #KerberosOrLocalPasswd yes
 #KerberosTicketCleanup yes
 #KerberosGetAFSToken no