diff --git a/rattail_fabric2/ssh.py b/rattail_fabric2/ssh.py
index 09b7ec2..cfbe8e1 100644
--- a/rattail_fabric2/ssh.py
+++ b/rattail_fabric2/ssh.py
@@ -50,6 +50,7 @@ def configure(c, allow_root=False):
 path = '/etc/ssh/sshd_config'
 # PermitRootLogin no (or without-password)
+ # TODO: this probably needs the same treatment as PasswordAuthentication got
 if c.run("grep '^PermitRootLogin ' {}".format(path), warn=True).failed:
 c.sudo('sed -i.bak -e "s/^#PermitRootLogin .*/PermitRootLogin {}/" {}'.format(
 'without-password' if allow_root else 'no', path))
@@ -59,8 +60,11 @@ def configure(c, allow_root=False):
 # PasswordAuthentication no
 if c.run("grep '^PasswordAuthentication ' {}".format(path), warn=True).failed:
- c.sudo('sed -i.bak -e "s/^#?PasswordAuthentication .*/PasswordAuthentication no/" {}'.format(path))
+ if c.run("grep '^#PasswordAuthentication ' {}".format(path), warn=True).failed:
+ c.sudo("""bash -c 'echo "PasswordAuthentication no" >> /etc/ssh/sshd_config'""")
+ else:
+ c.sudo("sed -i.bak -e 's/^#PasswordAuthentication .*/PasswordAuthentication no/' {}".format(path))
 else:
- c.sudo("sed -i.bak -e "s/^PasswordAuthentication .*/PasswordAuthentication no/" {}'.format(path))
+ c.sudo("sed -i.bak -e 's/^PasswordAuthentication .*/PasswordAuthentication no/' {}".format(path))
 restart(c)
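Review bot: The new TODO above the `PermitRootLogin` check records a gap without saying what it is. When sshd_config has neither an active nor a commented `PermitRootLogin` line, the `sed` in the visible branch matches nothing and still exits 0, so root login is left at whatever sshd defaults to. Because that is a hardening step failing silently, I would spell the consequence out, e.g. `# TODO: if no '#PermitRootLogin' line exists this sed is a no-op and the sshd default stays in effect; append the directive as done for PasswordAuthentication`. The `else` branch of this `if` and the rest of `configure` lie outside the hunk, so this is based on the visible lines only.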
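Review bot: The new append branch writes to a hard-coded `/etc/ssh/sshd_config` instead of `path` and, unlike the two `sed -i.bak` branches, leaves no backup; `c.sudo("""bash -c 'echo "PasswordAuthentication no" >> {}'""".format(path))` would keep it consistent with the rest of the function. Appending is also position-sensitive in sshd_config: sshd uses the first value it finds for a keyword, and a line added after a `Match` block applies only inside that block. On a file that ends with a `Match` section, or that has an earlier `Include` setting the same keyword, password authentication may therefore stay enabled globally. I would note that in a comment above the `echo` and run `c.sudo('sshd -t')` before `restart(c)` so a bad edit does not reach a restart. The body of `configure` begins before this hunk.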