diff --git a/system/options.nix b/system/options.nix
index 9b500a20e921..a5bc2f1608db 100644
--- a/system/options.nix
+++ b/system/options.nix
@@ -797,6 +797,15 @@
";
};
+ permitRootLogin = mkOption {
+ default = "yes";
+ description = "
+ Whether the root user can login using ssh. Valid options
+ are yes, without-password,
+ forced-commands-only or
+ no
+ ";
+ };
};
lshd = {
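Review bot: The `default = "yes";` line picks the most permissive PermitRootLogin value, so a freshly generated sshd_config accepts root logins with a password; a more defensive default is key-only root (`default = "without-password";`) or `"no"`. If `"yes"` is kept, presumably to match sshd's own built-in default of the time, the description should say that and spell out what each value permits (for example: `yes` also allows password login as root, `without-password` requires a key, `forced-commands-only` only runs the key's forced command). The same accepted-value list is re-checked by a separate assert in upstart-jobs/sshd.nix, so the two lists can drift; a comment next to this option pointing at that assert would help keep them in sync. The enclosing `services.sshd` attribute set starts before this hunk.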
diff --git a/upstart-jobs/default.nix b/upstart-jobs/default.nix
index fd132621b827..708e14d2894b 100644
--- a/upstart-jobs/default.nix
+++ b/upstart-jobs/default.nix
@@ -137,6 +137,7 @@ let
inherit nssModulesPath;
forwardX11 = config.services.sshd.forwardX11;
allowSFTP = config.services.sshd.allowSFTP;
+ permitRootLogin = config.services.sshd.permitRootLogin;
})
# GNU lshd SSH2 deamon.
diff --git a/upstart-jobs/sshd.nix b/upstart-jobs/sshd.nix
index be58b91351fc..f8a2f46646f7 100644
--- a/upstart-jobs/sshd.nix
+++ b/upstart-jobs/sshd.nix
@@ -1,8 +1,13 @@
{ writeText, openssh, glibc, xauth
, nssModulesPath
-, forwardX11, allowSFTP
+, forwardX11, allowSFTP, permitRootLogin
}:
+assert permitRootLogin == "yes" ||
+ permitRootLogin == "without-password" ||
+ permitRootLogin == "forced-commands-only" ||
+ permitRootLogin == "no";
+
let
sshdConfig = writeText "sshd_config" ''
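Review bot: The new `assert permitRootLogin == ...` chain fails with only Nix's generic assertion error, so an operator who mistypes the value sees no hint of the four accepted spellings; wrapping the check so that the failure branch calls `abort "permitRootLogin must be yes, without-password, forced-commands-only or no"` would make the rejection self-explanatory. This assert is also the only thing that keeps arbitrary text out of the generated config, since the value is later interpolated unquoted as `PermitRootLogin ${permitRootLogin}`, so it should stay exactly as strict as the list in the option description in system/options.nix. The `let` that begins at the end of this hunk continues outside it.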
@@ -21,6 +26,8 @@ let
" else "
"}
+ PermitRootLogin ${permitRootLogin}
+
'';
sshdUid = (import ../system/ids.nix).uids.sshd;