diff --git a/defaults/main.yml b/defaults/main.yml index 6019052..c6ac4b0 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -60,6 +60,7 @@ sshd: allowed_groups: - "root" - "admins" + xforwarding: True # ### Forcing only ed25519 SSH keys diff --git a/tasks/main.yml b/tasks/main.yml index a523a3a..5cf0866 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -31,31 +31,20 @@ backup: yes notify: - systemctrl restart ssh + +- name: Generate new ssh host key pair if necessary + become: yes + command: ssh-keygen -t ecdsa -f 'ssh_host_{{ item }}_key' -P '' -q + args: + chdir: '/etc/ssh/' + creates: 'ssh_host_{{ item }}_key.pub' + notify: + - systemctrl restart ssh + with_items: "{{ sshd.key_types }}" + when: + - sshd.manage_key_types | bool - pause: - -- name: Generate new ecdsa ssh host key pair if necessary - become: yes - command: ssh-keygen -t ecdsa -f 'ssh_host_ecdsa_key' -P '' -q - args: - chdir: '/etc/ssh/' - creates: 'ssh_host_ecdsa_key.pub' - notify: - - systemctrl restart ssh - when: - - generate_ecdsa_too | bool - -- name: Generate new ed25519 ssh host key pair if necessary - become: yes - command: ssh-keygen -t ed25519 -f 'ssh_host_ed25519_key' -P '' -q - args: - chdir: '/etc/ssh/' - creates: 'ssh_host_ed25519_key.pub' - notify: - - systemctrl restart ssh - when: - - ansible_distribution_release != 'wheezy' - - name: Remove unwanted host keys become: yes file: @@ -66,10 +55,6 @@ - dsa notify: - systemctrl restart ssh - when: - - generate_ecdsa_too | bool - - ansible_distribution_release != 'wheezy' - - do_not_delete_legacy_ssh_keys | bool - name: Remove unwanted host keys become: yes diff --git a/templates/sshd_config.j2 b/templates/sshd_config.j2 index c464fa1..2fa4e6a 100644 --- a/templates/sshd_config.j2 +++ b/templates/sshd_config.j2 
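Review bot: The new default `xforwarding: True` switches X11 forwarding on for every host the role manages, which is wider exposure than sshd's own compiled-in default of `no`, and it is also a non-canonical YAML boolean (yamllint `truthy`). Hosts that need forwarding can opt in per inventory, so the safer default is `xforwarding: false`; if enabling it role-wide is intentional, write it as `xforwarding: true` and state that choice in a comment above the key, since the `###` comment that follows only covers key types. The `sshd:` mapping this key belongs to starts before the hunk.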
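Review bot: The merged host-key task hard-codes `-t ecdsa` while looping over `sshd.key_types`, so every key it generates is ECDSA regardless of the file name it is written to; a host listing `ed25519` ends up with an ECDSA key stored as `ssh_host_ed25519_key`, and the `creates:` guard then hides the mismatch on every later run. The type must follow the loop item: `command: ssh-keygen -t {{ item }} -f 'ssh_host_{{ item }}_key' -P '' -q`. `sshd.key_types` and `sshd.manage_key_types` are not added to `defaults/main.yml` in this diff, so unless they are defined elsewhere the `when:` clause fails on an undefined variable. The old `ansible_distribution_release != 'wheezy'` guard is gone as well, so the loop presumably now runs `ssh-keygen -t ed25519` on releases whose OpenSSH may not support it; if those hosts are still in scope, the list needs filtering on that release.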
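Review bot: Dropping the `when:` block leaves the host-key removal unconditional, while the generation task in the previous hunk is gated on `sshd.manage_key_types`; a host with that flag off now still has the listed key types deleted (only `dsa` is visible here, the list starts before the hunk) without the role regenerating anything. Gate the removal the same way, `when:` followed by `- sshd.manage_key_types | bool`, so a single switch controls both sides. The `do_not_delete_legacy_ssh_keys` opt-out removed here has no replacement in this diff; if that is deliberate, a comment on the task such as `# legacy host keys are always removed; there is no opt-out` records it for the next reader. The task this applies to begins outside the hunk.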
@@ -58,6 +58,12 @@ PubkeyAuthentication yes PermitRootLogin without-password LoginGraceTime 120 StrictModes yes +X11Forwarding +{%- if sshd.xforwarding | bool -%} + {{ ' yes' }} +{% else -%} + {{ ' no' }} +{% endif %} # If you just want the PAM account and session checks to run without # PAM authentication, then enable this but set PasswordAuthentication diff --git a/vars/default.yml b/vars/default.yml index 2cb66f3..8e9b655 100644 --- a/vars/default.yml +++ b/vars/default.yml @@ -1,2 +1,4 @@ --- sshd_service: ssh +sshd_xauth: + - xorg-xauth
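Review bot: The six-line `{%- if -%}` / `{{ ' yes' }}` construct used to emit one directive value only renders as a single `X11Forwarding yes|no` line because of Jinja whitespace control combined with Ansible's template defaults, and a leading space smuggled inside a string literal is easy to break when someone edits the block. A one-line inline conditional says the same thing without that fragility: `X11Forwarding {{ 'yes' if sshd.xforwarding | bool else 'no' }}`. A short comment above it, `# controlled by sshd.xforwarding; forwarding exposes the client X display to this host`, tells readers of the rendered config where the value comes from and why it matters.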
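Review bot: `sshd_xauth` is added but nothing in this diff reads it: no task installs the package and the template only references `sshd.xforwarding`, so the variable is either dead or its consumer lives in a change not shown here. If a package task is intended it belongs in `tasks/main.yml` conditioned on `sshd.xforwarding | bool`, and the list should say what it is for: `# packages providing xauth, required when X11Forwarding is yes`. If `vars/default.yml` is the fallback for Debian-family hosts (the tasks file references `wheezy`), confirm the package name: `xorg-xauth` is the name used by some distributions, while Debian's package is `xauth`.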