diff --git a/admin-guide/puppet/profiles/ssh_server.rst b/admin-guide/puppet/profiles/ssh_server.rst
index 6c229cad..bfb38333 100644
--- a/admin-guide/puppet/profiles/ssh_server.rst
+++ b/admin-guide/puppet/profiles/ssh_server.rst
@@ -10,12 +10,20 @@ Parameters
 ====================  ========  =============================================
 **Name**              **Type**  **Default**
 --------------------  --------  ---------------------------------------------
+enable_public_key     bool      hiera('ssh_server::enable_public_key', true)
 enable_gssapi         bool      hiera('ssh_server::enable_gssapi')
 permit_root_login     string    hiera('ssh_server::permit_root_login')
 trusted_user_ca_keys  list      hiera('ssh_server::trusted_user_ca_keys', [])
 user_ca_keys          hash      hiera('ssh_server::user_ca_keys', {})
 ====================  ========  =============================================
 
+``enable_gssapi``
+~~~~~~~~~~~~~~~~~
+
+A boolean determining whether public key authentication is enabled or not for normal users.
+
+Note that ``root`` is still allowed to connect using public key authentication. Here you may block root login with ``ssh_server::permit_root_login`` or restrict from where to allow root login (see bastion hosts ``aaa::bastions`` and ``aaa::use_bastions``).
+
 
 ``enable_gssapi``
 ~~~~~~~~~~~~~~~~~