diff --git a/roles/ssh_hardening/README.md b/roles/ssh_hardening/README.md index 394169c3..94d8580c 100644 --- a/roles/ssh_hardening/README.md +++ b/roles/ssh_hardening/README.md @@ -138,6 +138,11 @@ For more information, see [this issue](https://github.com/dev-sec/ansible-collec - Description: Specifies whether challenge-response authentication is allowed (e.g. via PAM). - Type: bool - Required: no +- `ssh_ciphers_config` + - Default: `true` + - Description: Whether or not configuring the ciphers of the server. + - Type: bool + - Required: no - `ssh_ciphers` - Default: `` - Description: Change this list to overwrite ciphers. Defaults found in `defaults/main.yml` @@ -238,6 +243,11 @@ For more information, see [this issue](https://github.com/dev-sec/ansible-collec - Description: Host certificates to look for when starting sshd - Type: list - Required: no +- `ssh_host_key_config` + - Default: `true` + - Description: Whether or not configuring the host keys of that the server offers. + - Type: bool + - Required: no - `ssh_host_key_algorithms` - Default: `` - Description: Host key algorithms that the server offers. If empty the default list will be used. Otherwise overrides the setting with specified list of algorithms. Check `man sshd_config`, `ssh -Q HostKeyAlgorithms` or other sources for supported algorithms - make sure you check the correct version @@ -258,6 +268,11 @@ For more information, see [this issue](https://github.com/dev-sec/ansible-collec - Description: Set to `true` if SSH has Kerberos support. - Type: bool - Required: no +- `ssh_kex_config` + - Default: `true` + - Description: Whether or not configuring the kexs of the server. + - Type: bool + - Required: no - `ssh_kex` - Default: `` - Description: Change this list to overwrite kexs. Defaults found in `defaults/main.yml` 
@@ -273,6 +288,11 @@ For more information, see [this issue](https://github.com/dev-sec/ansible-collec - Description: specifies the time allowed for successful authentication to the SSH server. - Type: str - Required: no +- `ssh_macs_config` + - Default: `true` + - Description: Whether or not configuring the macs of the server. + - Type: bool + - Required: no - `ssh_macs` - Default: `` - Description: Change this list to overwrite macs. Defaults found in `defaults/main.yml` diff --git a/roles/ssh_hardening/defaults/main.yml b/roles/ssh_hardening/defaults/main.yml index d70b8da6..e34f447b 100644 --- a/roles/ssh_hardening/defaults/main.yml +++ b/roles/ssh_hardening/defaults/main.yml @@ -40,6 +40,9 @@ ssh_client_port: "22" # ssh # Default is empty, but should be configured for security reasons! ssh_listen_to: [0.0.0.0] # sshd +# Whether or not configuring and generating the host keys files +ssh_host_key_config: true # sshd + # Host keys to look for when starting sshd. ssh_host_key_files: [] # sshd @@ -206,6 +209,10 @@ ssh_max_startups: 10:30:60 # sshd ssh_ps59: sandbox +# Whether or not configuring the macs, cihers and kex algorithms +ssh_macs_config: true # sshd +ssh_ciphers_config: true +ssh_kex_config: true ssh_macs: [] ssh_ciphers: [] ssh_kex: [] diff --git a/roles/ssh_hardening/meta/argument_specs.yml b/roles/ssh_hardening/meta/argument_specs.yml index 243768d8..42439604 100644 --- a/roles/ssh_hardening/meta/argument_specs.yml +++ b/roles/ssh_hardening/meta/argument_specs.yml @@ -28,6 +28,10 @@ argument_specs: description: one or more ip addresses, to which ssh-server should listen to. Default is all IPv4 addresses, but should be configured to specific addresses for security reasons + ssh_host_key_config: + default: true + type: bool + description: Whether or not configuring the host keys of that the server offers. ssh_host_key_files: default: [] type: list 
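Review bot: The new comment `# Whether or not configuring and generating the host keys files` promises key generation, but nothing in this diff generates keys: the hardening.yml hunk only gates the `crypto_hostkeys.yml` include on the new variable and the template hunk only skips the `HostKey` loop, so unless `crypto_hostkeys.yml` itself generates keys (not visible here) the comment overstates what the switch does. A wording that matches the visible behaviour would be `# Whether this role manages sshd's HostKey directives; when false no HostKey lines are written (sshd falls back to its built-in default key paths) and ssh_host_key_files is ignored`. The silently ignored `ssh_host_key_files` case deserves a mention because an operator who sets both gets no warning.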
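Review bot: `cihers` in the new comment `# Whether or not configuring the macs, cihers and kex algorithms` is a typo, and only `ssh_macs_config` carries the `# sshd` scope tag that this file puts on its other keys, leaving `ssh_ciphers_config` and `ssh_kex_config` untagged. Suggested lines: `# Whether this role writes the MACs, Ciphers and KexAlgorithms directives; when false sshd keeps its built-in defaults and the ssh_macs/ssh_ciphers/ssh_kex lists are ignored`, `ssh_ciphers_config: true # sshd`, `ssh_kex_config: true # sshd`. Stating that `false` means the OpenSSH defaults apply matters in a hardening role, since it is the one setting that reverts the algorithm restriction. If a client-side template outside this diff also reads these lists, the `# sshd` tag would understate the scope, so that is worth confirming before merging.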
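Review bot: The description `Whether or not configuring the host keys of that the server offers.` is ungrammatical and does not tell the caller what `false` does; the same "Whether or not configuring …" pattern is repeated for `ssh_macs_config`, `ssh_kex_config` and `ssh_ciphers_config` in the @@ -317 hunk and in the README hunks. Suggest `description: Whether the role writes HostKey directives to sshd_config. Set to false to leave sshd's built-in host key defaults untouched; ssh_host_key_files is then ignored.` and analogous phrasing for the three algorithm switches, stating that `false` leaves OpenSSH's default cipher, MAC and kex lists in effect instead of the role's hardened lists. The argument spec is what `ansible-doc` and the role's validation surface to users, so this is the place where the fallback behaviour should be spelled out.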
@@ -317,14 +321,26 @@ argument_specs: default: 10:30:60 description: Specifies the maximum number of concurrent unauthenticated connections to the SSH daemon. + ssh_macs_config: + default: true + description: Whether or not configuring the macs of the server. + type: bool ssh_macs: default: [] type: list description: Change this list to overwrite macs. Defaults found in `defaults/main.yml` + ssh_kex_config: + default: true + description: Whether or not configuring the kexs of the server. + type: bool ssh_kex: default: [] type: list description: Change this list to overwrite kexs. Defaults found in `defaults/main.yml` + ssh_ciphers_config: + default: true + description: Whether or not configuring the ciphers of the server. + type: bool ssh_ciphers: default: [] type: list diff --git a/roles/ssh_hardening/tasks/hardening.yml b/roles/ssh_hardening/tasks/hardening.yml index 3b09c5c3..0b3843de 100644 --- a/roles/ssh_hardening/tasks/hardening.yml +++ b/roles/ssh_hardening/tasks/hardening.yml @@ -39,19 +39,26 @@ ansible.builtin.include_tasks: crypto_hostkeys.yml when: - ssh_server_hardening | bool + - ssh_host_key_config - not ssh_host_key_files - name: Set default for ssh_macs if not supplied ansible.builtin.include_tasks: crypto_macs.yml - when: not ssh_macs + when: + - ssh_macs_config + - not ssh_macs - name: Set default for ssh_ciphers if not supplied ansible.builtin.include_tasks: crypto_ciphers.yml - when: not ssh_ciphers + when: + - ssh_ciphers_config + - not ssh_ciphers - name: Set default for ssh_kex if not supplied ansible.builtin.include_tasks: crypto_kex.yml - when: not ssh_kex + when: + - ssh_kex_config + - not ssh_kex - name: Create revoked_keys and set permissions to root/600 ansible.builtin.template: diff --git a/roles/ssh_hardening/templates/opensshd.conf.j2 b/roles/ssh_hardening/templates/opensshd.conf.j2 index 4ac0e713..fd28ffb4 100644 --- a/roles/ssh_hardening/templates/opensshd.conf.j2 +++ b/roles/ssh_hardening/templates/opensshd.conf.j2 
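Review bot: The new conditions `- ssh_host_key_config`, `- ssh_macs_config`, `- ssh_ciphers_config` and `- ssh_kex_config` are bare, while the existing condition on the first task, `- ssh_server_hardening | bool`, casts explicitly; the new lines should follow the file's convention, e.g. `- ssh_host_key_config | bool`. Beyond consistency, the explicit cast removes any doubt about how a value supplied as a string (for example via `-e` on the command line) is evaluated, which may differ between the two styles. The `type: bool` in argument_specs only applies when the role is entered through its argument spec, so it does not replace the cast here.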
@@ -34,7 +34,7 @@ ListenAddress {{ address }} {% endfor %} # HostKeys are listed here. -{% for key in ssh_host_key_files %} +{% for key in ssh_host_key_files if ssh_host_key_config%} HostKey {{ key }} {% endfor %} @@ -73,14 +73,14 @@ LogLevel {{ sshd_log_level }} # -- see: (http://net-ssh.github.com/net-ssh/classes/Net/SSH/Transport/CipherFactory.html) # {# This outputs 'Ciphers ' if ssh_ciphers is defined or '#Ciphers' if ssh_ciphers is undefined -#} -{{ 'Ciphers ' ~ ssh_ciphers|join(',') if ssh_ciphers else 'Ciphers'|comment }} +{{ 'Ciphers ' ~ ssh_ciphers|join(',') if ssh_ciphers and ssh_ciphers_config else 'Ciphers'|comment }} # **Hash algorithms** -- SHA-1 is formally deprecated by NIST in 2011 because of security issues. # Weak HMAC is sometimes required if older package versions are used # eg Ruby's Net::SSH at around 2.2.* doesn't support sha2 for hmac, so this will have to be set true in this case. # {# This outputs 'MACs ' if ssh_macs is defined or '#MACs' if ssh_macs is undefined -#} -{{ 'MACs ' ~ ssh_macs|join(',') if ssh_macs else 'MACs'|comment }} +{{ 'MACs ' ~ ssh_macs|join(',') if ssh_macs and ssh_macs_config else 'MACs'|comment }} {% if sshd_version is version('5.9', '<') %} # Alternative setting, if OpenSSH version is below v5.9 @@ -93,7 +93,7 @@ LogLevel {{ sshd_log_level }} # based on: https://bettercrypto.org/static/applied-crypto-hardening.pdf # {# This outputs 'KexAlgorithms ' if ssh_kex is defined or '#KexAlgorithms' if ssh_kex is undefined #} -{{ 'KexAlgorithms ' ~ ssh_kex|join(',') if ssh_kex else 'KexAlgorithms'|comment }} +{{ 'KexAlgorithms ' ~ ssh_kex|join(',') if ssh_kex and ssh_kex_config else 'KexAlgorithms'|comment }} # Authentication # --------------
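Review bot: `{% for key in ssh_host_key_files if ssh_host_key_config%}` is missing the space before `%}`; every other tag in this template has it, so write `{% for key in ssh_host_key_files if ssh_host_key_config %}`. The loop filter drops every HostKey line when the switch is false even if `ssh_host_key_files` is non-empty, which is consistent with the hardening.yml hunk but invisible to an operator reading the rendered config. The comment above the loop could state it: `# HostKeys are listed here (only when ssh_host_key_config is true; otherwise sshd uses its default key paths).`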
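Review bot: The Jinja comment directly above the changed Ciphers line, `{# This outputs 'Ciphers ' if ssh_ciphers is defined or '#Ciphers' if ssh_ciphers is undefined -#}`, no longer matches the expression, which now also requires `ssh_ciphers_config`; the MACs comment in this hunk and the KexAlgorithms comment in the @@ -93 hunk are stale in the same way. Suggest `{# Outputs 'Ciphers <list>' only when ssh_ciphers is set and ssh_ciphers_config is true; otherwise the directive is emitted commented out and sshd keeps its built-in default cipher list -#}`, with the matching change for MACs and KexAlgorithms. A commented-out directive means OpenSSH's own defaults apply, and that fallback is the security-relevant fact a reader of this template needs to see.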