diff --git a/main.tf b/main.tf
index 8e89821..2377ba1 100644
--- a/main.tf
+++ b/main.tf
@@ -38,6 +38,11 @@ chpasswd:
   expire: False
 %{endif~}
 
+%{if var.allow_root_ssh_pwauth != null && var.allow_root_ssh_pwauth == true}
+bootcmd:
+  - 'echo "PermitRootLogin yes" >> /etc/ssh/sshd_config.d/99-allow-root-ssh-pwauth.conf'
+
+%{endif}
 EOT
 }
 
diff --git a/variables.tf b/variables.tf
index c1101b2..415b0ff 100644
--- a/variables.tf
+++ b/variables.tf
@@ -23,6 +23,11 @@ variable "disable_root" {
   default = true
 }
 
+variable "allow_root_ssh_pwauth" {
+  type    = bool
+  default = false
+}
+
 variable "root_password" {
   type    = string
   default = ""