diff --git a/roles/sshd/tasks/main.yml b/roles/sshd/tasks/main.yml
index aebd373..86e6f72 100644
--- a/roles/sshd/tasks/main.yml
+++ b/roles/sshd/tasks/main.yml
@@ -1,6 +1,20 @@
 ---
+- name: disable AllowAgentForwarding
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ regexp: '^#?AllowAgentForwarding'
+ line: 'AllowAgentForwarding no'
+ validate: "sshd -t -f %s"
+ notify: restart sshd
+- name: disable ChallengeResponseAuthentication
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ regexp: '^#?ChallengeResponseAuthentication'
+ line: 'ChallengeResponseAuthentication no'
+ validate: "sshd -t -f %s"
+ notify: restart sshd
 # based on mozilla recommended settings
 # https://infosec.mozilla.org/guidelines/openssh.html