diff --git a/roles/sudo/defaults/main.yml b/roles/sudo/defaults/main.yml
index 11f2f29..8c649fe 100644
--- a/roles/sudo/defaults/main.yml
+++ b/roles/sudo/defaults/main.yml
@@ -1 +1,5 @@
+sudo_use_pam_ssh_agent: false
+sudo_packages:
+- sudo
+- '{% if sudo_use_pam_ssh_agent %}pam_ssh_agent_auth{% endif %}'
 admin_users: []
diff --git a/roles/sudo/tasks/main.yml b/roles/sudo/tasks/main.yml
index 027d6f4..bba57e2 100644
--- a/roles/sudo/tasks/main.yml
+++ b/roles/sudo/tasks/main.yml
@@ -1,7 +1,7 @@
-- name: ensure sudo is installed
+- name: ensure sudo packages are installed
 package:
- name=sudo
- state=present
+ name: '{{ sudo_packages|reject("eq", "") }}'
+ state: present
 tags:
 - install
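Review bot: `sudo_authorized_ssh_keys` is consumed by the new tasks (`content: '{{ sudo_authorized_ssh_keys }}'`) but gets no default in this hunk, so enabling `sudo_use_pam_ssh_agent` without also defining it fails at run time with an undefined-variable error instead of deploying an empty key file; add `sudo_authorized_ssh_keys: ''` next to `sudo_use_pam_ssh_agent: false` so the role documents the knob. The second `sudo_packages` entry renders to an empty string when the feature is off and only works because the consuming task filters it out, which deserves a comment above the list such as `# renders to "" when the agent feature is off; tasks/main.yml filters empty names`. The `false` default is the right choice, since the PAM path this enables lets an agent-held key stand in for the sudo password.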
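Review bot: `reject("eq", "")` yields a generator, and on older Ansible releases a bare generator result is rendered as its Python repr rather than as a list, so the package module would receive a bogus name; appending `| list` is the portable form: `name: '{{ sudo_packages | reject("eq", "") | list }}'`. Whether the empty placeholder from the defaults is dropped depends entirely on this expression, so a one-line comment above the task naming that coupling would help the next maintainer. The `tags:` block that follows is unchanged and closes the task inside the hunk.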
@@ -25,3 +25,52 @@
 file:
 path=/etc/sudoers.d/sudo
 state=absent
+
+- name: ensure pam is configured for sudo
+ template:
+ src: sudo.pam.conf
+ dest: /etc/pam.d/sudo
+ mode: u=rw,go=r
+ owner: root
+ group: root
+ tags:
+ - pam-ssh-agent
+
+- name: ensure sudo authorized ssh_keys are configured
+ copy:
+ dest: /etc/security/sudo.authorized_keys
+ content: '{{ sudo_authorized_ssh_keys }}'
+ mode: u=rw,go=r
+ owner: root
+ group: root
+ when: sudo_use_pam_ssh_agent
+ tags:
+ - pam-ssh-agent
+ - pam-ssh-agent-keys
+- name: ensure sudo authorized ssh_keys are not configured
+ file:
+ path: /etc/security/sudo.sshkeys
+ state: absent
+ when: not sudo_use_pam_ssh_agent
+ tags:
+ - pam-ssh-agent
+ - pam-ssh-agent-keys
+
+# Upstream documentation says this is only required for "old" versions
+# of sudo, however without it, SSH key authentication always fails. I
+# suspect it is only unnecessary when users originally authenticated to
+# the SSH daemon using a public key, but required for other forms of
+# authentication, such as GSSAPI.
+- name: ensure sudo is configured for pam_ssh_agent_auth
+ copy:
+ dest: /etc/sudoers.d/ssh-auth-sock
+ content: |+
+ {% if sudo_use_pam_ssh_agent %}
+ Defaults env_keep += "SSH_AUTH_SOCK"
+ {% endif %}
+ mode: u=rw,g=r,o=
+ owner: root
+ group: root
+ validate: visudo -cf %s
+ tags:
+ - pam-ssh-agent
diff --git a/roles/sudo/templates/sudo.pam.conf b/roles/sudo/templates/sudo.pam.conf
new file mode 100644
index 0000000..d8e6648
--- /dev/null
+++ b/roles/sudo/templates/sudo.pam.conf
@@ -0,0 +1,10 @@
+#%PAM-1.0
+{% if sudo_use_pam_ssh_agent %}
+-auth sufficient pam_ssh_agent_auth.so file=/etc/security/sudo.authorized_keys
+{% endif %}
+auth include system-auth
+account include system-auth
+password include system-auth
+session optional pam_keyinit.so revoke
+session required pam_limits.so
+session include system-auth
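Review bot: The disable path in `ensure sudo authorized ssh_keys are not configured` removes `/etc/security/sudo.sshkeys`, while the enable path writes `/etc/security/sudo.authorized_keys`, so switching the feature off leaves the previously deployed key file — and the PAM line that still points at it until the template is re-rendered — in place, and nothing in the play reports the drift; change the `file:` task to `path: /etc/security/sudo.authorized_keys`, or put the path in one variable both tasks share. The same symmetry is worth applying to `/etc/sudoers.d/ssh-auth-sock`: with `content: |+` the disabled case still writes an empty or whitespace-only fragment, and a `state: absent` branch is clearer than an empty file under `sudoers.d`. sudo's ownership/mode check on `sudoers.d` fragments may also reject the `u=rw,g=r,o=` (0640) mode; 0440 (`u=r,g=r,o=`) is the conventional mode, so confirm against the sudo version in use. The `file:`/`path=`/`state=absent` context at the top of the hunk belongs to a task whose `name:` is outside the hunk.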
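Review bot: Every `include` in the new template hard-codes `system-auth`, which exists on Red Hat-family PAM stacks but not on Debian/Ubuntu (where the stack is `common-auth`, `common-account`, `common-password`, `common-session`), and because the template task carries no `when`, the role overwrites `/etc/pam.d/sudo` unconditionally — on those hosts sudo authentication would likely fail after this change. Either gate the template task on `ansible_os_family` or parameterise the stack name, e.g. `auth include {{ sudo_pam_stack | default('system-auth') }}`, with a matching default. The `-auth sufficient pam_ssh_agent_auth.so ...` line is the security-relevant one and should say so in the template: the leading `-` keeps sudo usable when the module is not installed, and `sufficient` means a key present in the forwarded agent satisfies authentication without a password, otherwise control falls through to the normal stack — a comment such as `# an agent-held key listed in sudo.authorized_keys replaces the password; absent module is tolerated` would make that intent explicit.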