diff --git a/authority/config/config.go b/authority/config/config.go
index c764e8f9..ad645b69 100644
--- a/authority/config/config.go
+++ b/authority/config/config.go
@@ -102,6 +102,7 @@ type AuthConfig struct {
 DisableIssuedAtCheck bool `json:"disableIssuedAtCheck,omitempty"`
 Backdate *provisioner.Duration `json:"backdate,omitempty"`
 EnableAdmin bool `json:"enableAdmin,omitempty"`
+ DisableGetSSHHosts bool `json:"disableGetSSHHosts,omitempty"`
 }

 // init initializes the required fields in the AuthConfig if they are not
diff --git a/authority/ssh.go b/authority/ssh.go
index 1fd7f2e8..d8d5375c 100644
--- a/authority/ssh.go
+++ b/authority/ssh.go
@@ -602,6 +602,9 @@ func (a *Authority) CheckSSHHost(ctx context.Context, principal, token string) (

 // GetSSHHosts returns a list of valid host principals.
 func (a *Authority) GetSSHHosts(ctx context.Context, cert *x509.Certificate) ([]config.Host, error) {
+ if a.GetConfig().AuthorityConfig.DisableGetSSHHosts {
+ return nil, errs.New(http.StatusNotFound, "ssh hosts list api disabled")
+ }
 if a.sshGetHostsFunc != nil {
 hosts, err := a.sshGetHostsFunc(ctx, cert)
 return hosts, errs.Wrap(http.StatusInternalServerError, err, "getSSHHosts")
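Review bot: The new `DisableGetSSHHosts` field in `AuthConfig` has no comment, and its default is the security-relevant part: the zero value leaves the SSH host listing enabled, so existing deployments keep returning host principals until an operator opts out. I would add a comment above the field such as `// DisableGetSSHHosts turns off the SSH hosts listing API; when false (the default) GetSSHHosts keeps returning host principals.` The struct starts outside this hunk, so the comment style of the neighbouring fields should be checked before adding it.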
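Review bot: The guard added at the top of `GetSSHHosts` chains `a.GetConfig().AuthorityConfig.DisableGetSSHHosts` without a nil check, and neither the return type of `GetConfig` nor the type of `AuthorityConfig` is visible in this diff. If either can be a nil pointer, for example on an Authority built without a full config in tests, the call panics instead of returning an error. Unless initialization guarantees both are set, a defensive form would be `if cfg := a.GetConfig(); cfg != nil && cfg.AuthorityConfig != nil && cfg.AuthorityConfig.DisableGetSSHHosts {`. The doc comment should also mention the new outcome, e.g. `// GetSSHHosts returns a list of valid host principals, or a 404 error when the hosts list API is disabled.` The function body continues past the end of the hunk, and no test for the disabled path appears in this diff.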