diff --git a/README.md b/README.md
index 02db69d..a897488 100755
--- a/README.md
+++ b/README.md
@@ -85,6 +85,10 @@ The following environment variables are supported:
 
    If these are set, they are use to configure `wpa_supplicant.conf`, so that the raspberry pi can automatically connect to a wifi network on first boot.
 
+ * `ENABLE_SSH` (Default: `0`)
+
+   Setting to `1` will enable ssh server for remote log in. Note that if you are using a common password such as the defaults there is a high risk of attackers taking over you RaspberryPi.
+
 A simple example for building Raspbian:
 
 ```bash
diff --git a/build.sh b/build.sh
index 6d7a8c9..0f36071 100755
--- a/build.sh
+++ b/build.sh
@@ -146,6 +146,7 @@ export FIRST_USER_PASS=${FIRST_USER_PASS:-raspberry}
 export WPA_ESSID
 export WPA_PASSWORD
 export WPA_COUNTRY
+export ENABLE_SSH="${ENABLE_SSH:-0}"
 
 export BASE_DIR
 
diff --git a/stage2/01-sys-tweaks/01-run.sh b/stage2/01-sys-tweaks/01-run.sh
index 8fb99c1..8d28adc 100755
--- a/stage2/01-sys-tweaks/01-run.sh
+++ b/stage2/01-sys-tweaks/01-run.sh
@@ -15,7 +15,11 @@ on_chroot << EOF
 systemctl disable hwclock.sh
 systemctl disable nfs-common
 systemctl disable rpcbind
-systemctl disable ssh
+if [ "${ENABLE_SSH}" == "1" ]; then
+	systemctl enable ssh
+else
+	systemctl disable ssh
+fi
 systemctl enable regenerate_ssh_host_keys
 EOF