diff --git a/site-modules/profile/lib/facter/public_ipaddresses.rb b/site-modules/profile/lib/facter/public_ipaddresses.rb
new file mode 100644
index 00000000..7430b6a4
--- /dev/null
+++ b/site-modules/profile/lib/facter/public_ipaddresses.rb
@@ -0,0 +1,46 @@
+require "ipaddr"
+
+excluded_ranges = [
+ # RFC 1918
+ '10.0.0.0/8',
+ '172.16.0.0/12',
+ '192.168.0.0/16',
+ # Loopback
+ '127.0.0.0/8',
+ '::1/128',
+ # RFC 6598 (CGNAT)
+ '100.64.0.0/10',
+ # Multicast
+ '224.0.0.0/4',
+ 'ff00::/8',
+ # Future use
+ '240.0.0.0/4',
+ # IPv6 ULA
+ 'fc00::/7',
+ # IPv6 LLA
+ 'fe80::/10',
+].map { |x| IPAddr.new(x) }
+
+Facter.add(:public_ipaddresses) do
+ setcode do
+ addresses = []
+ interfaces = Facter.value(:networking).fetch('interfaces', {})
+
+ interfaces.each do |iface, data|
+ [
+ data.fetch('bindings', []),
+ data.fetch('bindings6', []),
+ ].flatten.each do |addr|
+ ip = addr['address']
+ unless ip.nil?
+ addresses.push(ip)
+ end
+ end
+ end
+
+ addresses.uniq.select do |addr|
+ ipaddress = IPAddr.new(addr)
+ not excluded_ranges.any? { |range| range.include?(ipaddress) }
+ end
+ end
+end
diff --git a/site-modules/profile/manifests/ssh/server.pp b/site-modules/profile/manifests/ssh/server.pp
index 72cdf569..855f6a3d 100644
--- a/site-modules/profile/manifests/ssh/server.pp
+++ b/site-modules/profile/manifests/ssh/server.pp
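Review bot: `IPAddr.new(addr)` inside the final `select` is not rescued, so one binding whose `address` IPAddr cannot parse raises `IPAddr::InvalidAddressError` and the whole `public_ipaddresses` fact fails to resolve instead of skipping that single entry; a `begin`/`rescue` with `next false` keeps the fact usable on such hosts. The exclusion list also has no IPv4 counterpart to the `fe80::/10` entry: adding `'169.254.0.0/16',` (and `'0.0.0.0/8',`) next to the loopback ranges keeps link-local and unspecified addresses from being exported as "public" and then published as sshkey host aliases. Minor style: `iface` is unused in the `interfaces.each` block and could be `_iface`, and `not excluded_ranges.any?` reads more naturally as `excluded_ranges.none?`.
```ruby
# … unchanged: excluded_ranges list and address collection …
addresses.uniq.select do |addr|
  begin
    ipaddress = IPAddr.new(addr)
  rescue IPAddr::InvalidAddressError
    next false # skip entries reported in a form IPAddr cannot parse
  end
  excluded_ranges.none? { |range| range.include?(ipaddress) }
end
```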
@@ -1,61 +1,82 @@
 # Configure the SSH server class profile::ssh::server { $sshd_port = lookup('ssh::port') $sshd_permitrootlogin = lookup('ssh::permitrootlogin') class { '::ssh::server': storeconfigs_enabled => false, options => { 'PermitRootLogin' => $sshd_permitrootlogin, 'Port' => $sshd_port, }, } $users = lookup('users', Hash, 'deep') each($users) |$name, $data| { if $name == 'root' { $home = '/root' } else { $home = "/home/${name}" } file { "${home}/.ssh": ensure => directory, owner => $name, group => $name, mode => '0600', require => [ User[$name], File[$home], ], } if $data['authorized_keys'] { each($data['authorized_keys']) |$nick, $key| { ssh_authorized_key { "${name} ${nick}": ensure => 'present', user => $name, key => $key['key'], type => $key['type'], require => File["${home}/.ssh"], } } } } each($::ssh) |$algo, $data| { $real_algo = $algo ? { 'ecdsa' => 'ecdsa-sha2-nistp256', default => $algo, }
+
+ $aliases = [
+ values($::swh_hostname),
+ ip_for_network(lookup('internal_network')),
+ $::public_ipaddresses,
+ ]
+ .flatten
+ .unique
+ .filter |$x| { !!$x } # filter empty values
+ .map |$x| {
+ case $sshd_port {
+ 22: {
+ case $x {
+ /:/: { "[${x}]" } # bracket IPv6 addresses
+ default: { $x }
+ }
+ }
+ default: { "[${x}]:${sshd_port}" } # specify non-default ssh port
+ }
+ }
+
 @@sshkey {"ssh-${::fqdn}-${real_algo}":
- host_aliases => unique(values($::swh_hostname)),
+ host_aliases => $aliases,
 type => $real_algo, key => $data['key'], } } Sshkey <<| |>> }
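Review bot: The `22:` arm of `case $sshd_port` in the new `.map` block only matches when `lookup('ssh::port')` returns an Integer; if Hiera yields the string `'22'`, every alias falls into the `default` arm and is exported as `[host]:22`, a form OpenSSH does not consult when connecting on the default port. Normalising the comparison, `case "${sshd_port}" {` with `'22': {`, makes the branch independent of the Hiera value type. The `# filter empty values` comment on `.filter |$x| { !!$x }` overstates the predicate: in Puppet only `undef` and `false` are falsy, so an empty string coming from a fact would pass through and become a host alias; `.filter |$x| { $x and $x != '' }` matches what the comment promises. Whether `$::public_ipaddresses` is set on the first run before the new fact has been synced is not visible here; until then it is `undef` (or an error under strict variables), which is worth a comment next to the array literal.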