diff --git a/openssh.spec b/openssh.spec
index 841d818..1f1829d 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -748,6 +748,7 @@ test -f %{sysconfig_anaconda} && \
 %changelog
 * Thu May 09 2024 Zoltan Fridrich - 9.6p1-10
 - Correctly audit hostname and IP address
+- Make default key sizes configurable in sshd-keygen
 * Wed Apr 24 2024 Dmitry Belyavskiy - 9.6p1-1.9
 - Use OpenSSL SSH KDF implementation
 - s390x fixup
diff --git a/sshd-keygen b/sshd-keygen
index 170ada0..b15fc8c 100644
--- a/sshd-keygen
+++ b/sshd-keygen
@@ -9,8 +9,14 @@ case $KEYTYPE in
 if [[ -r "$FIPS" && $(cat $FIPS) == "1" ]]; then
 exit 0
 fi ;;
- "rsa") ;; # always ok
- "ecdsa") ;;
+ "rsa")
+ if [[ ! -z $SSH_RSA_BITS ]]; then
+ SSH_KEYGEN_OPTIONS="-b $SSH_RSA_BITS"
+ fi ;; # always ok
+ "ecdsa")
+ if [[ ! -z $SSH_ECDSA_BITS ]]; then
+ SSH_KEYGEN_OPTIONS="-b $SSH_ECDSA_BITS"
+ fi ;;
 *) # wrong argument
 exit 12 ;;
 esac
@@ -25,7 +31,7 @@ fi
 rm -f $KEY{,.pub}
 # create new keys
-if ! $KEYGEN -q -t $KEYTYPE -f $KEY -C '' -N '' >&/dev/null; then
+if ! $KEYGEN -q -t $KEYTYPE $SSH_KEYGEN_OPTIONS -f $KEY -C '' -N '' >&/dev/null; then
 exit 1
 fi
diff --git a/sshd.sysconfig b/sshd.sysconfig
index a217ce7..ee44ae6 100644
--- a/sshd.sysconfig
+++ b/sshd.sysconfig
@@ -5,3 +5,6 @@
 # example using systemctl enable sshd-keygen@dsa.service to allow creation
 # of DSA key or systemctl mask sshd-keygen@rsa.service to disable RSA key
 # creation.
+
+#SSH_RSA_BITS=3072
+#SSH_ECDSA_BITS=256
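Review bot: The new `SSH_RSA_BITS` and `SSH_ECDSA_BITS` values are spliced into `SSH_KEYGEN_OPTIONS` in the rsa and ecdsa arms without any check on their content, and because the ssh-keygen invocation in the second sshd-keygen hunk discards all output with `>&/dev/null`, a mistyped or unsupported size now yields a bare `exit 1` and a missing host key with no hint of the cause. Accepting only an unsigned integer before use, e.g. replacing the rsa condition with `if [[ $SSH_RSA_BITS =~ ^[0-9]+$ ]]; then` (and the same for the ecdsa arm), fails early with a recognisable status, and the script's existing `exit 12` "wrong argument" path is the natural place to send a non-empty but non-numeric value. Stylistically, `[[ ! -z $SSH_RSA_BITS ]]` is the negated spelling of `[[ -n "$SSH_RSA_BITS" ]]`, and the `# always ok` comment now sits on the `fi ;;` line where it no longer reads as a remark on the `"rsa")` label. The hunk does not show whether `SSH_KEYGEN_OPTIONS` is initialised before the `case`, which starts at the hunk's first line; if it is not, a value inherited from the environment would also be passed for key types that never set it.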
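Review bot: `$SSH_KEYGEN_OPTIONS` is deliberately left unquoted on the new ssh-keygen line so that the `-b N` string word-splits into two arguments, but nothing marks that as intentional, and a later reader applying the usual quote-everything rule would silently break the feature. Either a comment such as `# $SSH_KEYGEN_OPTIONS is unquoted on purpose: it holds "-b <bits>" and must split` on the line above, or building the options as an array and expanding `"${SSH_KEYGEN_OPTIONS[@]}"`, would make the intent explicit. The `if` being rewritten is the only changed line in this hunk; the surrounding function or script body continues outside it.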
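Review bot: The two commented-out settings appended to sshd.sysconfig carry no explanation of what they control, so an administrator reading the file cannot tell that they become the `-b` size handed to ssh-keygen by sshd-keygen, or that leaving them unset keeps ssh-keygen's own default for the key type. A short comment above them, e.g. `# Key size in bits passed to ssh-keygen -b when sshd-keygen creates the RSA or` / `# ECDSA host key; leave unset to use ssh-keygen's default for that key type.`, would document the contract in the place where the values are set.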