diff --git a/component/githosts.jsonnet b/component/githosts.jsonnet
index 21773f8..62b1b8c 100644
--- a/component/githosts.jsonnet
+++ b/component/githosts.jsonnet
@@ -10,11 +10,14 @@ local params = inv.parameters.lieutenant;
     metadata+: {
       namespace: params.namespace,
     },
-    stringData: {
-      endpoint: params.githosts[name].endpoint,
-      token: params.githosts[name].token,
-      hostKeys: params.githosts[name].host_keys,
-    },
+    stringData:
+      local gh = params.githosts[name];
+      {
+        endpoint: gh.endpoint,
+        token: gh.token,
+        hostKeys: gh.host_keys,
+        [if std.objectHas(gh, 'ssh_endpoint') then 'sshEndpoint']: gh.ssh_endpoint,
+      },
   }
   for name in std.objectFields(params.githosts)
 }
diff --git a/docs/modules/ROOT/pages/how-tos/setup-githost.adoc b/docs/modules/ROOT/pages/how-tos/setup-githost.adoc
index e2cde2b..7cb5e83 100644
--- a/docs/modules/ROOT/pages/how-tos/setup-githost.adoc
+++ b/docs/modules/ROOT/pages/how-tos/setup-githost.adoc
@@ -29,11 +29,14 @@ With the token added to Vault it can now be referenced by the GitHost configurat
 githosts:
   your-gitlab:
     endpoint: https://git.yourdomain.net/
+    ssh_endpoint: ssh://gitlab-ssh.yourdomain.net <1>
     token: '?{vaultkv:${cluster:tenant}/${cluster:name}/lieutenant/githosts/your-gitlab/token}'
     host_keys: |
       git.yourdomain.net ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCnE1dMkh+3uHWck+cTvQqeNUW0lj1uVcIC9JX2Tg6gmkKCYA73+o+I7vo4g6nPtSOAfITvYdHJLzwE9GwlSFsXHMR9q0ErWl2wC+w6FawLMz9//5XqiBi2qq/8WnWp3ecY16jDoGRW4eymT+USFHKJVi696XBy3WE/0BBapPZ58WPqkKN6A27qkIK6FehI80f+zN4ZqikdwWuCFs35fsimcmLnWqWPm8zbOkgCiB+ov4O/xmRNHwJWCk/qzU6X/M9YtMXzAa5mjwDvcHSAizFD3a3Fv68G1VsmRZ0THLrRKM/WOxrWNZoimSNgyjTzoCwiKeckvL5+hpNcNSW+eBPt
       git.yourdomain.net ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO9EkPcVdsz/oVTI2VJkBlq8Mv/dg3rhcbgzAEKyiwUG
 ----
+<1> `ssh_endpoint` is optional. If omitted, the operator uses the same host as `endpoint` for SSH.
+Provide a full SSH URL (for example `ssh://gitlab-ssh.example.com`) or just a host name.
 
 The `host_keys` need to contain the SSH public keys of your GitLab server.
 You can get these easily with:
diff --git a/docs/modules/ROOT/pages/references/parameters.adoc b/docs/modules/ROOT/pages/references/parameters.adoc
index 4519e36..5e5b8fd 100644
--- a/docs/modules/ROOT/pages/references/parameters.adoc
+++ b/docs/modules/ROOT/pages/references/parameters.adoc
@@ -320,10 +320,14 @@ A list of GitLab instances Lieutenant will be able to connect to for repository
 A GitLab token with `api` scope need to be accessible through Vault.
 See the xref:how-tos/setup-githost.adoc[setup githost] how-to for further details.
 
+`ssh_endpoint` is optional. If omitted, the operator uses the same host as `endpoint` for SSH.
+Provide a full SSH URL (for example `ssh://gitlab-ssh.example.com`) or just a host name.
+
 ----
 githosts:
   gitlab-vshn:
     endpoint: https://git.vshn.net/
+    ssh_endpoint: ssh://gitlab-ssh.vshn.net
     token: '?{vaultkv:${cluster:tenant}/${cluster:name}/lieutenant/githosts/gitlab-vshn/token}'
     host_keys: |
       git.vshn.net ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCnE1dMkh+3uHWck+cTvQqeNUW0lj1uVcIC9JX2Tg6gmkKCYA73+o+I7vo4g6nPtSOAfITvYdHJLzwE9GwlSFsXHMR9q0ErWl2wC+w6FawLMz9//5XqiBi2qq/8WnWp3ecY16jDoGRW4eymT+USFHKJVi696XBy3WE/0BBapPZ58WPqkKN6A27qkIK6FehI80f+zN4ZqikdwWuCFs35fsimcmLnWqWPm8zbOkgCiB+ov4O/xmRNHwJWCk/qzU6X/M9YtMXzAa5mjwDvcHSAizFD3a3Fv68G1VsmRZ0THLrRKM/WOxrWNZoimSNgyjTzoCwiKeckvL5+hpNcNSW+eBPt