diff --git a/cmd/serv.go b/cmd/serv.go
index f7fcbc1967ca..8bd2f6c65c10 100644
--- a/cmd/serv.go
+++ b/cmd/serv.go
@@ -287,6 +287,9 @@ func runServ(c *cli.Context) error {
 			if !setting.LFS.StartServer {
 				return fail(ctx, "Unknown git command", "LFS authentication request over SSH denied, LFS support is disabled")
 			}
+			if verb == verbLfsTransfer && !setting.LFS.AllowPureSSH {
+				return fail(ctx, "Unknown git command", "LFS SSH transfer connection denied, pure SSH protocol is disabled")
+			}
 			if len(words) > 2 {
 				lfsVerb = words[2]
 			}
diff --git a/modules/setting/lfs.go b/modules/setting/lfs.go
index 2034ef782c22..6bdcbed91d90 100644
--- a/modules/setting/lfs.go
+++ b/modules/setting/lfs.go
@@ -13,6 +13,7 @@ import (
 // LFS represents the configuration for Git LFS
 var LFS = struct {
 	StartServer    bool          `ini:"LFS_START_SERVER"`
+	AllowPureSSH   bool          `ini:"LFS_ALLOW_PURE_SSH"`
 	JWTSecretBytes []byte        `ini:"-"`
 	HTTPAuthExpiry time.Duration `ini:"LFS_HTTP_AUTH_EXPIRY"`
 	MaxFileSize    int64         `ini:"LFS_MAX_FILE_SIZE"`