diff --git a/puppet/zulip_ops/files/install-ssh-authorized-keys b/puppet/zulip_ops/files/install-ssh-authorized-keys
index 9e1c48c883..75b23aed4d 100644
--- a/puppet/zulip_ops/files/install-ssh-authorized-keys
+++ b/puppet/zulip_ops/files/install-ssh-authorized-keys
@@ -1,6 +1,22 @@
 #!/usr/bin/env bash
 set -euo pipefail
 
+args="$(getopt -o '' --long check -- "$@")"
+eval "set -- $args"
+check=false
+while true; do
+    case "$1" in
+        --check)
+            check=true
+            shift
+            ;;
+        --)
+            shift
+            break
+            ;;
+    esac
+done
+
 username="$1"
 ssh_secret_name="$2"
 
@@ -21,7 +37,7 @@ trap cleanup EXIT
 chmod 644 "$workfile"
 chown "$username:$username" "$workfile"
 
-if [ "$#" -gt 2 ]; then
+if [ "$check" = "true" ]; then
     diff -N "$workfile" "$sshdir/authorized_keys"
     exit 0
 fi
diff --git a/puppet/zulip_ops/manifests/ssh_authorized_keys.pp b/puppet/zulip_ops/manifests/ssh_authorized_keys.pp
index 5b494c9d7c..80c0b7ddd0 100644
--- a/puppet/zulip_ops/manifests/ssh_authorized_keys.pp
+++ b/puppet/zulip_ops/manifests/ssh_authorized_keys.pp
@@ -10,6 +10,6 @@ define zulip_ops::ssh_authorized_keys(
   exec { "ssh_authorized_keys ${user}":
     require => File['/usr/local/bin/install-ssh-authorized-keys'],
     command => "/usr/local/bin/install-ssh-authorized-keys ${user} ${keypath}",
-    unless  => "[ -f /usr/local/bin/install-ssh-authorized-keys ] && /usr/local/bin/install-ssh-authorized-keys ${user} ${keypath} check",
+    unless  => "[ -f /usr/local/bin/install-ssh-authorized-keys ] && /usr/local/bin/install-ssh-authorized-keys --check ${user} ${keypath}",
   }
 }