diff --git a/cluster/gce/configure-vm.sh b/cluster/gce/configure-vm.sh
index 4a6ab822883..9ac82ace2df 100644
--- a/cluster/gce/configure-vm.sh
+++ b/cluster/gce/configure-vm.sh
@@ -220,9 +220,12 @@ mount-master-pd() {
 mkdir -p /mnt/master-pd/srv/kubernetes
 # Contains the cluster's initial config parameters and auth tokens
 mkdir -p /mnt/master-pd/srv/salt-overlay
+ # Directory for kube-apiserver to store SSH key (if necessary)
+ mkdir -p /mnt/master-pd/srv/sshproxy
 ln -s -f /mnt/master-pd/var/etcd /var/etcd
 ln -s -f /mnt/master-pd/srv/kubernetes /srv/kubernetes
+ ln -s -f /mnt/master-pd/srv/sshproxy /srv/sshproxy
 ln -s -f /mnt/master-pd/srv/salt-overlay /srv/salt-overlay
 # This is a bit of a hack to get around the fact that salt has to run after the
diff --git a/cluster/saltbase/salt/kube-apiserver/kube-apiserver.manifest b/cluster/saltbase/salt/kube-apiserver/kube-apiserver.manifest
index f8a903a1452..069df59a5eb 100644
--- a/cluster/saltbase/salt/kube-apiserver/kube-apiserver.manifest
+++ b/cluster/saltbase/salt/kube-apiserver/kube-apiserver.manifest
@@ -25,7 +25,7 @@
 {% set proxy_ssh_options = "" -%}
 {% if grains.proxy_ssh_user is defined -%}
- {% set proxy_ssh_options = "--ssh-user=" + grains.proxy_ssh_user + " --ssh-keyfile=/sshproxy/.sshkeyfile" -%}
+ {% set proxy_ssh_options = "--ssh-user=" + grains.proxy_ssh_user + " --ssh-keyfile=/srv/sshproxy/.sshkeyfile" -%}
 {% endif -%}
 {% set address = "--address=127.0.0.1" -%}
@@ -143,8 +143,8 @@
 { "name": "etcpkitls",
 "mountPath": "/etc/pki/tls",
 "readOnly": true},
- { "name": "sshproxy",
- "mountPath": "/sshproxy",
+ { "name": "srvsshproxy",
+ "mountPath": "/srv/sshproxy",
 "readOnly": false}
 ]
 }
@@ -191,8 +191,9 @@
 "hostPath": {
 "path": "/etc/pki/tls"}
 },
- { "name": "sshproxy",
- "emptyDir": {}
+ { "name": "srvsshproxy",
+ "hostPath": {
+ "path": "/srv/sshproxy"}
 }
 ]
 }}
diff --git a/pkg/util/ssh.go b/pkg/util/ssh.go
index 82285fd74ac..04f265cf938 100644
--- a/pkg/util/ssh.go
+++ b/pkg/util/ssh.go
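Review bot: The added `mkdir -p /mnt/master-pd/srv/sshproxy` in mount-master-pd creates the directory meant for the apiserver's SSH key with whatever mode the umask yields, which on a typical default leaves it readable and traversable by every local user on the master. Creating it as `mkdir -m 700 -p /mnt/master-pd/srv/sshproxy` would keep other accounts out regardless of how the key file itself is written, which this diff does not show; this assumes kube-apiserver runs as the directory's owner. The kube-apiserver.manifest hunks at -143 and -191 raise the stakes: swapping the `emptyDir` for a `hostPath` means the key now persists on the master PD across apiserver restarts, so its permissions and rotation matter more than when it was ephemeral. The body of mount-master-pd starts and ends outside the hunk.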
@@ -91,7 +91,6 @@ func (s *SSHTunnel) tunnel(conn net.Conn, remoteHost, remotePort string) error {
 }
 func (s *SSHTunnel) Close() error {
- glog.Infof("Closing tunnel for host: %q", s.Host)
 if err := s.client.Close(); err != nil {
 return err
 }
@@ -183,6 +182,9 @@ func (l SSHTunnelList) Open() error {
 return nil
 }
+// Close asynchronously closes all tunnels in the list after waiting for 1
+// minute. Tunnels will still be open upon this function's return, but should
+// no longer be used.
 func (l SSHTunnelList) Close() {
 for ix := range l {
 entry := l[ix]
diff --git a/pkg/util/util.go b/pkg/util/util.go
index a6e33774caf..17f56187ea4 100644
--- a/pkg/util/util.go
+++ b/pkg/util/util.go
@@ -515,16 +515,13 @@ func ShortenString(str string, n int) string {
 } else {
 return str[:n]
 }
+}
 func FileExists(filename string) (bool, error) {
- file, err := os.Open(filename)
- defer file.Close()
- if err != nil {
- if os.IsNotExist(err) {
- return false, nil
- } else {
- return false, err
- }
+ if _, err := os.Stat(filename); os.IsNotExist(err) {
+ return false, nil
+ } else if err != nil {
+ return false, err
 }
 return true, nil
 }
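Review bot: FileExists in pkg/util/util.go is exported without a doc comment, and its new `os.Stat` form returns true for any path Stat can resolve, including directories and symlink targets, not only regular files. I would add `// FileExists reports whether filename can be stat'ed; it follows symlinks and also returns true for directories.` above the function. The result is only a point-in-time answer, so a caller that goes on to create the file should open it with `os.O_CREATE|os.O_EXCL` rather than rely on this check. The SSH key path touched elsewhere in this commit may be such a caller, but no caller is visible here.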