diff --git a/roles/pam_sshd/templates/loginnodes_sshd.j2 b/roles/pam_sshd/templates/loginnodes_sshd.j2
index 0b73a8cf8b40633aab0a55f2be817562d6eb0391..b22b0bbf48e20d017775386ebe213732c954b612 100644
--- a/roles/pam_sshd/templates/loginnodes_sshd.j2
+++ b/roles/pam_sshd/templates/loginnodes_sshd.j2
@@ -4,7 +4,7 @@ auth       substack     password-auth
 auth       include      postlogin
 # Used with polkit to reauthorize users in remote sessions
 -auth      optional     pam_reauthorize.so prepare
-account [success=1 default=ignore] pam_succeed_if.so quiet user ingroup systems
+account    sufficient   pam_access.so
 account    required     pam_nologin.so
 account    include      password-auth
 password   include      password-auth