diff --git a/roles/pam_slurm/tasks/main.yml b/roles/pam_slurm/tasks/main.yml
deleted file mode 100644
index 8a13ab12a174e0fbb953a12ffcdaae7eccf8a060..0000000000000000000000000000000000000000
--- a/roles/pam_slurm/tasks/main.yml
+++ /dev/null
@@ -1,11 +0,0 @@
----
-- name: "Copy access.conf"
-  template: src=access.conf.j2 dest=/etc/security/access.conf
-  become: true
-  become_user: root
-
-- name: "Copy password sshd pam config"
-  template: src=sshd.j2 dest=/etc/pam.d/sshd
-  become: true
-  become_user: root
-
diff --git a/roles/pam_sshd/README.md b/roles/pam_sshd/README.md
new file mode 100644
index 0000000000000000000000000000000000000000..7f4546b473b4943f5a5b484d3868fe739ffd004f
--- /dev/null
+++ b/roles/pam_sshd/README.md
@@ -0,0 +1,9 @@
+Install an sshd PAM config definition
+
+we leverage pam_access to ensure that the ec2-user and members of the systems group and always login
+
+we use nologin on the login nodes during maintaince to retrict user login
+
+we use pam_slurm_adopt on the compute nodes so that only users with running jobs can login a given node.
+
+default is to configure as a login node. Use the variable computenodepam to config as a compute node (i.e. enable pam_slurm_adopt)
diff --git a/roles/pam_sshd/tasks/main.yml b/roles/pam_sshd/tasks/main.yml
index c445a9267c2fafc48cbdfa4bec31a1c455e7575d..25e9b257afaf38a05b7d675ae2556038ae84bd45 100644
--- a/roles/pam_sshd/tasks/main.yml
+++ b/roles/pam_sshd/tasks/main.yml
@@ -1,5 +1,18 @@
+---
+- name: "Copy access.conf"
+  template: src=access.conf.j2 dest=/etc/security/access.conf
+  become: true
+  become_user: root
+
 - name: "Copy password sshd pam config"
-  template: src=sshd.j2 dest=/etc/pam.d/sshd
+  template: src=loginnodes_sshd.j2 dest=/etc/pam.d/sshd
   become: true
   become_user: root
+  when: computenodepam is undefined or not computenodepam 
+
 
+- name: "Copy password sshd pam config"
+  template: src=computenodes_sshd.j2 dest=/etc/pam.d/sshd
+  become: true
+  become_user: root
+  when: computenodepam is defined and computenodepam 
diff --git a/roles/pam_slurm/templates/access.conf.j2 b/roles/pam_sshd/templates/access.conf.j2
similarity index 100%
rename from roles/pam_slurm/templates/access.conf.j2
rename to roles/pam_sshd/templates/access.conf.j2
diff --git a/roles/pam_slurm/templates/sshd.j2 b/roles/pam_sshd/templates/computenodes_sshd.j2
similarity index 100%
rename from roles/pam_slurm/templates/sshd.j2
rename to roles/pam_sshd/templates/computenodes_sshd.j2
diff --git a/roles/pam_sshd/templates/sshd.j2 b/roles/pam_sshd/templates/loginnodes_sshd.j2
similarity index 91%
rename from roles/pam_sshd/templates/sshd.j2
rename to roles/pam_sshd/templates/loginnodes_sshd.j2
index 0b73a8cf8b40633aab0a55f2be817562d6eb0391..b22b0bbf48e20d017775386ebe213732c954b612 100644
--- a/roles/pam_sshd/templates/sshd.j2
+++ b/roles/pam_sshd/templates/loginnodes_sshd.j2
@@ -4,7 +4,7 @@ auth       substack     password-auth
 auth       include      postlogin
 # Used with polkit to reauthorize users in remote sessions
 -auth      optional     pam_reauthorize.so prepare
-account [success=1 default=ignore] pam_succeed_if.so quiet user ingroup systems
+account    sufficient   pam_access.so
 account    required     pam_nologin.so
 account    include      password-auth
 password   include      password-auth