diff --git a/manifests/ssh.pp b/manifests/ssh.pp
index 2ca3a5f39c4dd2c6b7dd98ed5c2786e806356372..8c396b4ca132ecac1a095771cc0a9f77a08c00bc 100644
--- a/manifests/ssh.pp
+++ b/manifests/ssh.pp
@@ -15,8 +15,9 @@
 # Default: false
 
 class base::ssh(
-  $pam_afs = true,
-  $pam_duo = false
+  $pam_afs   = true,
+  $pam_duo   = false,
+  $pam_slurm = false
 ){
 
   # Install the openssh server package.
@@ -33,10 +34,18 @@ class base::ssh(
     }
   }
 
+  # If we are using SLURM, install the module.
+  if $pam_slurm {
+    package { 'libpam-slurm':
+      ensure => installed,
+    }
+  }
+
   # Setup /etc/pam.d/sshd to require Duo on regular logins.
   class { 'ssh::pam':
-    pam_afs => $pam_afs,
-    pam_duo => $pam_duo,
+    pam_afs   => $pam_afs,
+    pam_duo   => $pam_duo,
+    pam_slurm => $pam_slurm,
   }
 
   # Our default ssh rules allow connections from all of campus.  This is
diff --git a/manifests/ssh/pam.pp b/manifests/ssh/pam.pp
index b9a8dd77ab22978da8dc399a119698344a7e0ff7..53ea1fd7b7dc4a334d1f21428cd1730753109c52 100644
--- a/manifests/ssh/pam.pp
+++ b/manifests/ssh/pam.pp
@@ -6,8 +6,9 @@
 # Currently, only Debian is supported when $pam_duo is true.
 
 class ssh::pam (
-  $pam_afs = true,
-  $pam_duo = false
+  $pam_afs   = true,
+  $pam_duo   = false,
+  $pam_slurm = false
 ){
 
   # Configure PAM for sshd on RHEL 6.
diff --git a/templates/ssh/etc/pam.d/sshd.erb b/templates/ssh/etc/pam.d/sshd.erb
index 5625053d067949c4ae5c958e4fb50ef1a9348f2a..7e00d600b74b29d56e9a2831d86a8db3141c927d 100644
--- a/templates/ssh/etc/pam.d/sshd.erb
+++ b/templates/ssh/etc/pam.d/sshd.erb
@@ -30,7 +30,15 @@ account    required     pam_nologin.so
 # Uncomment and edit /etc/security/access.conf if you need to set complex
 # access limits that are hard to express in sshd_config.
 # account  required     pam_access.so
+<% if @pam_slurm %>
 
+# Allow access to SLURM compute nodes only if a user has an active job running
+# there, but allow access to administrators using either their normal or .root
+# identities.
+
+account   [success=1 default=ignore]     pam_listfile.so item=user sense=allow file=/etc/security/rcadmins_all onerr=fail
+account   required                       /lib/security/pam_slurm.so
+<% end %>
 # Standard Un*x authorization.
 @include common-account