diff --git a/g5k-postinstall b/g5k-postinstall
index d3fc4ab1cbd1bd2a756a95486e5dbb4eda5125da..649ca4c31c5b4e00220df5a13b5865589ca03c68 100755
--- a/g5k-postinstall
+++ b/g5k-postinstall
@@ -880,7 +880,16 @@ end
 if $restrictuser == 'std' and ENV['KADEPLOY_DEPLOY_LABEL'] == "KDPL_PROD_disk0"
 $logger.info "Std environment deployed on sda2: restricting to oar, root"
+ # The following line write to /etc/security/access.conf, disallowing every users
+ # and allowing only oar and root.
+ # The file /etc/oar/pam_activated is used to enable pam_oar_adopt PAM module,
+ # in std environment only, allowing direct ssh connections to nodes (under
+ # certain conditions).
+ # pam_oar_adopt could have handled the case of oar and root, by always allowing
+ # them to connect. However, we thought that it is wiser to let pam_access do it
+ # instead of our custom script launched via pam_exec
 accessconf_auth(['oar', 'root'])
+ FileUtils.touch("#{DSTDIR}/etc/oar/pam_activated")
 elsif $restrictuser =~ /^login:/
 user = ["#{$restrictuser.split(':')[1]}"]
 $logger.info "Restricting LDAP accounts to #{user}"