Depending on budget, you could use some sort of token card like SecurID to do the OS auth -- this way the students that are authorized to use the system each get assigned a card and only the person holding the card (and knowing the PIN) can log into the system. These systems and the cards have really come down in price over the years and may be well within your budget. If a break in does happen it can be tracked down to the holder of the card (unless it was stolen in which case you should have a rule about reporting the card stolen).

-Waswas