diff --git a/nix/templates/weston-vnc.nix b/nix/templates/weston-vnc.nix
index e17b151..bc9881e 100644
--- a/nix/templates/weston-vnc.nix
+++ b/nix/templates/weston-vnc.nix
@@ -106,11 +106,19 @@
 
           # neatvnc ≥ 0.9 advertises RSA-AES and Apple-DH security types
           # when auth is compiled in. The browser client handles Apple-DH
-          # (type 30) with empty credentials (weston auth-method=none
-          # accepts any credentials). --disable-transport-layer-security
-          # prevents the VeNCrypt TLS wrapper over the VNC-over-WebSocket
-          # relay; plain auth types are used directly.
+          # (type 30) with empty credentials.
+          #
+          # weston.ini [vnc] auth-method=none: weston uses an always-accept
+          # auth callback instead of PAM. Without this, weston defaults to
+          # PAM authentication which rejects empty credentials (SecurityResult=1).
+          #
+          # --disable-transport-layer-security prevents the VeNCrypt TLS
+          # wrapper; plain auth types (incl. type 30) are advertised directly.
+          WESTON_INI=$(${pkgs.coreutils}/bin/mktemp /tmp/weston-XXXXXX.ini)
+          ${pkgs.coreutils}/bin/printf '[vnc]\nauth-method=none\n' > "$WESTON_INI"
+
           exec ${pkgs.weston}/bin/weston \
+            --config="$WESTON_INI" \
             --backend=vnc-backend.so \
             --renderer=pixman \
             --port="$VNC_PORT" \