diff --git a/nix/templates/weston-vnc.nix b/nix/templates/weston-vnc.nix
index e002ba7..5dc5336 100644
--- a/nix/templates/weston-vnc.nix
+++ b/nix/templates/weston-vnc.nix
@@ -59,9 +59,13 @@
   config = lib.mkIf config.hyperhive.gui.enable {
     # neatvnc 0.9 always calls the PAM auth callback (weston_authenticate_user)
     # for Apple-DH (type 30), regardless of weston.ini auth-method=none.
-    # pam_permit.so makes the "weston" PAM service accept any credentials,
-    # so the browser's empty Apple-DH credentials always pass.
-    security.pam.services.weston.text = ''
+    # pam_permit.so makes the PAM service accept any credentials so the
+    # browser's empty Apple-DH credentials always pass.
+    #
+    # The service name is "weston-remote-access" — that is the literal string
+    # passed to pam_start() inside libweston (libweston/auth.c). Using "weston"
+    # instead silently falls back to the system default and rejects auth.
+    security.pam.services."weston-remote-access".text = ''
       auth     sufficient pam_permit.so
       account  sufficient pam_permit.so
       session  sufficient pam_permit.so