From e50173f3e10af96f9dda5b3d2b63832be793995b Mon Sep 17 00:00:00 2001
From: iris
Date: Wed, 20 May 2026 20:28:32 +0200
Subject: [PATCH] weston-vnc: fix PAM service name (weston-remote-access, not weston)
weston calls pam_start("weston-remote-access", ...) in libweston/auth.c. The previous security.pam.services.weston entry created /etc/pam.d/weston which was never consulted, so PAM fell back to the system default and rejected all credentials. Renaming to weston-remote-access makes pam_permit.so actually take effect.
Fixes #92
---
 nix/templates/weston-vnc.nix | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/nix/templates/weston-vnc.nix b/nix/templates/weston-vnc.nix
index e002ba7..5dc5336 100644
--- a/nix/templates/weston-vnc.nix
+++ b/nix/templates/weston-vnc.nix
@@ -59,9 +59,13 @@
 config = lib.mkIf config.hyperhive.gui.enable {
 # neatvnc 0.9 always calls the PAM auth callback (weston_authenticate_user)
 # for Apple-DH (type 30), regardless of weston.ini auth-method=none.
- # pam_permit.so makes the "weston" PAM service accept any credentials,
- # so the browser's empty Apple-DH credentials always pass.
- security.pam.services.weston.text = ''
+ # pam_permit.so makes the PAM service accept any credentials so the
+ # browser's empty Apple-DH credentials always pass.
+ #
+ # The service name is "weston-remote-access" — that is the literal string
+ # passed to pam_start() inside libweston (libweston/auth.c). Using "weston"
+ # instead silently falls back to the system default and rejects auth.
+ security.pam.services."weston-remote-access".text = ''
 auth sufficient pam_permit.so
 account sufficient pam_permit.so
 session sufficient pam_permit.so
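Review bot: The comment above `security.pam.services."weston-remote-access".text` explains why the service name matters but not the consequence of getting it right: `auth sufficient pam_permit.so` is now actually consulted, so the VNC backend accepts any username and password from whoever can reach its port, where before the fix every login was rejected. Nothing in this hunk shows what else limits access (listen address, firewall, or an authenticating front end for the browser client), so that dependency should be stated next to the stanza, for example `# SECURITY: this disables VNC authentication; safe only while the VNC port is not reachable by untrusted clients (see <where the listener is restricted>).` If that restriction lives elsewhere in the template, a NixOS `assertions` entry tying this PAM service to it would keep the two from drifting apart. The `''` string and the `config` block both continue past the end of the hunk, so any later stanzas are not visible here.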