From fceab658f44266ae420f90f962c97735f5223e1b Mon Sep 17 00:00:00 2001
From: iris <iris@hyperhive>
Date: Wed, 20 May 2026 19:56:31 +0200
Subject: [PATCH] weston-vnc: add pam_permit.so for weston service to accept
 any Apple-DH credentials

---
 nix/templates/weston-vnc.nix | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/nix/templates/weston-vnc.nix b/nix/templates/weston-vnc.nix
index bc9881e..e002ba7 100644
--- a/nix/templates/weston-vnc.nix
+++ b/nix/templates/weston-vnc.nix
@@ -57,6 +57,16 @@
   };
 
   config = lib.mkIf config.hyperhive.gui.enable {
+    # neatvnc 0.9 always calls the PAM auth callback (weston_authenticate_user)
+    # for Apple-DH (type 30), regardless of weston.ini auth-method=none.
+    # pam_permit.so makes the "weston" PAM service accept any credentials,
+    # so the browser's empty Apple-DH credentials always pass.
+    security.pam.services.weston.text = ''
+      auth     sufficient pam_permit.so
+      account  sufficient pam_permit.so
+      session  sufficient pam_permit.so
+    '';
+
     systemd.services.weston = {
       description = "Weston Wayland compositor (VNC backend)";
       after = [ "network.target" ];