What do you want from PAM (`security.pam`) in NixOS?

It’s just a small wish…

As a user I really like using `security.pam.sshAgentAuth`.
This makes authenticating on “sudo related stuff” really effortless (depends on how you configure your `SSH_AUTH_SOCK` I guess), whether it’s local or remote SSH!
However, this falls short whenever I do a systemd-related authentication like `systemctl restart xyz.service`. Now it’s prompting me to type a password instead of a PAM module kicking in, and now I feel like I’m back to before knowing PAM!
I know that I can add `sudo` in front of the command to fix that but … I just do not enjoy a password prompt (especially if it’s in the terminal itself, like in the case of an SSHed remote machine).

Before I wish this could be better, I may not be aware of how to do this in the current form, although I tried to find a way and couldn’t.

iirc systemd uses polkit when it gives you that prompt so it might be unrelated to PAM? I’m not sure how polkit would interact with ssh agent auth though.

Just came across this thread googling the idea, but one thing I would love to see packaged in nixpkgs is pam-beacon (GitHub: muesli/pam-beacon, a PAM module for multi-factor authentication with Bluetooth Devices & Beacons), which currently only appears to be packaged in the AUR. Went down the rabbit hole looking at using my Android phone, which can function as a Bluetooth security key, so I can have the convenience of auto-unlock, but the security of a password or physical security key so I’m not just leaving the system unlocked.
