diff --git a/system/etc.nix b/system/etc.nix
index d0978353d108..d29c869ba976 100644
--- a/system/etc.nix
+++ b/system/etc.nix
@@ -97,6 +97,7 @@ import ../helpers/make-etc.nix {
             if config.get ["users" "ldap" "enable"]
             then pkgs.pam_ldap
             else "/no-such-path";
+          inherit (pkgs.xorg) xauth;
         };
         target = "pam.d/" + program;
       }
diff --git a/system/etc/pam.d/su b/system/etc/pam.d/su
index 5fbdc16359a9..ca777155cc63 100644
--- a/system/etc/pam.d/su
+++ b/system/etc/pam.d/su
@@ -3,3 +3,4 @@ auth     include        common-auth
 account  include        common-account
 password include        common-password
 session  include        common-session
+session  optional       pam_xauth.so xauthpath=@xauth@/bin/xauth systemuser=99