How does PAM work for GDM remote displays?

Hi there!

I’m working on making Chrome Remote Desktop work with GDM remote login following Joan’s blog.

One issue I’ve run into is that our company’s /etc/security/access.conf file blocks the remote display’s greeter session from being created, since we have +:Debian-gdm:LOCAL configured. The symptom is that CreateRemoteDisplay successfully creates the RemoteDisplay object, but the SessionId property remains blank.

Changing +:Debian-gdm:LOCAL to +:Debian-gdm:ALL would work, but we are not super comfortable with this change. One thing we have noticed is that using +:Debian-gdm:0.0.0.0 and even +:Debian-gdm:0.0.0.0/32 would work. By running loginctl show-session GREETER_SESSION, I’m getting the following:

...
Remote=yes
RemoteHost=0.0.0.0
...

So my questions are:

  1. Why is the RemoteHost 0.0.0.0 for remote displays, and what does 0.0.0.0 mean?
  2. How does GDM trigger the PAM check for remote displays?
  3. Is it possible for us to modify access.conf such that we are only opening up Debian-gdm for GDM remote displays? Ideally we would also want to restrict this to remote displays created by Chrome Remote Desktop, but assume that this is challenging to do.

Thanks!

Some additional questions from our security engineer:

  • Since these sessions are technically triggered by a local root process via Unix Domain Sockets, should they ideally be treated as LOCAL by systemd-logind?
  • Also, is there a way for a D-Bus caller (the CRD process) to provide a specific hostname/string to GDM so that PAM sees a more descriptive origin than 0.0.0.0?
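As an added illustration that is not part of the original post: a small Python model of how a pam_access-style policy evaluates the four Debian-gdm rule variants mentioned above against the origin string 0.0.0.0 that logind reports for the remote greeter. It assumes the usual trailing -:ALL:ALL deny rule (the post does not show the full file) and approximates pam_access semantics as documented (first matching line wins, LOCAL matches an origin without a dot, a token with a slash is a CIDR network, no match at all means permit); it is not pam_access's own code.

```python
import ipaddress

# Constructed sample policy modelled on the post, with an assumed deny-all tail.
ACCESS_CONF = """\
+:root:LOCAL
+:Debian-gdm:LOCAL
-:ALL:ALL
"""

def _origin_matches(token: str, origin: str) -> bool:
    """Approximate pam_access origin matching (assumption, not pam_access code)."""
    if token == "ALL":
        return True
    if token == "LOCAL":
        # LOCAL matches origins with no dot (a tty name or an empty PAM_RHOST).
        # 0.0.0.0 contains dots, so it is *not* LOCAL, which is why the remote
        # greeter is refused by +:Debian-gdm:LOCAL.
        return "." not in origin and ":" not in origin
    if "/" in token:  # CIDR network such as 0.0.0.0/32
        try:
            return ipaddress.ip_address(origin) in ipaddress.ip_network(token, strict=False)
        except ValueError:
            return False
    return token == origin  # exact host/address string

def _user_matches(token: str, user: str) -> bool:
    return token == "ALL" or token == user

def evaluate(conf: str, user: str, origin: str) -> bool:
    """Return True if access is permitted; the first matching rule decides."""
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        perm, users, origins = line.split(":", 2)
        if any(_user_matches(u, user) for u in users.split()) and \
           any(_origin_matches(o, origin) for o in origins.split()):
            return perm == "+"
    return True  # pam_access permits when no rule matches

def greeter_allowed(debian_gdm_rule: str, origin: str = "0.0.0.0") -> bool:
    """Evaluate a policy whose Debian-gdm line is `debian_gdm_rule` for the greeter."""
    conf = f"+:root:LOCAL\n{debian_gdm_rule}\n-:ALL:ALL\n"
    return evaluate(conf, "Debian-gdm", origin)
```

Run greeter_allowed("+:Debian-gdm:0.0.0.0/32") versus greeter_allowed("+:Debian-gdm:ALL") to see why the narrower rule admits the remote greeter without opening Debian-gdm to every origin.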