diff --git a/etc/default.nix b/etc/default.nix index 6614b612423..46874f162ba 100644 --- a/etc/default.nix +++ b/etc/default.nix @@ -2,15 +2,32 @@ let + optional = option: file: if config.get option then [file] else []; + + # !!! ugh, these files shouldn't be created here. + + envConf = pkgs.writeText "environment" " PATH=${systemPath}/bin:${systemPath}/sbin:${pkgs.openssh}/bin NIX_REMOTE=daemon - " /* ${pkgs.openssh}/bin is a hack to get remote scp to work */; + " /* ${pkgs.openssh}/bin is a hack to get remote scp to work */; + + + # Don't indent this file! + pamConsoleHandlers = pkgs.writeText "console.handlers" " +console consoledevs /dev/tty[0-9][0-9]* :[0-9]\.[0-9] :[0-9] +${pkgs.pam_console}/sbin/pam_console_apply lock logfail wait -t tty -s -c ${pamConsolePerms} +${pkgs.pam_console}/sbin/pam_console_apply unlock logfail wait -r -t tty -s -c ${pamConsolePerms} +"; + + pamConsolePerms = ./security/console.perms; + in + import ../helpers/make-etc.nix { inherit (pkgs) stdenv; @@ -126,15 +143,17 @@ import ../helpers/make-etc.nix { # A bunch of PAM configuration files for various programs. ++ (map (program: + let isLDAPEnabled = config.get ["users" "ldap" "enable"]; in { source = pkgs.substituteAll { src = ./pam.d + ("/" + program); - inherit (pkgs) pam_unix2; + inherit (pkgs) pam_unix2 pam_console; pam_ldap = - if config.get ["users" "ldap" "enable"] + if isLDAPEnabled then pkgs.pam_ldap else "/no-such-path"; inherit (pkgs.xorg) xauth; - inherit envConf; + inherit envConf pamConsoleHandlers; + isLDAPEnabled = if isLDAPEnabled then "" else "#"; }; target = "pam.d/" + program; } @@ -150,6 +169,7 @@ import ../helpers/make-etc.nix { "useradd" "chsh" "common" + "common-console" # shared stuff for interactive local sessions ] ) diff --git a/etc/pam.d/common b/etc/pam.d/common index ad460a0feb9..146dc1c0e16 100644 --- a/etc/pam.d/common +++ b/etc/pam.d/common 
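Review bot: The `consoledevs` pattern in the `pamConsoleHandlers` string is written as `:[0-9]\.[0-9]`, but inside a Nix double-quoted string `\.` is unescaped to a bare `.`, so the generated console.handlers file most likely ends up with `:[0-9].[0-9]` and the regex that decides which PAM_TTY values count as a local console is looser than intended. Writing it as `:[0-9]\\.[0-9]` keeps the backslash; the same pattern in ./security/console.perms is a plain file and is not affected. The new `optional` helper is not referenced in any of the visible hunks; if it is unused elsewhere in the file it should be dropped rather than left as dead code. A short comment on `pamConsoleHandlers` saying that its two `pam_console_apply` lines are what actually hand device ownership to and take it back from the logged-in user would also help, since that is the security-relevant effect of this file.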
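Review bot: The purpose of `isLDAPEnabled = if isLDAPEnabled then "" else "#";` in the substituteAll attribute set is not obvious at the call site: it is a line prefix that comments the pam_ldap entries out of the generated pam.d files when LDAP authentication is off, which is also what makes the `"/no-such-path"` fallback for `pam_ldap` effectively unreachable. A comment such as `# Line prefix for the pam_ldap entries in pam.d/*: "#" disables them when LDAP auth is off.` would save the next reader a trip to etc/pam.d/common. The `let isLDAPEnabled = config.get [...]` is also evaluated once per program inside the `map`; it reads only `config`, so it could move to the file-level `let` at the top of the file.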
@@ -1,13 +1,13 @@ -auth sufficient @pam_ldap@/lib/security/pam_ldap.so +@isLDAPEnabled@ auth sufficient @pam_ldap@/lib/security/pam_ldap.so auth sufficient @pam_unix2@/lib/security/pam_unix2.so auth required pam_deny.so -account optional @pam_ldap@/lib/security/pam_ldap.so +@isLDAPEnabled@ account optional @pam_ldap@/lib/security/pam_ldap.so account required @pam_unix2@/lib/security/pam_unix2.so -password sufficient @pam_ldap@/lib/security/pam_ldap.so +@isLDAPEnabled@ password sufficient @pam_ldap@/lib/security/pam_ldap.so password sufficient @pam_unix2@/lib/security/pam_unix2.so nullok -session optional @pam_ldap@/lib/security/pam_ldap.so +@isLDAPEnabled@ session optional @pam_ldap@/lib/security/pam_ldap.so session required @pam_unix2@/lib/security/pam_unix2.so session optional pam_env.so envfile=@envConf@ diff --git a/etc/pam.d/common-console b/etc/pam.d/common-console new file mode 100644 index 00000000000..1534ac15401 --- /dev/null +++ b/etc/pam.d/common-console @@ -0,0 +1 @@ +session optional @pam_console@/lib/security/pam_console.so debug handlersfile=@pamConsoleHandlers@ diff --git a/etc/pam.d/login b/etc/pam.d/login index 50f3cc5ce60..dac4fec866c 100644 --- a/etc/pam.d/login +++ b/etc/pam.d/login @@ -2,3 +2,4 @@ auth include common account include common password include common session include common +session include common-console diff --git a/etc/pam.d/slim b/etc/pam.d/slim index 50f3cc5ce60..dac4fec866c 100644 --- a/etc/pam.d/slim +++ b/etc/pam.d/slim @@ -2,3 +2,4 @@ auth include common account include common password include common session include common +session include common-console diff --git a/etc/security/console.perms b/etc/security/console.perms new file mode 100644 index 00000000000..c5d9b4aa693 --- /dev/null +++ b/etc/security/console.perms 
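Review bot: When LDAP is enabled the `@isLDAPEnabled@` placeholder expands to the empty string, so the four rewritten lines begin with a space (` auth sufficient @pam_ldap@/lib/security/pam_ldap.so`); Linux-PAM's config parser appears to skip leading whitespace, but that should be confirmed for the PAM version in use, and the layout is fragile either way. Dropping the space after the placeholder, i.e. `@isLDAPEnabled@auth sufficient @pam_ldap@/lib/security/pam_ldap.so` and likewise for the account, password and session lines, yields either `auth ...` or `#auth ...` and removes the question. A one-line comment at the top of the file explaining that `@isLDAPEnabled@` is substituted with `#` or nothing from etc/default.nix would make the generated file self-describing.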
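Review bot: The new common-console entry passes `debug` to pam_console.so, which makes the module log verbosely to syslog on every session open and close; that is useful while bringing the feature up but should not ship as the default for every local login. Drop it once the handlers work, i.e. `session optional @pam_console@/lib/security/pam_console.so handlersfile=@pamConsoleHandlers@`, or make it a substituted option from etc/default.nix the way `@isLDAPEnabled@` is. Since the entry is `optional`, a failure to lock or apply the permissions is silent apart from that logging, which is worth a comment in the file so nobody later removes `debug` expecting failures to be visible elsewhere.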
@@ -0,0 +1,79 @@
+# This file determines the permissions that will be given to priviledged
+# users of the console at login time, and the permissions to which to
+# revert when the users log out.
+
+# format is:
+# =list of regexps specifying consoles or globs specifying files
+# file-glob| perm dev-regex| \
+# revert-mode revert-owner[.revert-group]
+# the revert-mode, revert-owner, and revert-group are optional, and default
+# to 0600, root, and root, respectively.
+#
+# For more information:
+# man 5 console.perms
+
+# file classes -- these are regular expressions
+=/dev/tty[0-9][0-9]* :[0-9]\.[0-9] :[0-9]
+=:[0-9]\.[0-9] :[0-9]
+
+# device classes -- these are shell-style globs
+=/dev/fd[0-1]* \
+ /dev/floppy* /mnt/floppy*
+=/dev/dsp* /dev/audio* /dev/midi* \
+ /dev/mixer* /dev/sequencer* \
+ /dev/sound/* /dev/beep \
+ /dev/snd/*
+=/dev/cdrom* /dev/cdroms/* /dev/cdwriter* /mnt/cdrom*
+=/dev/pilot
+=/mnt/jaz*
+=/mnt/pocketzip* /mnt/zip* /dev/zip*
+=/dev/ls120 /mnt/ls120*
+=/dev/scanner* /dev/usb/scanner*
+=/dev/usb/rio500
+=/mnt/camera* /dev/usb/dc2xx* /dev/usb/mdc800*
+=/mnt/memstick*
+=/mnt/flash* /dev/flash*
+=/mnt/diskonkey*
+=/mnt/microdrive*
+=/dev/fb /dev/fb[0-9]* \
+ /dev/fb/*
+=/dev/kbd
+=/dev/js[0-9]*
+=/dev/video* /dev/radio* /dev/winradio* /dev/vtx* /dev/vbi* \
+ /dev/video/*
+=/dev/gpmctl
+=/dev/nvidia* /dev/3dfx* /dev/dri/card*
+=/dev/apm_bios
+=/dev/pmu
+=/dev/rfcomm*
+=/dev/raw1394
+=/dev/ircomm*
+
+# permission definitions
+ 0660
+ 0600
+ 0600
+ 0600
+ 0600
+ 0600
+ 0600
+ 0600
+ 0600
+ 0600
+ 0600
+ 0600
+ 0600
+ 0600
+ 0600
+ 0600
+ 0600
+ 0700
+ 0600
+ 0600
+ 0600
+ 0600
+ 0600
+ 0600
+
+ 0600 /dev/console
+ 0600
diff --git a/system/activate-configuration.sh b/system/activate-configuration.sh
index 3dbae8faec0..cd80ec502a7 100644
--- a/system/activate-configuration.sh
+++ b/system/activate-configuration.sh
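Review bot: The permission-definition lines at the end of the file appear here with only a mode (`0660`, `0700`, `0600 /dev/console`) and the file- and device-class lines start with a bare `=`; console.perms(5) requires a `<class>` name on each of those, so the angle-bracket tokens were most likely stripped when this page was rendered, and the committed file, not this view, is what should be checked. Beyond that, the device-class list is the stock upstream one (floppy, sound, cdrom, scanners, cameras, framebuffer, DRI and nvidia nodes, rfcomm, raw1394, ...) and every local tty or X login is given ownership of all of them for the length of the session; trimming it to the classes this system actually needs, with a short comment per class saying why it is there, keeps the exposure to what was reviewed. The first comment line also has `priviledged` for `privileged`.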
@@ -49,8 +49,9 @@ ln -sfn @bash@/bin/sh $mountPoint/bin/sh echo @modprobe@/sbin/modprobe > /proc/sys/kernel/modprobe -# Various log directories. +# Various log/runtime directories. mkdir -m 0755 -p /var/run +mkdir -m 0755 -p /var/run/console # for pam_console touch /var/run/utmp # must exist chmod 644 /var/run/utmp
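Review bot: `mkdir -m 0755 -p /var/run/console` only applies the mode when it creates the directory; if /var/run/console already exists with a different mode or owner, for instance left behind by an earlier configuration, pam_console will keep its per-session lock and user files in a directory whose permissions were never checked, and it presumably relies on that directory being root-owned and not writable by other users. Following the mkdir with `chmod 0755 /var/run/console` makes the activation idempotent in that respect; the same consideration applies to the existing `/var/run` line. The script continues outside the hunk.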