diff --git a/modules/programs/shadow.nix b/modules/programs/shadow.nix index 81286d9bb5c..68e9fe38f5b 100644 --- a/modules/programs/shadow.nix +++ b/modules/programs/shadow.nix @@ -75,7 +75,8 @@ in security.pam.services = [ { name = "chsh"; rootOK = true; } { name = "chfn"; rootOK = true; } - { name = "su"; rootOK = true; forwardXAuth = true; } + # Enable ‘ownDevices’ for the services/x11/display-managers/auto.nix module. + { name = "su"; rootOK = true; ownDevices = true; forwardXAuth = true; } { name = "passwd"; } # Note: useradd, groupadd etc. aren't setuid root, so it # doesn't really matter what the PAM config says as long as it diff --git a/modules/services/x11/display-managers/auto.nix b/modules/services/x11/display-managers/auto.nix index e2b1ee42e83..7518dc350f7 100644 --- a/modules/services/x11/display-managers/auto.nix +++ b/modules/services/x11/display-managers/auto.nix @@ -52,6 +52,11 @@ in ''; }; + # The ConsoleKit PAM connector launches a local session, but it's + # not set as "active" (maybe because x11-display-device is not + # set). Launching a child session seems to fix that. + services.xserver.displayManager.forceCKSession = true; + }; } diff --git a/modules/services/x11/display-managers/default.nix b/modules/services/x11/display-managers/default.nix index e17cb541af6..47743d436a5 100644 --- a/modules/services/x11/display-managers/default.nix +++ b/modules/services/x11/display-managers/default.nix @@ -53,8 +53,8 @@ let # Start a ConsoleKit session so that we get ownership of various # devices. - if test -z "$XDG_SESSION_COOKIE"; then - exec ${pkgs.consolekit}/bin/ck-launch-session "$0" "$sessionType" + if [ \( -z "$XDG_SESSION_COOKIE" -o -n "${toString cfg.displayManager.forceCKSession}" \) -a -z "$CK_STARTED" ]; then + CK_STARTED=1 exec ${pkgs.consolekit}/bin/ck-launch-session "$0" "$sessionType" fi # Handle being called by kdm. 
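Review bot: In modules/programs/shadow.nix the new `ownDevices = true` on the `su` entry takes effect for every `su` call on every system that includes this module, while the added comment says it is only needed for the auto display manager. If ownDevices does what its name and the ConsoleKit comment in display-managers/default.nix suggest, a `su` from a remote or non-graphical login would go through the same device-ownership step. I would make the value conditional on the auto display manager being enabled, or at least extend the comment: `# Needed only by services/x11/display-managers/auto.nix, but takes effect for every ‘su’ call.` The list this entry belongs to continues outside the hunk.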
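Review bot: In modules/services/x11/display-managers/auto.nix the three-line workaround comment and `forceCKSession = true` are repeated verbatim in slim.nix, and the explanation is itself a guess ("maybe", "seems to fix"). The rationale would be better kept once, in the `description` of the forceCKSession option in default.nix, with each display manager carrying only a short pointer such as `# See forceCKSession: the PAM-created ConsoleKit session is not marked active.` Recording how the inactive session was observed would make it possible to drop the workaround once the cause is understood.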
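Review bot: In the session script in display-managers/default.nix, the loop guard `CK_STARTED` is read from the inherited environment and, because it is set on the `exec` line, stays exported to everything the session starts. A value already present when the script first runs skips `ck-launch-session` entirely, and a nested session started from inside this one would skip it too. Clearing it once the re-exec has happened keeps it internal: add `unset CK_STARTED` right after the `fi`. The test also combines `\( … \)`, `-o` and `-a` in a single `[`, which POSIX marks obsolescent because parsing is ambiguous for some operands; `{ [ -z "$XDG_SESSION_COOKIE" ] || [ -n "…" ]; } && [ -z "$CK_STARTED" ]` is the safer form. The script continues outside the hunk.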
@@ -162,6 +162,12 @@ in apply = toString; }; + forceCKSession = mkOption { + internal = true; + default = false; + description = "Whether to force launching of a ConsoleKit session."; + }; + session = mkOption { default = []; example = [ diff --git a/modules/services/x11/display-managers/slim.nix b/modules/services/x11/display-managers/slim.nix index bc1fceeefc5..fb6f1de9d5a 100644 --- a/modules/services/x11/display-managers/slim.nix +++ b/modules/services/x11/display-managers/slim.nix @@ -1,4 +1,4 @@ -{pkgs, config, ...}: +{ config, pkgs, ... }: with pkgs.lib; @@ -106,8 +106,17 @@ in # Allow null passwords so that the user can login as root on the # installation CD. - security.pam.services = [ { name = "slim"; allowNullPassword = true; } ]; + security.pam.services = singleton + { name = "slim"; + allowNullPassword = true; + ownDevices = true; + }; + # The ConsoleKit PAM connector launches a local session, but it's + # not set as "active" (maybe because x11-display-device is not + # set). Launching a child session seems to fix that. + services.xserver.displayManager.forceCKSession = true; + }; }
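Review bot: The new `forceCKSession` option in display-managers/default.nix declares no type, yet the session script turns it into a string with `toString` and tests it with `-n`, so only a real boolean behaves as intended (`true` becomes a non-empty string, `false` an empty one). A string value such as `"false"` would force the session. Adding `type = types.bool;` makes that explicit, assuming `types` is in scope in this file, which the hunk does not show. The description could also say that the value is consumed by the session wrapper script.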
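Review bot: In slim.nix the `slim` PAM service now combines `allowNullPassword = true` with `ownDevices = true`, so an account with an empty password that logs in through slim also goes through the device-ownership step. The existing comment justifies null passwords only for the installation CD, but nothing in this hunk limits either setting to that case. I would state the combination in the comment, e.g. `# ‘ownDevices’ also applies to null-password logins; keep such accounts to the installation CD.`, or restrict `allowNullPassword` to the installer configuration if that can be expressed here.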