diff --git a/hosts/common/polyunfill.nix b/hosts/common/polyunfill.nix index d823c3a3..4c2cd02c 100644 --- a/hosts/common/polyunfill.nix +++ b/hosts/common/polyunfill.nix @@ -3,18 +3,30 @@ { lib, ... }: { # remove a few items from /run/wrappers we don't need. - # these were populated by options.security.wrappers = lib.mkOption { apply = lib.filterAttrs (name: _: !(builtins.elem name [ + # wrappers from "newgidmap" "newgrp" "newuidmap" # "sg" # "su" + # wrappers from + # may need to patch e.g. `pam` package (pam_unix) to not refer to unix_chkpwd by path + "unix_chkpwd" ])); }; config = { + nixpkgs.overlays = [(self: super: { + pam = super.pam.overrideAttrs (upstream: { + postPatch = (if upstream.postPatch != null then upstream.postPatch else "") + '' + substituteInPlace modules/pam_unix/Makefile.am --replace-fail \ + "/run/wrappers/bin/unix_chkpwd" "$out" + ''; + }); + })]; + # disable non-required packages like nano, perl, rsync, strace environment.defaultPackages = [];
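Review bot: In the new `pam` overlay, `--replace-fail "/run/wrappers/bin/unix_chkpwd" "$out"` rewrites the helper path to the package's output directory rather than to an executable, so pam_unix would presumably fail whenever it falls back to the helper. The replacement most likely wants the installed binary, e.g. `"/run/wrappers/bin/unix_chkpwd" "$out/bin/unix_chkpwd"` (confirm which directory this build installs it into). Because the same change drops `unix_chkpwd` from `security.wrappers`, the helper would no longer run setuid, which deserves a comment such as `# unix_chkpwd is no longer setuid: non-root PAM callers may be unable to verify passwords against /etc/shadow`. Separately, `upstream.postPatch != null` throws if the attribute is absent, whereas `(upstream.postPatch or "")` covers that case. The `config = { … }` block continues past the end of the hunk.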