diff --git a/hosts/by-name/servo/services/gitea.nix b/hosts/by-name/servo/services/gitea.nix
index 2ee43e1b..e7c70a4e 100644
--- a/hosts/by-name/servo/services/gitea.nix
+++ b/hosts/by-name/servo/services/gitea.nix
@@ -90,6 +90,8 @@
 ];
 };
+ services.openssh.settings.UsePAM = true; #< required for `git` user to authenticate
+
 # hosted git (web view and for `git ` use
 # TODO: enable publog?
 services.nginx.virtualHosts."git.uninsane.org" = {
diff --git a/hosts/common/ssh.nix b/hosts/common/ssh.nix
index 55f70939..de627e10 100644
--- a/hosts/common/ssh.nix
+++ b/hosts/common/ssh.nix
@@ -25,7 +25,7 @@ in
 enable = true;
 settings.PermitRootLogin = "no";
 settings.PasswordAuthentication = false;
- settings.UsePAM = false; #< notably, disables systemd session tracking; incidentally disables pam_mount, etc.
+ settings.UsePAM = lib.mkDefault false; #< notably, disables systemd session tracking; incidentally disables pam_mount, etc.
 };
 sane.ports.ports."22" = {
 protocol = [ "tcp" ];
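Review bot: Turning `UsePAM` on for servo also re-enables sshd's keyboard-interactive method, which is backed by PAM, and nothing visible in this diff turns it off; `settings.PasswordAuthentication = false` in hosts/common/ssh.nix does not cover that method. Unless it is already set outside these hunks, add `services.openssh.settings.KbdInteractiveAuthentication = false;` beside the new line so key-only login stays enforced on this host. The option is host-wide rather than scoped to the `git` account, so PAM account and session modules now run for every SSH login on servo. The trailing comment would be more useful if it said that and gave the actual reason the `git` user fails without PAM.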
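Review bot: The trailing comment on `settings.UsePAM` still reads as if PAM is off on every host, but with `lib.mkDefault` any module can now override it at normal priority, as gitea.nix does for servo. Extend it so the baseline file states the assumption, e.g. `#< default only; servo's gitea.nix overrides this. hosts that enable PAM should also disable KbdInteractiveAuthentication`. The enclosing attribute set starts above the hunk, so whether other hosts already override the value cannot be checked from here.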