+* if pam_systemd is invoked by su from a process that is outside of a
+ any session we should probably just become a NOP, since that's
+ usually not a real user session but just some system code that just
+ needs setuid().
+
+* add a pam module that passes the hdd passphrase into the PAM stack and then expires it, for usage by gdm auto-login.
+
+* add a pam module that on password changes updates any LUKS slot where the password matches
+