diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix
index b7a5d7131b57..242ce52bfb5b 100644
--- a/nixos/modules/security/pam.nix
+++ b/nixos/modules/security/pam.nix
@@ -597,6 +597,7 @@ let
           (map (rule: concatStringsSep " " (
             [ type rule.control rule.modulePath ]
             ++ map formatModuleArgument rule.args
+            ++ [ "# ${rule.name} (order ${toString rule.order})" ]
           )))
           (concatStringsSep "\n")
         ];
diff --git a/nixos/tests/pam/test_chfn.py b/nixos/tests/pam/test_chfn.py
index 4fd33447a543..3cfbb3908e9d 100644
--- a/nixos/tests/pam/test_chfn.py
+++ b/nixos/tests/pam/test_chfn.py
@@ -15,9 +15,10 @@ expected_lines = {
 }
 actual_lines = set(machine.succeed("cat /etc/pam.d/chfn").splitlines())
 
-missing_lines = expected_lines - actual_lines
-extra_lines = actual_lines - expected_lines
-non_functional_lines = set([line for line in extra_lines if (line == "" or line.startswith("#"))])
+stripped_lines = set([line.split("#")[0].rstrip() for line in actual_lines])
+missing_lines = expected_lines - stripped_lines
+extra_lines = stripped_lines - expected_lines
+non_functional_lines = set([line for line in extra_lines if line == ""])
 unexpected_functional_lines = extra_lines - non_functional_lines
 
 with subtest("All expected lines are in the file"):