Debian README for libpam-net
To use libpam-net on Debian, simply run `pam-auth-update` after installing it and
select 'Create empty network namespace on login' and/or 'Join per-user network
namespace on login'. You can also use:
$ pam-auth-update --enable libpam-net-newnet libpam-net-usernet
to do so directly on the command line. See pam-auth-update(8) for more details.
This will enable libpam-net for both interactive and non-interactive
sessions. For example, both ssh logins and processes run through cron(8) will be
To enable libpam-net for a given user you should add them to the corresponding
group. For example:
$ adduser someuser newnet
means whenever 'someuser' logs in they will be placed in an empty network
On the other hand:
$ adduser someotheruser usernet
will place 'someotheruser' into an ip-netns(8) network namespace called
'someotheruser' on login. If this netns does not exist yet, it is created.
However, the idea is that you, the administrator, will set up the netns beforehand.
Note: When a user is in both the 'newnet' and 'usernet' groups and both PAM
modules are active, 'usernet' will take precedence.
We do this by giving the 'libpam-net-newnet' PAM profile a higher priority than
'libpam-net-usernet'. Though this sounds counterintuitive, it is correct: the
priority determines which entry comes first in `/etc/pam.d/common-*`, but the
last entry takes precedence because the entries are processed top to bottom.
-- Daniel Gröber <dxld@darkboxed.org>, Sun, 30 Sep 2018 00:18:25 +0200
Name: Create empty network namespace on login (for certain users)
Default: no
Priority: 10
Session-Type: Additional
optional pam_newnet.so
Name: Join per-user network namespace on login (for certain users)
Default: no
Priority: 0
Session-Type: Additional
optional pam_usernet.so
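Added example (not part of libpam-net or its Debian packaging): a check that a PAM stack file has the order the precedence note above relies on, with pam_newnet.so listed before pam_usernet.so. The function name `pam_net_order`, its result strings and the sample stack are constructed for illustration; point it at the file you want to audit, e.g. `/etc/pam.d/common-session`.

```shell
#!/bin/sh
# Added example, not part of libpam-net. Reports which libpam-net module
# comes last among the session lines of a PAM stack file. Per the README,
# the last entry takes precedence, so "usernet-last" is the expected result
# when both profiles are enabled.

pam_net_order() {
    awk '
        /^[ \t]*#/ { next }                            # ignore comment lines
        $1 == "session" || $1 == "-session" {
            for (i = 3; i <= NF; i++) {                # module follows type + control
                if ($i ~ /(^|\/)pam_newnet\.so$/)  newnet  = NR
                if ($i ~ /(^|\/)pam_usernet\.so$/) usernet = NR
            }
        }
        END {
            if (!newnet && !usernet)   print "none"
            else if (!usernet)         print "newnet-only"
            else if (!newnet)          print "usernet-only"
            else if (usernet > newnet) print "usernet-last"
            else                       print "newnet-last"
        }
    ' "$1"
}

# Constructed sample stack (not copied from a real system): Priority 10
# places pam_newnet.so above pam_usernet.so, which has Priority 0.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample, not a real system file
session	required	pam_unix.so
session	optional	pam_newnet.so
session	optional	pam_usernet.so
EOF
pam_net_order "$sample"
rm -f "$sample"
```

A result of `newnet-last` means a user in both groups would end up in the empty namespace instead of their per-user one, which is worth flagging after any manual edit of the stack.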
dh $@
dh_auto_configure -- --with-security-dir=/lib/$(DEB_HOST_MULTIARCH)/security
dh_auto_configure -- --with-libsecuritydir=/lib/$(DEB_HOST_MULTIARCH)/security