Provided by: libpam-net_0.3-2_amd64

NAME

       pam_newnet - create a new network namespace at login

SYNOPSIS

       pam_newnet.so

DESCRIPTION

       The pam_newnet PAM module creates a new network namespace at login for users in the newnet group.

       Users in the newnet group can log in through a network connection (e.g. by ssh), but their processes
       cannot communicate over the network. The only interface they can see is the localhost interface of
       the namespace created at login time.

       When pam_newnet is used together with a specific cado(1) configuration, users can configure their own
       networking services (see https://github.com/rd235/cado).

       The nsutils tools, and more specifically netnsjoin(1), allow users to assign placeholders to keep
       namespaces alive, assign meaningful tags for easier management, and later join any of their own
       namespaces (see https://github.com/rd235/nsutils).

OPTIONS

       group=groupname
           the module operates on users in the group groupname instead of newnet.

       lodown
           leave the localhost lo interface in the state DOWN.

RETURN VALUES

       PAM_IGNORE
           User does not belong to the newnet group.

       PAM_ABORT
           Error in retrieving the user id or in the namespace creation.

       PAM_SUCCESS
           Success.

EXAMPLES

       Add the following lines to /etc/pam.d/sshd or /etc/pam.d/login:

               session   required  pam_newnet.so

               session   required  pam_newnet.so group=lonet lodown
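
       The following check is an added example, not part of pam_newnet or its documentation. It lets an
       administrator confirm from inside a login session that only lo is visible and whether lodown took
       effect. The function name netns_verdict and its optional directory argument are assumptions.

```shell
#!/bin/sh
# Added example: report which network interfaces the current session can see.
# The optional argument (a sysfs-style directory) is an assumption of this
# example, so the check can also be run against a constructed tree.

IFF_UP=1   # interface flag bit 0x1 (IFF_UP) from <linux/if.h>

# Prints one verdict line and returns:
#   0  only lo is visible (the state pam_newnet sets up)
#   1  other interfaces are visible, so the session is not confined
#   2  no lo interface was found at all
netns_verdict() {
    sysfs="${1:-/sys/class/net}"
    have_lo=no
    others=""
    for d in "$sysfs"/*; do
        [ -d "$d" ] || continue      # skip plain files such as bonding_masters
        name=${d##*/}
        if [ "$name" = lo ]; then
            have_lo=yes
        else
            others="$others $name"
        fi
    done

    if [ -n "$others" ]; then
        echo "exposed:$others"
        return 1
    fi
    if [ "$have_lo" = no ]; then
        echo "no lo interface found"
        return 2
    fi

    # <sysfs>/lo/flags holds the interface flags in hex, e.g. 0x49 or 0x8.
    flags=$(cat "$sysfs/lo/flags")
    if [ $(( $flags & $IFF_UP )) -ne 0 ]; then
        echo "confined lo=UP"
    else
        echo "confined lo=DOWN"      # the state the lodown option leaves lo in
    fi
    return 0
}
```

       Source the file in a session of a user in the configured group and call netns_verdict with no
       argument. A non-zero return means the module did not confine that session.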

SEE ALSO

       pam.conf(5), pam.d(5), pam(7)

AUTHOR

       pam_newnet was written by Renzo Davoli and Eduard Caizer, University of Bologna

VirtualSquare Labs                               October 5, 2019                                   PAM_NEWNET(8)