File: README.Debian

libpam-net 0.4-1
  • area: main
  • in suites: forky, sid, trixie
  • size: 140 kB
  • sloc: ansic: 394; makefile: 9
Debian README for libpam-net
============================

To use libpam-net on Debian, simply run `pam-auth-update` after installing it
and select 'Create empty network namespace on login' and/or 'Join per-user
network namespace on login'. You can also use:

    $ pam-auth-update --enable libpam-net-newnet libpam-net-usernet

to do so directly on the command line. See pam-auth-update(8) for more details.

This will enable libpam-net for both interactive and non-interactive
sessions. For example, both ssh logins and processes run through cron(8) will
be affected.

To enable libpam-net for a given user you should add them to the corresponding
group. For example:

    $ adduser someuser newnet

means that whenever 'someuser' logs in, they will be placed in an empty network
namespace.

On the other hand:

    $ adduser someotheruser usernet

will place 'someotheruser' into an ip-netns(8) called 'someotheruser' on
login. If this netns does not exist yet, it is created. However, the idea is
that you, the administrator, will set up the netns beforehand.

Note: When a user is in both the 'newnet' and 'usernet' groups and both PAM
modules are active, 'usernet' will take precedence.

We do this by giving the 'libpam-net-newnet' PAM profile a higher priority than
'libpam-net-usernet'. Though this sounds counterintuitive, it is correct: the
priority determines which entry comes first in `/etc/pam.d/common-*`, but the
last entry takes precedence because the entries are processed top to bottom.

 -- Daniel Gröber <dxld@darkboxed.org>, Sun, 30 Sep 2018 00:18:25 +0200
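
The precedence rule above can be checked against a generated PAM file. The script below is an added example, not part of the original README or the package: it assumes the modules appear as `pam_newnet.so` and `pam_usernet.so`, the function names are hypothetical, and "host" is this example's label for a session left in the login service's namespace.

```shell
#!/bin/sh
# Assumption: module file names pam_newnet.so / pam_usernet.so (not stated
# in the README). Function names are hypothetical.

# List the active libpam-net session modules in processing order.
active_modules() {
    # $1: PAM config file, e.g. /etc/pam.d/common-session
    sed -e 's/#.*//' "$1" | awk '
        $1 == "session" || $1 == "-session" {
            for (i = 3; i <= NF; i++) {
                n = split($i, p, "/")        # accept absolute module paths
                if (p[n] == "pam_newnet.so")  print "newnet"
                if (p[n] == "pam_usernet.so") print "usernet"
            }
        }'
}

# Predict where a login lands: "host", "empty" or "netns:<user>".
effective_netns() {
    # $1: user, $2: space-separated group list, $3: PAM config file
    result="host"
    for mod in $(active_modules "$3"); do
        case " $2 " in
            *" $mod "*)
                # Entries are processed top to bottom, so a later module
                # that applies to this user overrides an earlier one.
                if [ "$mod" = usernet ]; then
                    result="netns:$1"
                else
                    result="empty"
                fi ;;
        esac
    done
    echo "$result"
}

# Constructed sample input (not copied from a real system).
sample=$(mktemp)
cat > "$sample" <<'EOF'
session required pam_unix.so
session optional pam_newnet.so
session optional pam_usernet.so
EOF
effective_netns alice "alice newnet usernet" "$sample"
effective_netns bob   "bob newnet"           "$sample"
effective_netns carol "carol"                "$sample"
rm -f "$sample"
```

On a live system, pass `"$(id -nG "$user")"` as the group list and `/etc/pam.d/common-session` as the file to audit accounts after changing profiles or group membership.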