PAM_NEWNET(8) | System Manager's Manual | PAM_NEWNET(8) |
pam_newnet - create a new network namespace at login
pam_newnet.so
The pam_newnet PAM module creates a new network namespace at login for users in the newnet group.
Users in the newnet group can log in through a network connection (e.g. by ssh) but their processes cannot communicate. The only interface they can see is the localhost of the namespace created at login time.
When pam_newnet is used together with a specific cado(1) configuration, users can configure their own networking services (see https://github.com/rd235/cado).
The nsutils tools, and more specifically netnsjoin(1), allow users to assign placeholders to keep namespaces alive, assign meaningful tags for easier management, and later join any of their own namespaces (see https://github.com/rd235/nsutils).
group=groupname
lodown
PAM_IGNORE
PAM_ABORT
PAM_SUCCESS
Add the following line to /etc/pam.d/sshd or /etc/pam.d/login:
session required pam_newnet.so group=lonet lodown
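One way to confirm the confinement from inside a login session, as an added example that is not part of the original manual page or of the pam_newnet project: the helper functions below (hypothetical names) read /proc/net/dev, which is resolved per process and therefore lists the interfaces of the calling shell's own network namespace, and report whether loopback is the only interface visible.

```shell
#!/bin/sh
# Added example (not from the pam_newnet project). Function names are
# hypothetical. /proc/net is a link to /proc/self/net, so /proc/net/dev
# shows the interfaces of the network namespace of the reading process.

# Print the interface names found in a /proc/net/dev style file.
# The first two lines are column headers; every later line has the
# form "  name: counters...".
visible_ifaces() {
    awk -F: 'NR > 2 { gsub(/[ \t]/, "", $1); if ($1 != "") print $1 }' \
        "${1:-/proc/net/dev}"
}

# Succeed only when loopback is the sole interface listed.
only_loopback() {
    ifaces=$(visible_ifaces "${1:-/proc/net/dev}" | sort | tr '\n' ' ')
    [ "$ifaces" = "lo " ]
}

# Print a one-line verdict for the current session, or for the file
# given as $1, and return non-zero when other interfaces are visible.
report_session() {
    if only_loopback "${1:-/proc/net/dev}"; then
        echo "isolated: only lo is visible"
    else
        echo "not isolated: $(visible_ifaces "${1:-/proc/net/dev}" | tr '\n' ' ')"
        return 1
    fi
}
```

Source the file in a session opened by a member of the configured group and run report_session; the same call from an account outside the group should list the host's interfaces.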
pam_newnet was written by Renzo Davoli and Eduard Caizer, University of Bologna
October 5, 2019 | VirtualSquare Labs |