DOKK / manpages / debian 12 / libpam-net / pam_usernet.8.en
PAM_USERNET(8) System Manager's Manual PAM_USERNET(8)

pam_usernet - join the user own network namespace at login

pam_usernet.so

The pam_usernet PAM module allow each user in usernet group to have their own network namespace.

If a network namespace having the same name as the username exists, pam runs the user shell in that namespace. If such a namespace does does not exist, it is created during the login process.

The system administrator can create a network namespace for each user in usernet group. Each namespace must be named after each username. Users will get their own network namespace at login.

When pam_usernet is used together with a specific cado(1) configuration users can configure their own networking services. (see https://github.com/rd235/cado)

group=groupname

the module operates on users in the group groupname instead of newnet.

lodown

leave the localhost lo interface in the state DOWN.

rootshared

Leave the root filesystem / as shared so mounts can propagate out to the parent namespace. Warning: this feature can create security vulnerabilities if not properly used.

PAM_IGNORE

User does not belong to the usernet group.

PAM_ABORT

Error in retrieving the user id or in the namespace creation/joining.

PAM_SUCCESS

Success.

Add the following line to /etc/pam.d/sshd or /etc/pam.d/login

session required pam_usernet.so

pam.conf(5), pam.d(5), pam(7)

pam_usernet was written by Renzo Davoli and Eduard Caizer, University of Bologna

August 17, 2016 VirtualSquare Labs