<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML><HEAD><TITLE>Man page of PAM_NEWNET</TITLE>
</HEAD><BODY>
<H1>PAM_NEWNET</H1>
Section: Maintenance Commands (8)<BR>Updated: October 5, 2019<BR><A HREF="#index">Index</A>
<A HREF="/#/man/index">Return to Main Contents</A><HR>
<A NAME="lbAB"> </A>
<H2>NAME</H2>
pam_newnet - create a new network namespace at login
<A NAME="lbAC"> </A>
<H2>SYNOPSIS</H2>
<B>pam_newnet.so</B>
<P>
<A NAME="lbAD"> </A>
<H2>DESCRIPTION</H2>
The pam_newnet PAM module creates a new network namespace at login for users in the
<I>newnet</I> group.
<P>
Users in the <I>newnet</I> group can log in through a
network connection (e.g. by ssh), but their processes cannot communicate over the network.
The only interface they can see is the localhost of the namespace created
at login time.
<P>
When pam_newnet is used together with a specific <B><A HREF="/#/man/man1/cado.1.html">cado</A>(1)</B> configuration,
users can configure their own networking services (see <A HREF="https://github.com/rd235/cado">https://github.com/rd235/cado</A>).
<P>
The nsutils tools, and more specifically <B><A HREF="/#/man/man1/netnsjoin.1.html">netnsjoin</A>(1)</B>, allow users to
assign placeholders to keep namespaces alive, assign meaningful tags for easier management,
and later join any of their own namespaces (see <A HREF="https://github.com/rd235/nsutils">https://github.com/rd235/nsutils</A>).
<P>
<A NAME="lbAE"> </A>
<H2>OPTIONS</H2>
<P>
<B>group=</B><I>groupname</I>
<DL COMPACT><DT><DD>
the module operates on users in the group <I>groupname</I> instead of <I>newnet</I>.
</DL>
<P>
<B>lodown</B>
<DL COMPACT><DT><DD>
leave the localhost <I>lo</I> interface in the state DOWN.
</DL>
<P>
<A NAME="lbAF"> </A>
<H2>RETURN VALUES</H2>
<P>
PAM_IGNORE
<DL COMPACT><DT><DD>
User does not belong to the <I>newnet</I> group.
</DL>
<P>
PAM_ABORT
<DL COMPACT><DT><DD>
Error in retrieving the user id or in the namespace creation.
</DL>
<P>
PAM_SUCCESS
<DL COMPACT><DT><DD>
Success.
</DL>
<A NAME="lbAG"> </A>
<H2>EXAMPLES</H2>
<P>
Add the following lines to
/etc/pam.d/sshd
or /etc/pam.d/login
<P>
<DL COMPACT><DT><DD>
session required pam_newnet.so
<P>
session required pam_newnet.so group=lonet lodown
</DL>
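<P>
After enabling the module, an administrator can confirm from inside a test login that the session really is confined to a loopback-only namespace. The script below is an added example, not part of pam_newnet; the function names and the two sample tables are constructed for illustration. It parses /proc/net/dev-format text and reports any interface other than <I>lo</I> (with <B>lodown</B>, <I>lo</I> is still listed, only in state DOWN).

```shell
#!/bin/sh
# Added example, not part of pam_newnet: check that a session sees only "lo".

# Read /proc/net/dev-format text on stdin; print every interface except "lo".
non_lo_interfaces() {
    awk 'NR > 2 {                  # the first two lines are column headers
        sub(/:.*/, "")             # keep the name before the colon
        gsub(/[ \t]/, "")          # names are right-aligned with padding
        if ($0 != "" && $0 != "lo") print
    }'
}

# Succeed (status 0) only when stdin lists no interface other than "lo".
only_loopback_visible() {
    extra=$(non_lo_interfaces)
    [ -z "$extra" ]
}

# Constructed sample: what a confined session is expected to show.
sample_confined() { cat <<'EOF'
Inter-|   Receive                        |  Transmit
 face |bytes packets errs drop fifo frame|bytes packets errs drop fifo colls
    lo:     0       0    0    0    0     0     0       0    0    0    0     0
EOF
}

# Constructed sample: a session that still sees host interfaces.
sample_host() { cat <<'EOF'
Inter-|   Receive                        |  Transmit
 face |bytes packets errs drop fifo frame|bytes packets errs drop fifo colls
    lo:  5120      64    0    0    0     0  5120      64    0    0    0     0
  eth0: 90210     701    0    0    0     0 48151     623    0    0    0     0
docker0:    0       0    0    0    0     0     0       0    0    0    0     0
EOF
}

# Live check: /proc/self/net/dev reflects the caller's own network namespace.
if [ -r /proc/self/net/dev ]; then
    if only_loopback_visible < /proc/self/net/dev; then
        echo "confined: only lo is visible"
    else
        echo "not confined: $(non_lo_interfaces < /proc/self/net/dev | tr '\n' ' ')"
    fi
fi
```

Run it as a member of the configured group over the same login path (ssh or console) whose PAM file was edited; a "not confined" result means the session line was not applied to that service.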
<P>
<A NAME="lbAH"> </A>
<H2>SEE ALSO</H2>
<P>
<B><A HREF="/#/man/man5/pam.conf.5.html">pam.conf</A></B>(5),
<B><A HREF="/#/man/man5/pam.d.5.html">pam.d</A></B>(5),
<B><A HREF="/#/man/man7/pam.7.html">pam</A></B>(7)
<A NAME="lbAI"> </A>
<H2>AUTHOR</H2>
<P>
pam_newnet was written by Renzo Davoli and Eduard Caizer, University of Bologna
<P>
<HR>
<A NAME="index"> </A><H2>Index</H2>
<DL>
<DT><A HREF="#lbAB">NAME</A><DD>
<DT><A HREF="#lbAC">SYNOPSIS</A><DD>
<DT><A HREF="#lbAD">DESCRIPTION</A><DD>
<DT><A HREF="#lbAE">OPTIONS</A><DD>
<DT><A HREF="#lbAF">RETURN VALUES</A><DD>
<DT><A HREF="#lbAG">EXAMPLES</A><DD>
<DT><A HREF="#lbAH">SEE ALSO</A><DD>
<DT><A HREF="#lbAI">AUTHOR</A><DD>
</DL>
<HR>
This document was created by
<A HREF="/cgi-bin/man/man2html">man2html</A>,
using the manual pages.<BR>
Time: 15:22:08 GMT, November 27, 2023
</BODY>
</HTML>