Debian README for libpam-net
============================

To use libpam-net on Debian simply run `pam-auth-update` after installing it
and select 'Create empty network namespace on login' and/or 'Join per-user
network namespace on login'. You can also use:

    $ pam-auth-update --enable libpam-net-newnet libpam-net-usernet

to do so directly on the command line. See pam-auth-update(8) for more details.

This will enable libpam-net for both interactive and non-interactive sessions.
For example, both ssh logins and processes run through cron(8) will be
affected.

To enable libpam-net for a given user you should add them to the corresponding
group. For example:

    $ adduser someuser newnet

means whenever 'someuser' logs in they will be placed in an empty network
namespace. On the other hand:

    $ adduser someotheruser usernet

will place 'someotheruser' into an ip-netns(8) called 'someotheruser' on login.
If this netns does not exist yet, it is created. However, the idea is that you,
the administrator, will set up the netns beforehand.

Note: When a user is in both the 'newnet' and 'usernet' groups and both PAM
modules are active, 'usernet' will take precedence. We do this by giving the
'libpam-net-newnet' PAM profile a higher priority than 'libpam-net-usernet'.
Though this sounds counterintuitive, it is correct: the priority determines
which entry comes first in `/etc/pam.d/common-*`, but the last entry will take
precedence as they are processed top to bottom.

 -- Daniel Gröber, Sun, 30 Sep 2018 00:18:25 +0200
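
The README expects the administrator to set up each per-user netns before the user logs in. The audit script below is an added example, not part of libpam-net or its Debian packaging. It assumes membership of 'newnet' and 'usernet' is listed in an /etc/group-style file and that named namespaces appear under /run/netns as with ip-netns(8); the function names and sample users are made up for illustration.

```shell
#!/bin/sh
# Added example, not part of libpam-net: audit the 'newnet'/'usernet' groups.
# Assumptions: /etc/group-style file; named netns live under /run/netns.

# members GROUP GROUPFILE: print the group's listed members, one per line.
members() {
    awk -F: -v g="$1" '$1 == g {
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
    }' "$2"
}

# audit_pam_net [GROUPFILE] [NETNSDIR]: report what each user gets on login.
audit_pam_net() {
    groupfile=${1:-/etc/group}
    netnsdir=${2:-/run/netns}
    usernet=$(members usernet "$groupfile")
    for u in $(members newnet "$groupfile"); do
        if printf '%s\n' "$usernet" | grep -qxF -- "$u"; then
            echo "BOTH $u: also in usernet, which takes precedence"
        else
            echo "NEWNET $u: empty network namespace on login"
        fi
    done
    for u in $usernet; do
        if [ -e "$netnsdir/$u" ]; then
            echo "OK $u: netns '$u' is set up"
        else
            echo "MISSING $u: netns '$u' absent, will be created on login"
        fi
    done
}

# demo: run the audit over constructed sample data (no real users involved).
demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/netns" && : > "$d/netns/bob"
    printf '%s\n' 'newnet:x:1001:alice,carol' 'usernet:x:1002:bob,carol,dave' > "$d/group"
    audit_pam_net "$d/group" "$d/netns"
    rm -rf "$d"
}

demo
```

On a real system, call `audit_pam_net` with no arguments to read /etc/group and /run/netns. A MISSING line marks a user whose namespace would be created at login rather than set up by the administrator.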