| Index | index by Group | index by Distribution | index by Vendor | index by creation date | index by Name | Mirrors | Help | Search |
| Name: libnss_himmelblau2 | Distribution: openSUSE Tumbleweed |
| Version: 1.2.0+git.0.6befefc | Vendor: openSUSE |
| Release: 1.1 | Build date: Thu Aug 7 16:29:19 2025 |
| Group: Productivity/Networking/Security | Build host: reproducible |
| Size: 860865 | Source RPM: himmelblau-1.2.0+git.0.6befefc-1.1.src.rpm |
| Packager: https://bugs.opensuse.org | |
| Url: https://github.com/himmelblau-idm/himmelblau | |
| Summary: Azure Entra Id authentication NSS module | |
Himmelblau is an interoperability suite for Microsoft Azure Entra Id, which allows users to sign into a Linux machine using Azure Entra Id credentials.
GPL-3.0-or-later
* Thu Aug 07 2025 david.mulder@suse.com
- Update to version 1.2.0+git.0.6befefc:
* Version 1.2.0
* Fix Kerberos credential cache permissions; (bsc#1247735), (CVE-2025-54882)
* Set file owner and group before writing its content
* Ensure alias domains match when checking Intune device id
* Debian 12 doesn't support ConditionPathExists and notify-reload
* Write scripts policy to a readable directory
* Apply Intune policies right after enrollment
* Add more debug instrumentation
* Provide device_id to Intune enrollment if not cached
* Ensure nss cache directory is created during install
* Remove /var/cache/himmelblaud access from tasks daemon
* Resolve daemon startup absolute path warnings
* Version 1.1.0
* Delay Intune enrollment on Device Auth fail
* Do not leak the Intune IW service token in the logs
* Wed Jul 30 2025 david.mulder@suse.com
- Update to version 1.0.0+git.0.d01709b:
* Fix policy application
* Add remaining Linux password compliance policies
* Add custom compliance enforcement
* deps(rust): bump the all-cargo-updates group with 3 updates
* deps(rust): bump the all-cargo-updates group with 5 updates
* Add SLE15SP7 build target
* Add RHEL 10 build target
* Fix Intermittent auth issue AADSTSError 16000
* Remove old utf8proc dependency
* Add `fedora42` build target
* Handle PRT expiration and tie to offline auth
* Correctly delete the Hello keys on bad pin count
* Add ability to disable Hello PIN per-service
* Update NixOS support to 25.05
* Handle disabled device by attempting re-enrollment
* Always attempt confidential client creds for aad-tool
* Include HSM option defs in himmelblau.conf man page
* Update flake.nix
* Improve the aad-tool cache-clear command
* Add `mfaSshWorkaroundFlag` configuration option to Nix Flake.
* Add the ability to remove confidential client creds
* If bad PIN count is exceeded, delete the Hello key
* deps(rust): bump the all-cargo-updates group with 4 updates
* Add instructions for creating developer builds
* Fix GDM3 first time login password prompt
* Default HsmType should be soft
* Add himmelblaud to tss group for TPM startup
* Enforce strict order for the systemd units
* Update libhimmelblau and compact_jwt
* Fix builds w/tpm
* aad-tool Authentication flow improvements
* Filter out irrelevant debug in aad-tool
* Create a unified login experience for aad-tool
* Utilize confidential creds for aad-tool enumerate
* himmelblau should get posix attributes w/out delegate user access
* Always use the Object Id for mapping Group to GID
* Update enhancement-request.md for SPI donations
* Update bug_report.md with SPI donation
* deps(rust): bump the all-cargo-updates group with 4 updates
* Update build requires in README.md
* Enforce strict order for the systemd units
* Update FUNDING.yml with SPI Paypal donation button
* Don't break from tasks loop when policies fail
* Enroll in Intune as soon as it is enabled
* Implement `decoupled hello` behavior
* Cache encrypted PRT to disk for offline login SSO
* Update to latest hsm-crypto
* Enable tpm functionality
* Allow altering the password and PIN prompt messages
* Ensure Hello PIN lockout happens when online
* Cache the build target output to improve build times
* Easier build selection w/ Makefile
* Revert mistaken removal from Makefile
* Make the user wait longer with each incorrect PIN
* Make the bad PIN count configurable
* Improve aad-tool manpage
* aad-tool fails if the user has FIDO2 enabled
* Offline auth permits authentication with invalid Hello PIN
* PIN complexity to match Windows
* Update to latest SSSD idmap code
* Add aad-tool options for setting posix attrs
* Add scopes and redirect uris aad-tool application create
* Add aad-tool commands for managaging extension attrs
* deps(rust): bump the all-cargo-updates group with 4 updates
* cargo clippy
* cargo fmt
* Utilize the sidtoname call for object id mapping
* Add commands for listing/creating App registrations
* Potential fix for code scanning alert no. 2: Workflow does not contain permissions
* Potential fix for code scanning alert no. 4: Workflow does not contain permissions
* Potential fix for code scanning alert: Workflow does not contain permissions
* Never write the app_id to the server config
* Disable passwordless Fido by default
* Stop using deprecated `users` crate
* When group membership lookup fails, use cached groups
* deps(rust): bump the all-cargo-updates group across 1 directory with 11 updates
* deps(rust): bump the all-cargo-updates group with 4 updates
* aad-tool command for enumerating users and groups
* Name-Based Group Matching in `pam_allow_groups` Leads to Potential Security Bypass
* Add the configure-pam option to aad-tool man page
* Add static idmap cache for on-prem to cloud migration
* Update bug_report.md with request for himmelblau.conf
* deps(rust): bump the all-cargo-updates group with 2 updates
* Update crates in a group
* Update crate bumps
* Utilize new Intune compliance enforcement via libhimmelblau
* Correct the README regarding Intune policy compliance
* Disable Chromium policy
* Re-enable Intune policy and add scripts and compliance policies
* himmelblau.conf alias `domain` as `domains`
* Support Fido auth in pam passwd
* Add TAP support to himmelblaud and pam passwd
* Mixed case names should properly identify Hello Key
* Update linux-entra-sso to latest version
* Fix group lookup for Entra Id group name
* Fix mixed case name lookup from PRT cache
* Crate updates
* Fix tasks daemon debug output
* Remove write locks where unecessary
* Fix deadlock in nss
* systemd notify fixes
* Console
* Address Feedback
* Order services before gdb/nss-user-target
* deps(rust): bump rpassword from 7.3.1 to 7.4.0
* deps(rust): bump tokio from 1.44.2 to 1.45.0
* deps(rust): bump sha2 from 0.10.8 to 0.10.9
* deps(rust): bump systemd-journal-logger from 2.2.0 to 2.2.2
* deps(rust): bump clap from 4.5.31 to 4.5.38
* Update notify-debouncer-full
* Update opentelemetry
* Update dependencies
* deps(rust): bump time from 0.3.39 to 0.3.41
* Replace source filter that blacklists files with filter that whitelists files.
* Mark himmelblau.conf as config in rpm
* Update README.md
* Ensure only the base URL is printed to log
* If unix_user_get fails, wait, and try again
* Supplying a PRT cookie to SSO doesn't require network
* Don't send a password prompt if the network is down
* Auth via MFA if Hello PIN fails 3 times
* Improve Hello PIN failed auth error
* Fix rocky9 build
* deps(rust): bump anyhow from 1.0.96 to 1.0.98
* deps(rust): bump libc from 0.2.170 to 0.2.172
* deps(rust): bump cc from 1.2.16 to 1.2.19
* Update README.md
* deps(rust): bump tokio from 1.43.0 to 1.44.2
* deps(rust): bump openssl from 0.10.71 to 0.10.72 in the cargo group
* deps(rust): bump reqwest from 0.12.12 to 0.12.15
* Update libhimmelblau in Cargo.lock
* Fix nss and offline checks for domain aliases
* Report error when MS Authenticator denies authorization
* Bail out of invalid offline auth
* Handle AADSTS errors from BeginAuth response
* Never dump failed reqwests to the log
* Update sccache-action version to use new cache service
* Permit daemon to start when network is down
* Add an nss cache for when daemon is down
* Additional pam info cues
* Proceed with Hello auth even with net down
* Indicate to the user what the password and PIN are
* Ensure pam messages are seen
* Display the minimum PIN length during Hello setup
* PAM should loop, not die on error
* Ensure prompt msg remains for confirmation
* Update bug_report.md
* Ignore demands for setting up MS Authenticator
* Login fails if Entra is configured to recommend MS authenticator
* Add pam configure command to aad-tool
* Update README.md with pam passwd instructions
* aad-tool authtest needs to map names
* Update demo video in README.md
* Sign RPM packages
* Ensure the pam module is installed correctly for SLE
* Improve pam error handling and messaging
* Only push cachix builds for stable releases
* Terminate linux-entra-sso when browser terminates
* On deb, push pam config after install
* Increase priority of deb PAM passwd for Himmelblau
* Improve offline state handling
* Specify request for Entra Id password in PAM
* QR Greeter also supports gnome-shell 47
* Fix profile photo loading
* Clarify pam_allow_groups in himmelblau.conf man page
* Don't hide debug for pam_allow_groups miss
* Handle failures in passwordless auth
* build all root packages
* split config options that can be defined per-domain from those which are global only
* configure cachix signing and upload in ci
* deps(rust): bump serde_json from 1.0.138 to 1.0.140
* deps(rust): bump serde from 1.0.218 to 1.0.219
* deps(rust): bump time from 0.3.37 to 0.3.39
* deps(rust): bump bytes from 1.10.0 to 1.10.1
* deps(rust): bump pkg-config from 0.3.31 to 0.3.32
* Entra Id is case insensitive, cache lookup must match
* deps(rust): bump ring from 0.17.9 to 0.17.13 in the cargo group
* Support CompanionAppsNotification mfa method
* QR code for gnome-shell greeter
* Allow tasks to start if AccountsService dir missing
* Remove invalid python dependency from sso package
* Fixes https://github.com/himmelblau-idm/himmelblau/issues/397
* Clear server config when clearing cache
* Update version in the Cargo.lock
* deps(rust): bump async-trait from 0.1.86 to 0.1.87
* deps(rust): bump chrono from 0.4.39 to 0.4.40
* Fix himmelblau.conf man page cn_name_mapping entry
* deps(rust): bump pem from 3.0.4 to 3.0.5
* deps(rust): bump serde from 1.0.217 to 1.0.218
* Version 1.0.0
* deps(rust): bump cc from 1.2.15 to 1.2.16
* Update workflow versions
* Mon Jul 28 2025 david.mulder@suse.com
- Update to version 0.9.21+git.0.6963ee0:
* Fix authentication when passkeys are enabled
* Version 0.9.20
* Fix Intermittent auth issue AADSTSError 16000
* Version 0.9.19
* Disable cookies
* Version 0.9.18
* Cache the build target output to improve build times
* Easier build selection w/ Makefile
* Never write the app_id to the server config
* Thu Jun 26 2025 david.mulder@suse.com
- Update to version 0.9.17+git.0.4a97692:
* Version 0.9.17
* Offline auth permits authentication with invalid Hello PIN; (CVE-2025-53013).
* Cargo fmt
* Don't neglect to sign the rpm packages
* Tue Jun 17 2025 david.mulder@suse.com
- Update to version 0.9.16+git.0.aac2205:
* Disable passwordless Fido by default
* Stop using deprecated `users` crate
* Version 0.9.16
* When group membership lookup fails, use cached groups
* Just report whether some passwordless type is available
* Version 0.9.15
* Name-Based Group Matching in `pam_allow_groups` Leads to Potential Security Bypass
* Version 0.9.14
* Support Fido auth in pam passwd
* Add TAP support to himmelblaud and pam passwd
* Mixed case names should properly identify Hello Key
* Remove write locks where unecessary
* Fix group lookup for Entra Id group name
* Version 0.9.13
* Fix mixed case name lookup from PRT cache
* Tue May 20 2025 david.mulder@suse.com
- Update to version 0.9.12+git.0.99b5ca6:
* Version 0.9.12
* Fix deadlock in nss
* systemd notify fixes
* Tue Apr 29 2025 david.mulder@suse.com
- Update to version 0.9.11+git.0.04ef9c8:
* Ensure only the base URL is printed to log
* Version 0.9.11
* Supplying a PRT cookie to SSO doesn't require network
* Improve Hello PIN failed auth error
* Fix rocky9 build
* Fix nss and offline checks for domain aliases
* Report error when MS Authenticator denies authorization
* Bail out of invalid offline auth
* Handle AADSTS errors from BeginAuth response
* Never dump failed reqwests to the log
* Update sccache-action version to use new cache service
* Permit daemon to start when network is down
* Version 0.9.10
* Add an nss cache for when daemon is down
* Additional pam info cues
* Proceed with Hello auth even with net down
* Indicate to the user what the password and PIN are
* Specify request for Entra Id password in PAM
* Ensure pam messages are seen
* Display the minimum PIN length during Hello setup
* PAM should loop, not die on error
* Ensure prompt msg remains for confirmation
* Tue Apr 15 2025 david.mulder@suse.com
- Update to version 0.9.9+git.0.5425b98:
* Version 0.9.9
* Ignore demands for setting up MS Authenticator
* Thu Mar 20 2025 david.mulder@suse.com
- Update to version 0.9.8+git.0.3f20b1b:
* configure cachix signing and upload in ci
* Version 0.9.8
* Improve pam error handling and messaging
* Version 0.9.7
* Terminate linux-entra-sso when browser terminates
* On deb, push pam config after install
* Increase priority of deb PAM passwd for Himmelblau
* Improve offline state handling
* QR Greeter also supports gnome-shell 47
* Version 0.9.6
* Fix profile photo loading
* Clarify pam_allow_groups in himmelblau.conf man page
* Don't hide debug for pam_allow_groups miss
* Version 0.9.5
* Handle failures in passwordless auth
* Tue Mar 11 2025 david.mulder@suse.com
- Update to version 0.9.4+git.0.9909238:
* Version 0.9.4
* bump ring from 0.17.9 to 0.17.13
* Entra Id is case insensitive, cache lookup must match
* Support CompanionAppsNotification mfa method
* Version 0.9.2
* QR code for gnome-shell greeter
* Allow tasks to start if AccountsService dir missing
* Remove invalid python dependency from sso package
* Version 0.9.1
* himmelblaud-tasks stops due to missing dir
* Clear server config when clearing cache
* Fix himmelblau.conf man page cn_name_mapping entry
* Update workflow versions
* Document the requirements for app_id
* Properly handle aad error from auth code req
* Provide a group gid fallback for rfc2307 id map
* Remove option defs from the default debian himmelblau.conf
* Ensure tasks daemon creates files w/ correct gid
* Isolate the name mapping so it only happens if enabled
* Default to request group info via Edge browser
* Avoid modifying the cache entries
* Utilize systemd notify to avoid tasks started fail
* Ubuntu PAM module configuration to change PIN
* Resolve migration error `real_gidnumber` missing
* deps(rust): bump libc from 0.2.169 to 0.2.170
* deps(rust): bump clap_complete from 4.5.45 to 4.5.46
* Fix some clippy warnings
* Cause tasks daemon to honor configured debug
* Fetch user profile photo via tasks daemon
* deps(rust): bump clap from 4.5.30 to 4.5.31
* deps(rust): bump anyhow from 1.0.95 to 1.0.96
* deps(rust): bump cc from 1.2.14 to 1.2.15
* Add apparmor whitelisting for nss mapping cache
* Dramatically improve debug logging
* Move the NixOS CI to a different workflow (w/out main)
* Add a sample himmelblau.conf in docs
* Resolve missed auth code redirect
* Implement mapped name caching in NSS
* Add script on-behalf-of flow for logon scripts
* Update Cargo.lock deps
* Update installation instructions in the README
* Donation requests in the issue templates
* Update README.md with contribute badge
* Update README.md with contributions statement
* Create FUNDING.yml
* Update README.md
* fix failing test expecting /bin/echo to be available
* add nixos ci tests
* Use sd_notify to signal service readiness, prevent startup failures
* Add build command to Makefile
* Update documentation
* Add NixOS Module
* enable build with nix
* Implement logon name script mapping
* deps(rust): update libnss requirement from 0.8.0 to 0.9.0
* Only the himmelblau-sso package should conflict with intune-portal
* deps(rust): update gethostname requirement from 0.5.0 to 1.0.0
* deps(rust): update lru requirement from ^0.12.3 to ^0.13.0
* deps(rust): update rand requirement from ^0.8.5 to ^0.9.0
* Fetch the group extension attrs with the group object
* Ensure access token has the GroupMember.Read.All scope
* Replace the unix attribute option with a rfc2307 idmap
* Map the extended attr gidNumber to primary group
* Permit configuration of an Application for group fetching
* Use posix attributes synchronized from on-prem AD
* Fix debug option in himmelblau.conf
* Add a span around server initialisation for correct log coalescing
* Fix GOA crash when krb5.conf doesn't include /etc/krb5.conf.d
* Fix libutf8proc dependency issue on Ubuntu 22.04
* Fix Credentials leaking in the debug log
* deps(rust): update rusqlite requirement from ^0.32.0 to ^0.33.0 (#345)
* Decrease CI build time
* Fix CI failure caused by package revision
* Support password changes when demanded
* Update README.md
* Entra Id no longer permits SFA enrollment
* Rewrite the sso code in Rust
* Add profile photo fetching
* Version 0.9.0
* Mon Jan 27 2025 david.mulder@suse.com
- Update to version 0.8.3+git.5.1510f5a:
* Decrease CI build time
* Fix CI failure caused by package revision
* Version 0.8.4
* Fix libutf8proc dependency issue on Ubuntu 22.04
* Version 0.8.3
* Fix Credentials leaking in the debug log
* Fri Jan 17 2025 david.mulder@suse.com
- Update to version 0.8.2+git.0.553c632:
* Version 0.8.2
* Entra Id no longer permits SFA enrollment
* Remove SSO python dependencies
* Version 0.8.1
* Rewrite the sso code in Rust
* Thu Dec 19 2024 david.mulder@suse.com
- Update to version 0.8.0+git.0.249ba5f:
* Branch version stable-0.8.x
* Passwordless auth doesn't provide polling numbers
* Resolve deadlock introduced by Fido auth
* Implement NGC Passwordless authentication
* Remove unused commit checklist
* deps(rust): update bindgen requirement from 0.70.1 to 0.71.1
* Update libhimmelblau version
* Custom domains matching
* Fix IdmapError to indicate the failure
* Fix Fedora build dependencies
* Add Fido MFA
* Add Debian 12 packaging
* Disable SELinux labeling on build container volume mounts
* Update github CI dependencies
* Implement Hello Pin changes via PAM
* Formatting fix
* Utilize HimmelblauConfig directly in pam and nss
* Add config parsing unit tests
* Fix incorrect default domain
* Fix config hsm type Tpm error
* Include multi-domain important info in himmelblau.conf man
* Update to the latest libhimmelblau
* Add DAG flow as a fallback for MFA
* Fix CVE-2024-11738: rustls network-reachable panic in `Acceptor::accept`
* Update README.md with build requires
* Enable module for utf8proc-devel in Rocky8
* Remove the org.samba.himmelblau dbus service
* Fix missing dependency utf8proc_NFKC_Casefold
* The tasks daemon needs /etc/groups write access
* Revert "Fix Ubuntu PAM fallback to password prompt"
* Fix Ubuntu PAM fallback to password prompt
* Increase the cache timeout to 5 minutes
* Always fetch and cache the graph url
* Package Siemens Linux Entra SSO for Himmelblau
* Add Kerberos CCache support
* Update the tasks daemon man page
* Add a himmelblau.conf man page, and package the man pages
* Add SLE15SP6 packaging
* Add Fedora 41 packaging
* Add Fedora Rawhide packaging
* Provide enhancement request template
* Create an issue template
* Hello support depends on openssl3
* Fix sshd rpm depends
* Resolve RPM dependencies automatically
* Revert "deps(rust): update notify-debouncer-full requirement from 0.3 to 0.4"
* Add openSUSE Tumbleweed packaging
* Fix RPM packaging placement of systemd files
* Remove the failed attempt at debian packaging
* Add stable-0.7.x to CI workflows
* Version 0.8.0
* Thu Dec 12 2024 david.mulder@suse.com
- Update to version 0.7.13+git.0.d790d31:
* Version 0.7.13
* Fix Fedora build dependencies
* Version 0.7.12
* Add Debian 12 packaging
* Update github CI dependencies
* Version 0.7.11
* Implement Hello Pin changes via PAM
* Utilize HimmelblauConfig directly in pam and nss
* Version 0.7.10
* Add config parsing unit tests
* Fix incorrect default domain
* Fix config hsm type Tpm error
* Include multi-domain important info in himmelblau.conf man
* Thu Dec 05 2024 david.mulder@suse.com
- Update to version 0.7.9+git.0.93655d2:
* Version 0.7.9
* Update to the latest libhimmelblau
* Version 0.7.8
* Add a himmelblau.conf man page, and package the man pages
* Add DAG flow as a fallback for MFA
* Mon Dec 02 2024 david.mulder@suse.com
- Update to version 0.7.7+git.0.b48d0bb:
* Version 0.7.7
* Fix CVE-2024-11738: rustls network-reachable panic in `Acceptor::accept`
(bsc#1233949).
* Version 0.7.6
* Enable module for utf8proc-devel in Rocky8
* Mon Nov 25 2024 david.mulder@suse.com
- Update to version 0.7.5+git.0.8f421b0:
* Version 0.7.5
* Remove the org.samba.himmelblau dbus service
* Mon Nov 25 2024 david.mulder@suse.com
- Update to version 0.7.4+git.0.d1291c6:
* Version 0.7.4
* Fix missing dependency utf8proc_NFKC_Casefold
* Package Siemens Linux Entra SSO for Himmelblau
* Add SLE15SP6 packaging
* Add Fedora 41 packaging
* Add Fedora Rawhide packaging
* The tasks daemon needs /etc/groups write access
* Version 0.7.3
* Increase the cache timeout to 5 minutes
* Always fetch and cache the graph url
* Mon Nov 25 2024 david.mulder@suse.com
- Update to version 0.7.2+git.0.c76ac0e:
* Version 0.7.2
* Hello support depends on openssl3
* Version 0.7.1
* Fix sshd rpm depends
* Resolve RPM dependencies automatically
* Revert "deps(rust): update notify-debouncer-full requirement from 0.3 to 0.4"
* Add openSUSE Tumbleweed packaging
* Fix RPM packaging placement of systemd files
* Remove the failed attempt at debian packaging
* Add stable-0.7.x to CI workflows
* deps(rust): update utoipa requirement from 4.0.0 to 4.2.0
* deps(rust): update hashbrown requirement from 0.14.0 to 0.15.1
* Remove missing feature causing warnings
* deps(rust): update notify-debouncer-full requirement from 0.3 to 0.4
* Specify scopes when making an SSO request
* Implement logon script for ensuring compliance
* Option for adding Entra Id users to local groups
* Configure EL sshd with ChallengeResponseAuthentication yes
* Add rocky 8 packaging
* Add RPM packaging for EL9
* Modify Ubuntu defaults to fix snaps
* Resolve Libreoffice fails to start on Ubuntu
* Minor formatting fix
* Revert RwLock -> Arc<Mutex> change in idmap
* Ignore broker scopes requests for now
* Ensure every file specifies the proper license
* postinst should not fail on patch or apparmor update
* Install pam module to additional location via make
* Add sshd config to the Makefile
* Don't use sudo in postinst/postrm scripts for deb
* PAM should be placed first in the stack
* Add the libutf8proc-dev dep for deb
* Match the object ID of the fake user and group
* Make it possible to stop the broker service
* Move sshd config into it's own debian package
* Allow the graph to start w/out network
* Add hello_pin_min_length conf option
* Don't attempt SFA fallback if AADSTSError
* Have libhimmelblau handle the DAG fallback
* Add a warning to user that SSH needs restarted
* Ensure local users are ignored when CN mapping
* Ensure DAG is rejected if lifetime expires
* Rework the poll logic to resolve timeout issues
* Add a sshd soft depends for the deb package
* CN name mapping in PAM and NSS
* Make CN an optional home directory attribute
* Remove the sssd build dependencies
* Configuration patches for himmelblau on Debian
* Simplify PAM get_item_string calls
* Bug in pam which needs defended against
* Fix deb build by adding Broker service file
* Install Ubuntu unix-chkpwd apparmor deps
* Ensure make install places pam_himmelblau correctly
* Add Ubuntu pam-config for pam_himmelblau
* Never return Err(PAM_SUCCESS) from get_user
* Never return the Pam result from get_user()
* Revert "Speed up nss requests w/out auth attempt"
* Speed up nss requests w/out auth attempt
* Fix some broker responses
* Fixes for the dbus broker
* Attempt to fix the cargo version in launchpad build
* Makefile typo fixes
* Version 0.7.0
* Add libdbus-1-dev dep
* Improve the README installation instructions
* Add `make install` command
* Improve Debian/Ubuntu install instructions
* Fix tag push permissions for tag-version workflow
* Add a version check script
* Remove the rustc dependency, breaking rustup
* Add a debug option to the config
* DBus requires that the service file match the name
* Add a pam option for the OpenSSH 2876 workaround
* Update to the latest libhimmelblau
* Tue Oct 22 2024 david.mulder@suse.com
- Update to version 0.6.14+git.0.bbda0b6:
* Version 0.6.14
* postinst should not fail on patch or apparmor update
* Version 0.6.13
* Don't use sudo in postinst/postrm scripts for deb
* Version 0.6.12
* PAM should be placed first in the stack
* Match the object ID of the fake user and group
* Version 0.6.11
* Move sshd config into it's own debian package
* Version 0.6.10
* Allow the graph to start w/out network
* Add hello_pin_min_length conf option
* Version 0.6.9
* Don't attempt SFA fallback if AADSTSError
* Have libhimmelblau handle the DAG fallback
* Add a warning to user that SSH needs restarted
* Version 0.6.8
* Ensure local users are ignored when CN mapping
* Ensure DAG is rejected if lifetime expires
* Version 0.6.7
* Rework the poll logic to resolve timeout issues
* Version 0.6.6
* Add a sshd soft depends for the deb package
* CN name mapping in PAM and NSS
* Version 0.6.5
* Make CN an optional home directory attribute
* Version 0.6.4
* Add Ubuntu pam-config for pam_himmelblau
* Configuration patches for himmelblau on Debian
* Version 0.6.3
* Bug in pam which needs defended against
* Version 0.6.2
* Never return the Pam result from get_user()
* Correct installation directory of the deb pam module
* Makefile typo fixes
* Add libdbus-1-dev dep
* Version 0.6.1
* Debian build requires libdbus-1-dev
* Wed Oct 02 2024 david.mulder@suse.com
- Update to version 0.6.0+git.0.b8dae18:
* Attempt to fix the cargo version in launchpad build
* Add branch stable-0.6.x to the workflows
* Install the pam module to the proper location
* Update README.md
* Add a debug option to the config
* Add a pam option for the OpenSSH 2876 workaround
* Update to the latest libhimmelblau
* Authorize all users when pam_allow_groups is empty
* Fix clippy warnings
* Fix pam echo not displayed via ssh
* Fix pam failure to register Pin following mfa poll
* Fork from kanidm
* Version 0.6.0
* Add cargo deb build
* Version 0.5.3
* Improve the README installation instructions
* Add `make install` command
* Improve Debian/Ubuntu install instructions
* Fix tag push permissions for tag-version workflow
* Version 0.5.2
* Add a version check script
* Version 0.5.1
* Remove the rustc dependency, breaking rustup
* Added Debian packaging workflow and files
* Thu Sep 12 2024 William Brown <william.brown@suse.com>
- explicitly depend on cargo to pull in latest compiler revision
* Wed Sep 04 2024 david.mulder@suse.com
- Update to version 0.5.0+git.0.22f84f0:
* Update workflows for 0.5.x
* Update Debian dependencies in README.md
* Compilation fails on Ubuntu, missing ldb header
* Fix base32 with kandim updates
* deps(rust): update base32 requirement from ^0.4.0 to ^0.5.0
* deps(rust): update scim_proto requirement from ^0.2.1 to ^1.3.2
* deps(rust): update bindgen requirement from 0.69.4 to 0.70.1
* Fix CI failures caused by cargo 1.80.1
* Update to libhimmelblau version 0.2.9
* deps(rust): update rusqlite requirement from ^0.31.0 to ^0.32.0
* deps(rust): update tonic requirement from 0.11.0 to 0.12.0
* update libnss requirement from 0.7.0 to 0.8.0
* Switch to using libhimmelblau
* himmelblaud stops working after suspend
* Update required packages for tumbleweed
* Disable the SFA fallback by default
* Fix ConsolidatedTelephony MFA method
* Use the group ID for the name if no display name
* Use latest msal with MFA fixes
* PhoneAppNotification is not a cred request algorithm
* The polling_interval is in milliseconds, not seconds
* OneWaySMS is additionally a valid OTP
* Relicensing as GPL3, as SSSD source inclusion requires
* Utilize the graph code in msal
* config: Remove comments about experimental policy enforement
* Remove the experimental policy code from the id provider
* Fix a refresh token leak in debug from msal
* Correct README details
* Always normalize idmap upn inputs
* Add video links to the README
* Minor updates to the Contributing section
* Add a Installation section to the README
* Add the new SSSD idmap build deps to the README
* Add a section about donations
* Include the Samba Technical matrix channel
* Add github workflows for the 0.4.x branch
* Version 0.5.0 bump for main
* Mon Jul 15 2024 david.mulder@suse.com
- Update to version 0.4.3+git.2.6379abc:
* Specifically use msal 0.2.6
* Version 0.4.3
* update libnss requirement from 0.7.0 to 0.8.0
* himmelblaud stops working after suspend
* Version 0.4.2
* Fix ConsolidatedTelephony MFA method
* Wed May 29 2024 david.mulder@suse.com
- Update to version 0.4.1+git.0.41dd0dc:
* Version 0.4.1
* Use latest msal with MFA fixes
* PhoneAppNotification is not a cred request algorithm
* The polling_interval is in milliseconds, not seconds
* OneWaySMS is additionally a valid OTP
* Relicensing as GPL3, as SSSD source inclusion requires
* Wed May 22 2024 david.mulder@suse.com
- Update to version 0.4.0+git.4.63e3704:
* Fix a refresh token leak in debug from msal
* Wed May 22 2024 david.mulder@suse.com
- Update to version 0.4.0+git.2.7b57f5e:
* Always normalize idmap upn inputs
* Mon May 20 2024 david.mulder@suse.com
- Update to version 0.4.0+git.0.69b64fe:
* Add github workflows for the 0.4.x branch
* Do not append to pam_allow_groups automatically
* Pam Allow Groups must be specified by Object ID
* Request the correct resource and permissions
* Improve error output on group lookup failure
* When faking a uuid for NSS, use a random uuid
* Fix clippy warning about inefficient use of clone()
* Remove the initial uid hack, use name mapping
* Don't stop an MR based on a clippy warning
* Update Kanidm tracking
* Modify CI workflows to handle idmap build
* Add CI job for cargo test
* Test the new and legacy idmapping
* Ensure duplicate providers are not started
* Use the SSSD Idmap code in Himmelblau
* Specify in conf that pam_allow_groups is required
* Remove code duplication in Hello PIN auth
* Fix Device authentication failed after enrollment
* Update the base64urlsafedata version
* Update README.md with Matrix contact info
* Version 0.4.0
* Wed May 15 2024 david.mulder@suse.com
- Update to version 0.3.4+git.0.01d099f:
* Version 0.3.4
* Only remove cached user if it doesn't exist
* Use existing user token at refresh
* Always use the spn of the user for nss requests
* Generate a fake user token to please SSH
* Fix aad-tool to handle MFA
* Fix lib_crypto version
* Fix user dropping from NSS
* Fri May 10 2024 david.mulder@suse.com
- Himmelblau requires libopenssl-3 for PRT messages.
* Thu May 09 2024 david.mulder@suse.com
- Update to version 0.3.3+git.0.c2197d7:
* Correct the debug messages for Hello skip
* Version 0.3.3
* Allow disabling Hello PIN auth for enrolled users
* Add an option for disabling Windows Hello
* Remove the TODO doc from stable branch
* config: Remove comments about experimental policy enforement
* Tue May 07 2024 david.mulder@suse.com
- Update to version 0.3.2+git.0.de9f5b5:
* Version 0.3.2
* Fix Hello PIN Authentication error, no nonce
* Mon Apr 29 2024 david.mulder@suse.com
- Update to version 0.3.1+git.0.359a8d0:
* Add github workflows for the 0.3.x branch
* Fallback to SFA first if MFA fails Browse files
* deps(rust): update libnss requirement from 0.6.0 to 0.7.0
* deps(rust): update webauthn-rs-proto requirement from 0.4.8 to 0.5.0
* Fix deadlock caused by client write lock
* Add rid idmapping (replacing existing idmap)
* Additional debug for Hello auth
* Make proto Cargo.toml a physical file
* Push the clippy arg count limit a little higher
* Version 0.3.0
* Windows Hello PIN implementation
* deps(rust): update hostname requirement from ^0.3.1 to ^0.4.0
* Enable actions on stable branches
* Prevent dependabot from updating opentelemetry
* Revert "deps(rust): update opentelemetry requirement from 0.20.0 to 0.22.0 (#93)"
* deps(rust): update reqwest requirement from ^0.11.18 to ^0.12.2 (#95)
* deps(rust): update lru requirement from ^0.8.0 to ^0.12.3 (#94)
* deps(rust): update opentelemetry requirement from 0.20.0 to 0.22.0 (#93)
* deps(rust): update num_enum requirement from ^0.5.11 to ^0.7.2 (#92)
* deps(rust): update tonic requirement from 0.10.2 to 0.11.0 (#91)
* Use the Kanidm MFA patches
* deps(rust): update libnss requirement from 0.5.0 to 0.6.0 (#90)
* deps(rust): update tracing-opentelemetry requirement (#89)
* deps(rust): update rusqlite requirement from ^0.28.0 to ^0.31.0 (#88)
* deps(rust): update clap requirement from ^3.2 to ^4.5 (#87)
* deps(rust): update kanidm-hsm-crypto requirement from ^0.1.6 to ^0.2.0 (#86)
* Update dependabot.yml
* Add missing db dependency on sketching
* Set the workspace resolver version to 2
* Init the kanidm submodule during workflows
* Ignore clippy blocks_in_conditions warning in daemon
* Add build/clippy/dependabot_automerge workflows
* deps(rust): update opentelemetry-otlp requirement from 0.13.0 to 0.15.0
* deps(rust): update opentelemetry_sdk requirement from 0.20.0 to 0.22.1
* deps(rust): update base64 requirement from ^0.21.5 to ^0.22.0
* deps(rust): update notify-debouncer-full requirement from 0.1 to 0.3
* deps(rust): update systemd-journal-logger requirement
* Create dependabot.yml
* Add MFA capabilities
* Update to the latest Kanidm reqs
* Always force MFA when enrolling the device
* Update to latest msal
* Thu Feb 29 2024 dmulder@suse.com
- Himmelblau provides the features found in aad-auth packages from
other distros.
* Tue Feb 20 2024 dmulder@suse.com
- Update to version 0.2.0+git.4.904b915:
* Update to latest msal
* Version 0.2.0
* Himmelblau now authenticates only to configured domains
* Remove reference to python-msal dep in README
* Use the external MSAL crate for auth
* Rename msal in prep for external msal crate
* msal: Remove python msal bindings
* msal: Rust msal
* Point Cargo.toml to new project home
* config: Write domain join to server specific config
* idprovider: Invalidate cached user if PRT req fails
* idprovider: Pass the keystore to the auth function
* Update daemon from kanidm
* test: Add a pause to ensure tasks daemon sees himmelblau
* Update kanidm submodule
* config: Include domain sections in configured domains
* msal: Add acquire_token_by_refresh_token
* enrollment: Authentication fixes
* tests: Create the hsm-pin directory
* idprovider: Add domain join debug
* cargo: Use relative paths and remove most symlinks
* idprovider: Allow group search when device is authenticated
* msal: Move the application reqs from misc to msal::application
* msal: Move user reqs from misc to msal::user
* Remove duplicates from allow_groups during enrollment
* Remove device enrollment from TODO
* Implement Device enrollment
* enrollment: Add the nonce service request
* enrollment: Add enrollment service discovery
* Implement ConfidentialClientApplication for enrollment
* daemon: Fix inverted logic on cache dir check
* nss: Use upstream nss package
* idprovider: Provider auth needs to point to just the host
* config: Consistently use the config file provided to the daemon
* cargo: Use relative paths and remove most symlinks
* clippy: Add kanidm's clippy config
* config: Only check for tenant_id, authority, graph if necessary
* Update README.md
* Update version to 0.1.2
* config: Fix typos in the config file
* Make most params to acquire_token_interactive optional
* Config can take defaults
* cli: Add missing cli opt file
* cli: Improve aad-tool options and interface
* Update README.md
* tests: Fix tasks daemon name typo
* Remove MFA from TODO
* Fri Dec 22 2023 dmulder@suse.com
- Update to version 0.1.1+git.10.4aa76b7:
* daemon: Fix inverted logic on cache dir check
* nss: Use upstream nss package
* idprovider: Provider auth needs to point to just the host
* config: Consistently use the config file provided to the daemon
* cargo: Use relative paths and remove most symlinks
* clippy: Add kanidm's clippy config
* config: Only check for tenant_id, authority, graph if necessary
* Correct the cargo version
* Mon Nov 13 2023 dmulder@suse.com
- Update to version 0.1.1+git.0.6d2f645:
* config: Remove comments about experimental policy enforement
* config: Fix typos in the config file
* Tue Sep 26 2023 Jan Engelhardt <jengelh@inai.de>
- Reduce size of expanded scriptlets by reducing %service_* calls
- Wrap descriptions
* Thu Sep 14 2023 david.mulder@suse.com
- Update to version 0.1.0+git.2.2391ac0:
* Update version to 0.1.0
* Update the README
* idprovider: Fix mixed case auth failure
* daemon: Port daemon changes from kanidm
* provider: Skip provider init on silent auth and offline
* daemon: Run himmelblaud as non-root dynamic user
* Tue Sep 12 2023 david.mulder@suse.com
- Update to version 0.0.4+git.50.112df77:
* Always match DAG where present
* Prohibit authentication with changing IDs
* Fri Sep 08 2023 david.mulder@suse.com
- Update to version 0.0.4+git.42.d641c8b:
* Run cargo fmt and cargo clippy
* Implement DeviceAuthorizationGrant for MFA
* test: Initialize the pam_allow_groups with users
* Use new pam state machine in himmelblau
* Remove the non-functional device enrollment
* TODO: New details regarding MS auth cache
* daemon: Implement pam allow groups
* Code rearrangement
* Thu Aug 10 2023 dmulder@suse.com
- Update to version 0.0.4+git.30.26c26e7:
* aad-tool: Disable enrollment by default
* provider: Fetch GECOS from old token on silent acquire
* msal: Add bindings for device auth flow
* Add debug for local user ignore
* provider: Only retry auth if we're sure group read was requested
* provider: Provide user token refresh
* provider: Cause unix_group_get to respond with BadRequest
* provider: Implement provider_authenticate
* Tue Aug 08 2023 dmulder@suse.com
- Update to version 0.0.4+git.9.a7c5ac2:
* osc breaks with workspace errors using symlinks
* gp: Disable MDM policies by default
* Mon Aug 07 2023 dmulder@suse.com
- Update to version 0.0.4+git.3.b500f1f:
* Update serde version
* Update version to 0.0.4
* Only build necessary bits of kanidm proto
* Add cache operations to daemon and aad-tool
* tests: Include local cache of rust deps
* cache: Use the kanidm cache backend
* Mon Jul 31 2023 dmulder@suse.com
- Update to version 0.0.3+git.10.761b4d2:
* gp: Apply chromium policies
* gp: Implement Group Policy object listing
* test: Fix build test failure
* tests: Return the correct error code from tests
* test: Separate project build from docker build
* tests: Deploy config when testing
* Tue Jul 18 2023 dmulder@suse.com
- Update to version 0.0.3+git.3.f0883b1:
* nss: Fix misaligned pointer dereference errors
* Fix code links
* Mon Jul 17 2023 dmulder@suse.com
- Update to version 0.0.3+git.1.e6847eb:
* Revert "nss: Use kanidm nss code"
* Update lib versions to match package version
* Shallow clone kanidm for pam/nss
* tests: Fix tar recursion
* Fri Jul 14 2023 dmulder@suse.com
- Update to version 0.0.2+git.22.1c3ce4b:
* Remove symlinks and just point to kanidm sources
* nss: Use kanidm nss code
* Add submodule commands to main Makefile
* pam: Use kanidm pam code, glue into himmelblau
* TODO: Only auth to configured domains
* Mon Jul 10 2023 dmulder@suse.com
- Update to version 0.0.2+git.15.d42b114:
* aad-tool: Enroll via the daemon
* config: Add func for requesting configured socket path
* aad-tool: Improve enroll options
* Mon Jul 10 2023 dmulder@suse.com
- Update to version 0.0.2+git.11.91df240:
* daemon: Add a systemd service
* daemon: Don't request group read scope if using Intune
* TODO: Mention the work needed for the cache
* README: Include homedir creation instructions
* daemon: If auth fails, indicate the user
* Fri Jul 07 2023 dmulder@suse.com
- Update to version 0.0.2+git.6.de1afd6:
* test: Ensure invalid users aren't cached
* test: Skip getent group tests failing due to nss issue
* tests: Add nss tests
* tests: Test pam auth
* msal: Allow fetching auth url
* Wed Jun 28 2023 dmulder@suse.com
- Update to version 0.0.2+git.0.5bfbedd:
* cache: Make the cache persistent
* TODO: Cannot fudge an initial nss request
* Use tracing for debug instead of log
* aad-tool: Fix some build warnings
* aad-tool: Add TODO comments regarding enrollment issues
* aad-tool: Always use interactive enrollment
* fix readme
* aad-tool: Save the device_id after enrollment
* aad-tool: Cannot enroll in Intune Portal directly
* aad-tool: Parse the enrollment response
* aad-tool: Add a enroll command for Azure AD device
* memcache: Only append existing group member if missing
* himmelblaud: Fix login when Intune errors on group read
* memcache: Create a memcache for user and group caching
* TODO: Group memberships
* TODO: NSS requests via GET reqs
* config: Include default for authority_host
* config: Specify constants for defaults
* Cleanup the build depencencies
* TODO: Fix the headings
* TODO: Add major reqs section
* Cause the odc provider to supply the authority_host
* TODO: Use tracing module
* Include offline logon in todo list
* Add a TODO list
* Discover the tenant_id in the same manner as Intune
* himmelblaud: Debug for unknown user/group
* himmelblaud: Fix failure to cache user
* himmelblaud: Pam Allowed and Sessions stubs
* himmelblaud: Implement NssGroupByGid and NssAccountByUid
* himmelblaud: Implement group lookups
* Include the gecos in the mem cache
* Use config for shell, homedir, uid range, tenant
* Improve Developer Readme
* config: Config should not default app_id
* Remove invalid comment
* himmelblaud: Return with failure without tenant_id
* config: Move the config to unix_common module
* himmelblaud: Make the socket path configurable
* himmelblaud: Use Intune portal when app_id unset
* Fri Jun 02 2023 dmulder@suse.com
- Update to version 0.0.1+git.15.f9a024e:
* Generate unix uid/gid
* himmelblaud: Stubs for NssGroupByName and NssGroups
* himmelblaud: Fix auth failure error message
* himmelblaud: Open socket with permissions for users to read/write
* msal: Fix nssaccountbyname lookup
* himmelblaud: Improve logging
* Include systemd journal logging
* msal: Fix failure parsing user token dict
* Implement simple NssAccountByName
* Implement basic NssAccounts request
* pam: Fix unused variable warning
* himmelblaud: Rewrite the daemon in Rust
* msal: Add a simple rust binding to python msal
* Remove the python daemon in favor of Rust
* Fri May 26 2023 dmulder@suse.com
- Update to version 0.0.1+git.0.56eb9f0:
* himmelblaud: Implement nss lookups in the daemon
* himmelblaud: Allow anyone to r/w the socket
* himmelblaud: Implement simple nss getpwent name
* pam: Remove account allowed and being session impl
* unix_common: UID and GID need not match
* himmelblaud: Improve the debug output
* himmelblaud: Remove stdout debug since logging to journald
* himmelblaud: Log to the systemd journal
* nss: Add the nss module
* Improve directory structure
/usr/lib64/libnss_himmelblau.so.2
Generated by rpm2html 1.8.1
Fabrice Bellet, Sun Aug 10 23:04:37 2025