Index | index by Group | index by Distribution | index by Vendor | index by creation date | index by Name | Mirrors | Help | Search |
Name: pam-himmelblau | Distribution: openSUSE Tumbleweed |
Version: 0.7.9+git.0.93655d2 | Vendor: openSUSE |
Release: 1.1 | Build date: Thu Dec 5 15:18:37 2024 |
Group: Productivity/Networking/Security | Build host: reproducible |
Size: 862744 | Source RPM: himmelblau-0.7.9+git.0.93655d2-1.1.src.rpm |
Packager: http://bugs.opensuse.org | |
Url: https://github.com/himmelblau-idm/himmelblau | |
Summary: Azure Entra Id authentication PAM module |
Himmelblau is an interoperability suite for Microsoft Azure Entra Id, which allows users to sign into a Linux machine using Azure Entra Id credentials.
GPL-3.0-or-later
* Thu Dec 05 2024 david.mulder@suse.com - Update to version 0.7.9+git.0.93655d2: * Version 0.7.9 * Update to the latest libhimmelblau * Version 0.7.8 * Add a himmelblau.conf man page, and package the man pages * Add DAG flow as a fallback for MFA * Mon Dec 02 2024 david.mulder@suse.com - Update to version 0.7.7+git.0.b48d0bb: * Version 0.7.7 * Fix CVE-2024-11738: rustls network-reachable panic in `Acceptor::accept` (bsc#1233949). * Version 0.7.6 * Enable module for utf8proc-devel in Rocky8 * Mon Nov 25 2024 david.mulder@suse.com - Update to version 0.7.5+git.0.8f421b0: * Version 0.7.5 * Remove the org.samba.himmelblau dbus service * Mon Nov 25 2024 david.mulder@suse.com - Update to version 0.7.4+git.0.d1291c6: * Version 0.7.4 * Fix missing dependency utf8proc_NFKC_Casefold * Package Siemens Linux Entra SSO for Himmelblau * Add SLE15SP6 packaging * Add Fedora 41 packaging * Add Fedora Rawhide packaging * The tasks daemon needs /etc/groups write access * Version 0.7.3 * Increase the cache timeout to 5 minutes * Always fetch and cache the graph url * Mon Nov 25 2024 david.mulder@suse.com - Update to version 0.7.2+git.0.c76ac0e: * Version 0.7.2 * Hello support depends on openssl3 * Version 0.7.1 * Fix sshd rpm depends * Resolve RPM dependencies automatically * Revert "deps(rust): update notify-debouncer-full requirement from 0.3 to 0.4" * Add openSUSE Tumbleweed packaging * Fix RPM packaging placement of systemd files * Remove the failed attempt at debian packaging * Add stable-0.7.x to CI workflows * deps(rust): update utoipa requirement from 4.0.0 to 4.2.0 * deps(rust): update hashbrown requirement from 0.14.0 to 0.15.1 * Remove missing feature causing warnings * deps(rust): update notify-debouncer-full requirement from 0.3 to 0.4 * Specify scopes when making an SSO request * Implement logon script for ensuring compliance * Option for adding Entra Id users to local groups * Configure EL sshd with ChallengeResponseAuthentication yes * Add rocky 8 packaging * Add RPM packaging for EL9 * Modify Ubuntu defaults to fix snaps * Resolve Libreoffice fails to start on Ubuntu * Minor formatting fix * Revert RwLock -> Arc<Mutex> change in idmap * Ignore broker scopes requests for now * Ensure every file specifies the proper license * postinst should not fail on patch or apparmor update * Install pam module to additional location via make * Add sshd config to the Makefile * Don't use sudo in postinst/postrm scripts for deb * PAM should be placed first in the stack * Add the libutf8proc-dev dep for deb * Match the object ID of the fake user and group * Make it possible to stop the broker service * Move sshd config into it's own debian package * Allow the graph to start w/out network * Add hello_pin_min_length conf option * Don't attempt SFA fallback if AADSTSError * Have libhimmelblau handle the DAG fallback * Add a warning to user that SSH needs restarted * Ensure local users are ignored when CN mapping * Ensure DAG is rejected if lifetime expires * Rework the poll logic to resolve timeout issues * Add a sshd soft depends for the deb package * CN name mapping in PAM and NSS * Make CN an optional home directory attribute * Remove the sssd build dependencies * Configuration patches for himmelblau on Debian * Simplify PAM get_item_string calls * Bug in pam which needs defended against * Fix deb build by adding Broker service file * WIP: Install Ubuntu unix-chkpwd apparmor deps * Ensure make install places pam_himmelblau correctly * Add Ubuntu pam-config for pam_himmelblau * Never return Err(PAM_SUCCESS) from get_user * Never return the Pam result from get_user() * Revert "Speed up nss requests w/out auth attempt" * Speed up nss requests w/out auth attempt * Fix some broker responses * Fixes for the dbus broker * Attempt to fix the cargo version in launchpad build * Makefile typo fixes * Version 0.7.0 * Add libdbus-1-dev dep * Improve the README installation instructions * Add `make install` command * Improve Debian/Ubuntu install instructions * Fix tag push permissions for tag-version workflow * Add a version check script * Remove the rustc dependency, breaking rustup * Add a debug option to the config * DBus requires that the service file match the name * Add a pam option for the OpenSSH 2876 workaround * Update to the latest libhimmelblau * Tue Oct 22 2024 david.mulder@suse.com - Update to version 0.6.14+git.0.bbda0b6: * Version 0.6.14 * postinst should not fail on patch or apparmor update * Version 0.6.13 * Don't use sudo in postinst/postrm scripts for deb * Version 0.6.12 * PAM should be placed first in the stack * Match the object ID of the fake user and group * Version 0.6.11 * Move sshd config into it's own debian package * Version 0.6.10 * Allow the graph to start w/out network * Add hello_pin_min_length conf option * Version 0.6.9 * Don't attempt SFA fallback if AADSTSError * Have libhimmelblau handle the DAG fallback * Add a warning to user that SSH needs restarted * Version 0.6.8 * Ensure local users are ignored when CN mapping * Ensure DAG is rejected if lifetime expires * Version 0.6.7 * Rework the poll logic to resolve timeout issues * Version 0.6.6 * Add a sshd soft depends for the deb package * CN name mapping in PAM and NSS * Version 0.6.5 * Make CN an optional home directory attribute * Version 0.6.4 * Add Ubuntu pam-config for pam_himmelblau * Configuration patches for himmelblau on Debian * Version 0.6.3 * Bug in pam which needs defended against * Version 0.6.2 * Never return the Pam result from get_user() * Correct installation directory of the deb pam module * Makefile typo fixes * Add libdbus-1-dev dep * Version 0.6.1 * Debian build requires libdbus-1-dev * Wed Oct 02 2024 david.mulder@suse.com - Update to version 0.6.0+git.0.b8dae18: * Attempt to fix the cargo version in launchpad build * Add branch stable-0.6.x to the workflows * Install the pam module to the proper location * Update README.md * Add a debug option to the config * Add a pam option for the OpenSSH 2876 workaround * Update to the latest libhimmelblau * Authorize all users when pam_allow_groups is empty * Fix clippy warnings * Fix pam echo not displayed via ssh * Fix pam failure to register Pin following mfa poll * Fork from kanidm * Version 0.6.0 * Add cargo deb build * Version 0.5.3 * Improve the README installation instructions * Add `make install` command * Improve Debian/Ubuntu install instructions * Fix tag push permissions for tag-version workflow * Version 0.5.2 * Add a version check script * Version 0.5.1 * Remove the rustc dependency, breaking rustup * Added Debian packaging workflow and files * Thu Sep 12 2024 William Brown <william.brown@suse.com> - explicitly depend on cargo to pull in latest compiler revision * Wed Sep 04 2024 david.mulder@suse.com - Update to version 0.5.0+git.0.22f84f0: * Update workflows for 0.5.x * Update Debian dependencies in README.md * Compilation fails on Ubuntu, missing ldb header * Fix base32 with kandim updates * deps(rust): update base32 requirement from ^0.4.0 to ^0.5.0 * deps(rust): update scim_proto requirement from ^0.2.1 to ^1.3.2 * deps(rust): update bindgen requirement from 0.69.4 to 0.70.1 * Fix CI failures caused by cargo 1.80.1 * Update to libhimmelblau version 0.2.9 * deps(rust): update rusqlite requirement from ^0.31.0 to ^0.32.0 * deps(rust): update tonic requirement from 0.11.0 to 0.12.0 * update libnss requirement from 0.7.0 to 0.8.0 * Switch to using libhimmelblau * himmelblaud stops working after suspend * Update required packages for tumbleweed * Disable the SFA fallback by default * Fix ConsolidatedTelephony MFA method * Use the group ID for the name if no display name * Use latest msal with MFA fixes * PhoneAppNotification is not a cred request algorithm * The polling_interval is in milliseconds, not seconds * OneWaySMS is additionally a valid OTP * Relicensing as GPL3, as SSSD source inclusion requires * Utilize the graph code in msal * config: Remove comments about experimental policy enforement * Remove the experimental policy code from the id provider * Fix a refresh token leak in debug from msal * Correct README details * Always normalize idmap upn inputs * Add video links to the README * Minor updates to the Contributing section * Add a Installation section to the README * Add the new SSSD idmap build deps to the README * Add a section about donations * Include the Samba Technical matrix channel * Add github workflows for the 0.4.x branch * Version 0.5.0 bump for main * Mon Jul 15 2024 david.mulder@suse.com - Update to version 0.4.3+git.2.6379abc: * Specifically use msal 0.2.6 * Version 0.4.3 * update libnss requirement from 0.7.0 to 0.8.0 * himmelblaud stops working after suspend * Version 0.4.2 * Fix ConsolidatedTelephony MFA method * Wed May 29 2024 david.mulder@suse.com - Update to version 0.4.1+git.0.41dd0dc: * Version 0.4.1 * Use latest msal with MFA fixes * PhoneAppNotification is not a cred request algorithm * The polling_interval is in milliseconds, not seconds * OneWaySMS is additionally a valid OTP * Relicensing as GPL3, as SSSD source inclusion requires * Wed May 22 2024 david.mulder@suse.com - Update to version 0.4.0+git.4.63e3704: * Fix a refresh token leak in debug from msal * Wed May 22 2024 david.mulder@suse.com - Update to version 0.4.0+git.2.7b57f5e: * Always normalize idmap upn inputs * Mon May 20 2024 david.mulder@suse.com - Update to version 0.4.0+git.0.69b64fe: * Add github workflows for the 0.4.x branch * Do not append to pam_allow_groups automatically * Pam Allow Groups must be specified by Object ID * Request the correct resource and permissions * Improve error output on group lookup failure * When faking a uuid for NSS, use a random uuid * Fix clippy warning about inefficient use of clone() * Remove the initial uid hack, use name mapping * Don't stop an MR based on a clippy warning * Update Kanidm tracking * Modify CI workflows to handle idmap build * Add CI job for cargo test * Test the new and legacy idmapping * Ensure duplicate providers are not started * Use the SSSD Idmap code in Himmelblau * Specify in conf that pam_allow_groups is required * Remove code duplication in Hello PIN auth * Fix Device authentication failed after enrollment * Update the base64urlsafedata version * Update README.md with Matrix contact info * Version 0.4.0 * Wed May 15 2024 david.mulder@suse.com - Update to version 0.3.4+git.0.01d099f: * Version 0.3.4 * Only remove cached user if it doesn't exist * Use existing user token at refresh * Always use the spn of the user for nss requests * Generate a fake user token to please SSH * Fix aad-tool to handle MFA * Fix lib_crypto version * Fix user dropping from NSS * Fri May 10 2024 david.mulder@suse.com - Himmelblau requires libopenssl-3 for PRT messages. * Thu May 09 2024 david.mulder@suse.com - Update to version 0.3.3+git.0.c2197d7: * Correct the debug messages for Hello skip * Version 0.3.3 * Allow disabling Hello PIN auth for enrolled users * Add an option for disabling Windows Hello * Remove the TODO doc from stable branch * config: Remove comments about experimental policy enforement * Tue May 07 2024 david.mulder@suse.com - Update to version 0.3.2+git.0.de9f5b5: * Version 0.3.2 * Fix Hello PIN Authentication error, no nonce * Mon Apr 29 2024 david.mulder@suse.com - Update to version 0.3.1+git.0.359a8d0: * Add github workflows for the 0.3.x branch * Fallback to SFA first if MFA fails Browse files * deps(rust): update libnss requirement from 0.6.0 to 0.7.0 * deps(rust): update webauthn-rs-proto requirement from 0.4.8 to 0.5.0 * Fix deadlock caused by client write lock * Add rid idmapping (replacing existing idmap) * Additional debug for Hello auth * Make proto Cargo.toml a physical file * Push the clippy arg count limit a little higher * Version 0.3.0 * Windows Hello PIN implementation * deps(rust): update hostname requirement from ^0.3.1 to ^0.4.0 * Enable actions on stable branches * Prevent dependabot from updating opentelemetry * Revert "deps(rust): update opentelemetry requirement from 0.20.0 to 0.22.0 (#93)" * deps(rust): update reqwest requirement from ^0.11.18 to ^0.12.2 (#95) * deps(rust): update lru requirement from ^0.8.0 to ^0.12.3 (#94) * deps(rust): update opentelemetry requirement from 0.20.0 to 0.22.0 (#93) * deps(rust): update num_enum requirement from ^0.5.11 to ^0.7.2 (#92) * deps(rust): update tonic requirement from 0.10.2 to 0.11.0 (#91) * Use the Kanidm MFA patches * deps(rust): update libnss requirement from 0.5.0 to 0.6.0 (#90) * deps(rust): update tracing-opentelemetry requirement (#89) * deps(rust): update rusqlite requirement from ^0.28.0 to ^0.31.0 (#88) * deps(rust): update clap requirement from ^3.2 to ^4.5 (#87) * deps(rust): update kanidm-hsm-crypto requirement from ^0.1.6 to ^0.2.0 (#86) * Update dependabot.yml * Add missing db dependency on sketching * Set the workspace resolver version to 2 * Init the kanidm submodule during workflows * Ignore clippy blocks_in_conditions warning in daemon * Add build/clippy/dependabot_automerge workflows * deps(rust): update opentelemetry-otlp requirement from 0.13.0 to 0.15.0 * deps(rust): update opentelemetry_sdk requirement from 0.20.0 to 0.22.1 * deps(rust): update base64 requirement from ^0.21.5 to ^0.22.0 * deps(rust): update notify-debouncer-full requirement from 0.1 to 0.3 * deps(rust): update systemd-journal-logger requirement * Create dependabot.yml * Add MFA capabilities * Update to the latest Kanidm reqs * Always force MFA when enrolling the device * Update to latest msal * Thu Feb 29 2024 dmulder@suse.com - Himmelblau provides the features found in aad-auth packages from other distros. * Tue Feb 20 2024 dmulder@suse.com - Update to version 0.2.0+git.4.904b915: * Update to latest msal * Version 0.2.0 * Himmelblau now authenticates only to configured domains * Remove reference to python-msal dep in README * Use the external MSAL crate for auth * Rename msal in prep for external msal crate * msal: Remove python msal bindings * msal: Rust msal * Point Cargo.toml to new project home * config: Write domain join to server specific config * idprovider: Invalidate cached user if PRT req fails * idprovider: Pass the keystore to the auth function * Update daemon from kanidm * test: Add a pause to ensure tasks daemon sees himmelblau * Update kanidm submodule * config: Include domain sections in configured domains * msal: Add acquire_token_by_refresh_token * enrollment: Authentication fixes * tests: Create the hsm-pin directory * idprovider: Add domain join debug * cargo: Use relative paths and remove most symlinks * idprovider: Allow group search when device is authenticated * msal: Move the application reqs from misc to msal::application * msal: Move user reqs from misc to msal::user * Remove duplicates from allow_groups during enrollment * Remove device enrollment from TODO * Implement Device enrollment * enrollment: Add the nonce service request * enrollment: Add enrollment service discovery * Implement ConfidentialClientApplication for enrollment * daemon: Fix inverted logic on cache dir check * nss: Use upstream nss package * idprovider: Provider auth needs to point to just the host * config: Consistently use the config file provided to the daemon * cargo: Use relative paths and remove most symlinks * clippy: Add kanidm's clippy config * config: Only check for tenant_id, authority, graph if necessary * Update README.md * Update version to 0.1.2 * config: Fix typos in the config file * Make most params to acquire_token_interactive optional * Config can take defaults * cli: Add missing cli opt file * cli: Improve aad-tool options and interface * Update README.md * tests: Fix tasks daemon name typo * Remove MFA from TODO * Fri Dec 22 2023 dmulder@suse.com - Update to version 0.1.1+git.10.4aa76b7: * daemon: Fix inverted logic on cache dir check * nss: Use upstream nss package * idprovider: Provider auth needs to point to just the host * config: Consistently use the config file provided to the daemon * cargo: Use relative paths and remove most symlinks * clippy: Add kanidm's clippy config * config: Only check for tenant_id, authority, graph if necessary * Correct the cargo version * Mon Nov 13 2023 dmulder@suse.com - Update to version 0.1.1+git.0.6d2f645: * config: Remove comments about experimental policy enforement * config: Fix typos in the config file * Tue Sep 26 2023 Jan Engelhardt <jengelh@inai.de> - Reduce size of expanded scriptlets by reducing %service_* calls - Wrap descriptions * Thu Sep 14 2023 david.mulder@suse.com - Update to version 0.1.0+git.2.2391ac0: * Update version to 0.1.0 * Update the README * idprovider: Fix mixed case auth failure * daemon: Port daemon changes from kanidm * provider: Skip provider init on silent auth and offline * daemon: Run himmelblaud as non-root dynamic user * Tue Sep 12 2023 david.mulder@suse.com - Update to version 0.0.4+git.50.112df77: * Always match DAG where present * Prohibit authentication with changing IDs * Fri Sep 08 2023 david.mulder@suse.com - Update to version 0.0.4+git.42.d641c8b: * Run cargo fmt and cargo clippy * Implement DeviceAuthorizationGrant for MFA * test: Initialize the pam_allow_groups with users * Use new pam state machine in himmelblau * Remove the non-functional device enrollment * TODO: New details regarding MS auth cache * daemon: Implement pam allow groups * Code rearrangement * Thu Aug 10 2023 dmulder@suse.com - Update to version 0.0.4+git.30.26c26e7: * aad-tool: Disable enrollment by default * provider: Fetch GECOS from old token on silent acquire * msal: Add bindings for device auth flow * Add debug for local user ignore * provider: Only retry auth if we're sure group read was requested * provider: Provide user token refresh * provider: Cause unix_group_get to respond with BadRequest * provider: Implement provider_authenticate * Tue Aug 08 2023 dmulder@suse.com - Update to version 0.0.4+git.9.a7c5ac2: * osc breaks with workspace errors using symlinks * gp: Disable MDM policies by default * Mon Aug 07 2023 dmulder@suse.com - Update to version 0.0.4+git.3.b500f1f: * Update serde version * Update version to 0.0.4 * Only build necessary bits of kanidm proto * Add cache operations to daemon and aad-tool * tests: Include local cache of rust deps * cache: Use the kanidm cache backend * Mon Jul 31 2023 dmulder@suse.com - Update to version 0.0.3+git.10.761b4d2: * gp: Apply chromium policies * gp: Implement Group Policy object listing * test: Fix build test failure * tests: Return the correct error code from tests * test: Separate project build from docker build * tests: Deploy config when testing * Tue Jul 18 2023 dmulder@suse.com - Update to version 0.0.3+git.3.f0883b1: * nss: Fix misaligned pointer dereference errors * Fix code links * Mon Jul 17 2023 dmulder@suse.com - Update to version 0.0.3+git.1.e6847eb: * Revert "nss: Use kanidm nss code" * Update lib versions to match package version * Shallow clone kanidm for pam/nss * tests: Fix tar recursion * Fri Jul 14 2023 dmulder@suse.com - Update to version 0.0.2+git.22.1c3ce4b: * Remove symlinks and just point to kanidm sources * nss: Use kanidm nss code * Add submodule commands to main Makefile * pam: Use kanidm pam code, glue into himmelblau * TODO: Only auth to configured domains * Mon Jul 10 2023 dmulder@suse.com - Update to version 0.0.2+git.15.d42b114: * aad-tool: Enroll via the daemon * config: Add func for requesting configured socket path * aad-tool: Improve enroll options * Mon Jul 10 2023 dmulder@suse.com - Update to version 0.0.2+git.11.91df240: * daemon: Add a systemd service * daemon: Don't request group read scope if using Intune * TODO: Mention the work needed for the cache * README: Include homedir creation instructions * daemon: If auth fails, indicate the user * Fri Jul 07 2023 dmulder@suse.com - Update to version 0.0.2+git.6.de1afd6: * test: Ensure invalid users aren't cached * test: Skip getent group tests failing due to nss issue * tests: Add nss tests * tests: Test pam auth * msal: Allow fetching auth url * Wed Jun 28 2023 dmulder@suse.com - Update to version 0.0.2+git.0.5bfbedd: * cache: Make the cache persistent * TODO: Cannot fudge an initial nss request * Use tracing for debug instead of log * aad-tool: Fix some build warnings * aad-tool: Add TODO comments regarding enrollment issues * aad-tool: Always use interactive enrollment * fix readme * aad-tool: Save the device_id after enrollment * aad-tool: Cannot enroll in Intune Portal directly * aad-tool: Parse the enrollment response * aad-tool: Add a enroll command for Azure AD device * memcache: Only append existing group member if missing * himmelblaud: Fix login when Intune errors on group read * memcache: Create a memcache for user and group caching * TODO: Group memberships * TODO: NSS requests via GET reqs * config: Include default for authority_host * config: Specify constants for defaults * Cleanup the build depencencies * TODO: Fix the headings * TODO: Add major reqs section * Cause the odc provider to supply the authority_host * TODO: Use tracing module * Include offline logon in todo list * Add a TODO list * Discover the tenant_id in the same manner as Intune * himmelblaud: Debug for unknown user/group * himmelblaud: Fix failure to cache user * himmelblaud: Pam Allowed and Sessions stubs * himmelblaud: Implement NssGroupByGid and NssAccountByUid * himmelblaud: Implement group lookups * Include the gecos in the mem cache * Use config for shell, homedir, uid range, tenant * Improve Developer Readme * config: Config should not default app_id * Remove invalid comment * himmelblaud: Return with failure without tenant_id * config: Move the config to unix_common module * himmelblaud: Make the socket path configurable * himmelblaud: Use Intune portal when app_id unset * Fri Jun 02 2023 dmulder@suse.com - Update to version 0.0.1+git.15.f9a024e: * Generate unix uid/gid * himmelblaud: Stubs for NssGroupByName and NssGroups * himmelblaud: Fix auth failure error message * himmelblaud: Open socket with permissions for users to read/write * msal: Fix nssaccountbyname lookup * himmelblaud: Improve logging * Include systemd journal logging * msal: Fix failure parsing user token dict * Implement simple NssAccountByName * Implement basic NssAccounts request * pam: Fix unused variable warning * himmelblaud: Rewrite the daemon in Rust * msal: Add a simple rust binding to python msal * Remove the python daemon in favor of Rust * Fri May 26 2023 dmulder@suse.com - Update to version 0.0.1+git.0.56eb9f0: * himmelblaud: Implement nss lookups in the daemon * himmelblaud: Allow anyone to r/w the socket * himmelblaud: Implement simple nss getpwent name * pam: Remove account allowed and being session impl * unix_common: UID and GID need not match * himmelblaud: Improve the debug output * himmelblaud: Remove stdout debug since logging to journald * himmelblaud: Log to the systemd journal * nss: Add the nss module * Improve directory structure
/usr/lib64/security/pam_himmelblau.so
Generated by rpm2html 1.8.1
Fabrice Bellet, Sat Dec 14 00:58:36 2024