Releases: himmelblau-idm/himmelblau

0.9.4

07 Mar 21:41
9909238

What's Changed

  • Entra Id is case insensitive, cache lookup must match by @dmulder in #422

Full Changelog: 0.9.3...0.9.4

0.9.3

06 Mar 20:43
e2f9a06

What's Changed

  • Support CompanionAppsNotification mfa method by @dmulder in #416

Full Changelog: 0.9.2...0.9.3

0.9.2

05 Mar 21:48
28ac082

What's Changed

  • Add a QR code to the greeter, remove python deps, and fix tasks startup by @dmulder in #414

QR Code Greeter Instructions

To utilize the new QR code gnome-shell greeter extension, follow the instructions found in the wiki.

Full Changelog: 0.9.1...0.9.2

0.9.1

04 Mar 20:52
8c48655

What's Changed

Full Changelog: 0.9.0...0.9.1

0.9.0

03 Mar 15:51

What's Changed

  • Add profile photo fetching by @dmulder in #334
  • Rewrite the sso code in Rust by @dmulder in #335
  • Entra Id no longer permits SFA enrollment by @dmulder in #338
  • Support password changes when demanded by @dmulder in #344
  • deps(rust): update rusqlite requirement from ^0.32.0 to ^0.33.0 by @dependabot in #345
  • Fix libutf8proc dependency issue on Ubuntu 22.04 by @dmulder in #348
  • Fix GOA crash when krb5.conf doesn't include /etc/krb5.conf.d by @dmulder in #352
  • Add a span around server initialisation for correct log coalescing by @dmulder in #358
  • Use posix attributes synchronized from on-prem AD by @dmulder in #355
  • Map the extended attr gidNumber to primary group by @dmulder in #361
  • deps(rust): update rand requirement from ^0.8.5 to ^0.9.0 by @dependabot in #350
  • deps(rust): update gethostname requirement from 0.5.0 to 1.0.0 by @dependabot in #359
  • deps(rust): update lru requirement from ^0.12.3 to ^0.13.0 by @dependabot in #360
  • Only the himmelblau-sso package should conflict with intune-portal by @dmulder in #363
  • deps(rust): update libnss requirement from 0.8.0 to 0.9.0 by @dependabot in #362
  • Implement logon name script mapping by @dmulder in #289
  • Add Nix build definitions and a rudimentary NixOS module by @twoolie in #366
  • Docs and donations changes by @dmulder in #369
  • Various fixes for 0.9.x by @dmulder in #373
  • Add a sample himmelblau.conf in docs by @dmulder in #375
  • Move the NixOS CI to a different workflow (w/out main) by @dmulder in #376
  • Dramatically improve debug logging by @dmulder in #379
  • Add apparmor whitelisting for nss mapping cache by @dmulder in #380
  • Fetch user profile photo via tasks daemon by @dmulder in #381
  • deps(rust): bump cc from 1.2.14 to 1.2.15 by @dependabot in #382
  • deps(rust): bump anyhow from 1.0.95 to 1.0.96 by @dependabot in #383
  • deps(rust): bump clap from 4.5.30 to 4.5.31 by @dependabot in #384
  • deps(rust): bump clap_complete from 4.5.45 to 4.5.46 by @dependabot in #385
  • deps(rust): bump libc from 0.2.169 to 0.2.170 by @dependabot in #386
  • Resolve migration error real_gidnumber missing by @dmulder in #387
  • Ubuntu PAM module configuration to change PIN by @dmulder in #388
  • Utilize systemd notify to avoid tasks started fail by @dmulder in #391
  • Avoid modifying the cache entries by @dmulder in #392
  • Default to request group info via Edge browser by @dmulder in #394
  • Isolate the name mapping so it only happens if enabled by @dmulder in #395
  • Ensure tasks daemon creates files w/ correct gid by @dmulder in #396
  • Properly handle aad error from auth code req by @dmulder in #399
  • Document the requirements for app_id by @dmulder in #400
  • Provide a group gid fallback for rfc2307 id map by @dmulder in #398

New Contributors

Full Changelog: 0.8.7...0.9.0

0.9.0-beta.2

26 Feb 22:54
95f9aff
0.9.0-beta.2 Pre-release

What's Changed

  • Utilize systemd notify to avoid tasks started fail by @dmulder in #391
  • Avoid modifying the cache entries by @dmulder in #392
  • Default to request group info via Edge browser by @dmulder in #394
  • Isolate the name mapping so it only happens if enabled by @dmulder in #395
  • Ensure tasks daemon creates files w/ correct gid by @dmulder in #396

Full Changelog: 0.9.0-beta...0.9.0-beta2

0.9.0-beta

24 Feb 21:44
b8c4cda
0.9.0-beta Pre-release

What's Changed

  • Add profile photo fetching by @dmulder in #334
  • Rewrite the sso code in Rust by @dmulder in #335
  • Entra Id no longer permits SFA enrollment by @dmulder in #338
  • Support password changes when demanded by @dmulder in #344
  • deps(rust): update rusqlite requirement from ^0.32.0 to ^0.33.0 by @dependabot in #345
  • Fix libutf8proc dependency issue on Ubuntu 22.04 by @dmulder in #348
  • Fix GOA crash when krb5.conf doesn't include /etc/krb5.conf.d by @dmulder in #352
  • Add a span around server initialisation for correct log coalescing by @dmulder in #358
  • Use posix attributes synchronized from on-prem AD by @dmulder in #355
  • Map the extended attr gidNumber to primary group by @dmulder in #361
  • deps(rust): update rand requirement from ^0.8.5 to ^0.9.0 by @dependabot in #350
  • deps(rust): update gethostname requirement from 0.5.0 to 1.0.0 by @dependabot in #359
  • deps(rust): update lru requirement from ^0.12.3 to ^0.13.0 by @dependabot in #360
  • Only the himmelblau-sso package should conflict with intune-portal by @dmulder in #363
  • deps(rust): update libnss requirement from 0.8.0 to 0.9.0 by @dependabot in #362
  • Implement logon name script mapping by @dmulder in #289
  • Add Nix build definitions and a rudimentary NixOS module by @twoolie in #366
  • Docs and donations changes by @dmulder in #369
  • Various fixes for 0.9.x by @dmulder in #373
  • Add a sample himmelblau.conf in docs by @dmulder in #375
  • Move the NixOS CI to a different workflow (w/out main) by @dmulder in #376
  • Dramatically improve debug logging by @dmulder in #379
  • Add apparmor whitelisting for nss mapping cache by @dmulder in #380
  • Fetch user profile photo via tasks daemon by @dmulder in #381
  • deps(rust): bump cc from 1.2.14 to 1.2.15 by @dependabot in #382
  • deps(rust): bump anyhow from 1.0.95 to 1.0.96 by @dependabot in #383
  • deps(rust): bump clap from 4.5.30 to 4.5.31 by @dependabot in #384
  • deps(rust): bump clap_complete from 4.5.45 to 4.5.46 by @dependabot in #385
  • deps(rust): bump libc from 0.2.169 to 0.2.170 by @dependabot in #386
  • Resolve migration error real_gidnumber missing by @dmulder in #387
  • Ubuntu PAM module configuration to change PIN by @dmulder in #388

New Contributors

Full Changelog: 0.8.7...0.9.0-beta

0.8.7

21 Feb 18:50
943be27

What's Changed

Full Changelog: 0.8.6...0.8.7

0.8.6

12 Feb 16:04
8544c19

What's Changed

  • Fix libutf8proc dependency issue on Ubuntu 22.04 - stable-0.8.x by @dmulder in #349
  • Fix GOA crash when krb5.conf doesn't include /etc/krb5.conf.d - Stable 0.8.x by @dmulder in #354
  • Only the himmelblau-sso package should conflict with intune-portal by @dmulder in #364

Full Changelog: 0.8.3...0.8.6

0.8.3

23 Jan 15:25
a5e14f8

Impact

Two vulnerabilities were identified in Himmelblau versions 0.7.0 through 0.8.2:

  1. Logon Compliance Script Issue: When debug logging is enabled, user access tokens are inadvertently logged, potentially exposing sensitive authentication data.
  2. Kerberos CCache Issue: Similarly, Kerberos Ticket-Granting Tickets (TGTs) are logged when debug logging is enabled.

Both issues pose a risk of exposing sensitive credentials, particularly in environments where debug logging is enabled. Both share the same underlying cause and are resolved with a single patch.

Patches

The vulnerabilities have been addressed in Himmelblau version 0.8.3. All users are strongly encouraged to update to this version.

Workarounds

Users unable to update immediately can apply the following mitigations:

  1. For the logon compliance script issue, disable the logon_script option in /etc/himmelblau/himmelblau.conf:

    logon_script = 

    Ensure the debug option in the same configuration file is set to false:

    debug = false

    Additionally, avoid using the -d flag when starting the himmelblaud daemon.

  2. For the Kerberos CCache issue, disable debug logging globally by:

    • Setting the debug option in /etc/himmelblau/himmelblau.conf to false.
    • Avoiding the -d parameter when starting himmelblaud.
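
A way to verify that both workarounds are in place on a host. This is an added example, not part of the Himmelblau project or its release notes; the function names, the `[global]` header and the script path in the sample are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a himmelblau.conf against the workarounds above.
# Assumption: the file is read as plain `key = value` lines; section headers
# and comment lines (# or ;) are skipped. A key that is absent is not
# flagged, because the page does not state the defaults.

# Print one finding per line of file $1 that contradicts the workarounds.
audit_conf() {
    awk '
        /^[ \t]*([#;]|$)/ { next }                 # comments, blank lines
        {
            eq = index($0, "=")
            if (eq == 0) next                      # e.g. a [section] header
            k = substr($0, 1, eq - 1)
            v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == "debug" && tolower(v) != "false")
                printf "line %d: debug = %s (set to false)\n", NR, v
            if (k == "logon_script" && v != "")
                printf "line %d: logon_script is set (clear it)\n", NR
        }' "$1"
}

# Return 0 if the himmelblaud command line in $1 carries the -d flag.
cmdline_has_debug() {
    case " $1 " in
        *" -d "*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Constructed sample config (not from a real host); the script path is a
# placeholder.
sample=$(mktemp)
printf '%s\n' '[global]' 'debug = true' \
    'logon_script = /usr/local/bin/check.sh' > "$sample"
audit_conf "$sample"
```

On a host, point `audit_conf` at /etc/himmelblau/himmelblau.conf and pass each line of `pgrep -a himmelblaud` to `cmdline_has_debug`. Neither check inspects logs already written while debug logging was on.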

References

Package filtering

To download the latest packages for your distro, you can filter them here.