Skip to content

2.3.12

Choose a tag to compare

View all tags
@dmulder dmulder released this 01 Jun 20:30
· 831 commits to main since this release
2.3.12
9d56c6f

What's Changed

Security and Credential Handling

  • Changed encrypted HSM PIN credentials so they are no longer sealed to TPM PCR7. This avoids authentication breakage when Secure Boot certificate updates change PCR7 values, while still using systemd credential encryption with host/TPM-backed protection where available.
  • Added automatic migration from the previous hsm-pin.enc credential to the new hsm-pin-nopcr.enc credential. Existing installations should migrate without manual PIN regeneration.
  • Updated the default encrypted HSM PIN path and generated systemd service files to use hsm-pin-nopcr.enc.

Authentication and Login Compatibility

  • Fixed SSH login support on Fedora and RHEL systems by renaming the packaged SSHD configuration drop-in to 30-himmelblau.conf, ensuring it is read before Red Hat’s default 50-redhat.conf. This restores Himmelblau’s keyboard-interactive authentication behavior where the distro default disabled it. Fixes #1348.
  • Updated the QR greeter extension to support GNOME Shell 49 and 50, including Ubuntu 26.04 environments using GNOME Shell 50. This allows FIDO/security-key prompts and QR-related greeter rendering to work on newer GNOME releases.
  • Enabled the QR greeter extension for the GNOME unlock dialog in addition to GDM, improving consistency between initial login and unlock flows.

Packaging / Build / CI

  • Updated Debian and RPM himmelblau-sshd-config package assets to install the SSHD drop-in as 30-himmelblau.conf.
  • Pinned cargo-fuzz to version 0.13.1 in fuzzing workflows to avoid CI failures caused by installing an incompatible or broken latest release.
  • Bumped the workspace version to 2.3.12.
  • Updated Rust dependencies, including libhimmelblau 0.8.20, tonic 0.14.6, ldap3_proto 0.7.1, openssl 0.10.80, openssl-sys 0.9.116, rand 0.8.6, rustls-webpki 0.103.13, and related transitive packages.
  • Added a compatibility override so existing code depending on ldap3_proto 0.6.2 can re-export the updated 0.7.x implementation without broader source changes.
  • Refreshed cargo-vet and supply-chain audit metadata for the updated dependency set.

Documentation

  • Corrected the example himmelblau.conf to document domain instead of the obsolete or misleading domains setting.
  • Removed invalid domain-specific configuration examples from himmelblau.conf.example, reducing the chance that administrators copy unsupported configuration blocks.

Full Changelog: 2.3.11...2.3.12

Assets 2
Loading