
3.1.6


@dmulder dmulder released this 28 May 21:45

What's Changed

Authentication and MFA

  • Added automatic MFA fallback when the MFA method configured in himmelblau.conf is not available for the user account. Himmelblau now retries without forcing that method so Entra ID can use the account’s default available MFA option, preventing repeated password prompts and infinite retry loops. Fixes #1390.
  • Applied the MFA fallback path consistently across enrollment, Hello PIN reauthentication, and password-based authentication flows.
  • Added administrator-visible warning logs when Himmelblau falls back from an unavailable configured MFA method.

Hello, TOTP, and Token Cache Handling

  • Fixed stale Hello-bound TOTP and token cache entries after a Hello PIN change. When a replacement Hello key is provisioned, associated Hello PRT, refresh token, and TOTP secrets are now cleared so the next login can re-enroll cleanly instead of attempting to decrypt data sealed to the old key. Fixes #1393.
  • Extended full Hello cache clearing to remove Hello refresh token and Hello TOTP HSM entries, preventing stale secrets from surviving after the underlying Hello key material has been deleted.
  • Tightened transaction handling during Hello PIN replacement so cache changes are committed only after the provider update succeeds.

Reliability and Networking

  • Added a NetworkManager dispatcher hook that asynchronously restarts himmelblaud.service when real network interfaces go down. This mitigates cases where suspend/resume, dock removal, or network loss could leave PAM waiting indefinitely on a deadlocked daemon. Addresses #1206.
  • The dispatcher hook ignores loopback, container, bridge, tunnel, and other virtual interfaces to avoid unnecessary daemon restarts.
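
The following is an added example of a dispatcher script with the interface filtering described above. It is not Himmelblau's packaged script: the unit name himmelblaud.service comes from these notes, while the interface-name prefix list, the logger tag and the use of systemctl --no-block are assumptions made for the example.

```shell
#!/bin/sh
# Added example of a NetworkManager dispatcher script (not Himmelblau's packaged
# one). NetworkManager runs every executable in /etc/NetworkManager/dispatcher.d/
# as:  <script> <interface> <action>   (e.g. "enp3s0 down").
# Goal: restart the daemon only when a physical interface goes down; virtual
# interfaces (containers, bridges, tunnels, loopback) churn too often to matter.

SERVICE="${HIMMELBLAU_SERVICE:-himmelblaud.service}"   # unit name from the release notes

# is_virtual_name <iface>: true if the name alone identifies a virtual interface.
# The prefix list is an assumption for this example, not Himmelblau's list.
is_virtual_name() {
    case "$1" in
        lo|docker*|podman*|veth*|br-*|br[0-9]*|virbr*|vnet*|cni*|tun*|tap*|wg*|ppp*|vxlan*|dummy*)
            return 0 ;;
        *)  return 1 ;;
    esac
}

# is_virtual_sysfs <iface>: true if sysfs reports no backing hardware. Used only
# at run time as a second guard, because it cannot be exercised on every host.
is_virtual_sysfs() {
    [ -e "/sys/devices/virtual/net/$1" ]
}

# should_restart <iface> <action>: prints "restart" or "ignore" and returns 0/1.
# Pure function of its arguments so the decision logic can be tested in isolation.
should_restart() {
    iface="$1"; action="$2"
    case "$action" in
        down) ;;                      # only link loss matters (not up/dhcp/vpn events)
        *) echo ignore; return 1 ;;
    esac
    if [ -z "$iface" ] || is_virtual_name "$iface"; then
        echo ignore; return 1
    fi
    echo restart
    return 0
}

# Entry point when invoked by NetworkManager; does nothing without arguments.
if [ $# -ge 2 ]; then
    if should_restart "$1" "$2" >/dev/null && ! is_virtual_sysfs "$1"; then
        logger -t himmelblau-dispatcher "$1 went down; restarting $SERVICE"
        # --no-block: do not make NetworkManager wait for the restart to finish,
        # which is what "asynchronously" in the notes amounts to.
        systemctl --no-block restart "$SERVICE"
    fi
fi
```

To try it, install the file under /etc/NetworkManager/dispatcher.d/ owned by root, executable, and not writable by group or others (NetworkManager refuses to run scripts that fail those checks), then run it by hand as root with `enp3s0 down` and watch `journalctl -u himmelblaud.service`. The pure `should_restart` function is what to extend if a site has interface names the prefix list does not cover.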

SSH Authentication Compatibility

  • Renamed the packaged SSHD drop-in from himmelblau.conf to 30-himmelblau.conf so it loads before Fedora/RHEL’s 50-redhat.conf. sshd processes sshd_config.d/*.conf in lexical order and keeps the first value it reads for each keyword, so the unprefixed name sorted after 50-redhat.conf and its keyboard-interactive settings were silently overridden. With the new name, Himmelblau’s keyboard-interactive SSH authentication settings are applied correctly on those systems. Fixes #1348.
  • Applied the same SSHD drop-in naming convention to Debian packages for consistency across distributions.
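
The ordering problem behind the rename, reproduced offline as an added example (not Himmelblau's packaged config). It emulates sshd's first-value-wins rule over a scratch sshd_config.d directory; the keyword and the contents of the two drop-ins are constructed for the demonstration and do not reproduce the real 50-redhat.conf or Himmelblau's real drop-in.

```shell
#!/bin/sh
# Added example reproducing the drop-in ordering behind the rename above. It is not
# Himmelblau's packaged config; the drop-in contents are constructed for the demo.
#
# sshd reads `Include /etc/ssh/sshd_config.d/*.conf` in glob (lexical) order and
# keeps the FIRST value it sees for each keyword; later files cannot override it.

# first_value <dir> <keyword>: print the value sshd would end up with, or "unset".
first_value() {
    dir="$1"; key="$2"
    for f in "$dir"/*.conf; do              # pathname expansion is sorted, like glob(3)
        [ -f "$f" ] || continue
        # keywords are case-insensitive; comment lines never match on field 1
        v=$(awk -v k="$key" 'tolower($1) == tolower(k) { print $2; exit }' "$f")
        if [ -n "$v" ]; then
            echo "$v"
            return 0
        fi
    done
    echo unset
}

# make_layout <dir> <himmelblau-drop-in-name>: constructed stand-ins for the two
# files. Only the keyword under test is included; the real files carry more.
make_layout() {
    mkdir -p "$1"
    printf 'KbdInteractiveAuthentication no\n'  > "$1/50-redhat.conf"
    printf 'KbdInteractiveAuthentication yes\n' > "$1/$2"
}

# winner <himmelblau-drop-in-name>: the KbdInteractiveAuthentication value that
# survives when Himmelblau's drop-in carries that file name.
winner() {
    tmp=$(mktemp -d) || return 1
    make_layout "$tmp" "$1"
    first_value "$tmp" KbdInteractiveAuthentication
    rm -rf "$tmp"
}

for name in himmelblau.conf 30-himmelblau.conf; do
    echo "$name -> KbdInteractiveAuthentication $(winner "$name")"
done
```

On a real host the equivalent check is `ls /etc/ssh/sshd_config.d/` to see the include order and `sshd -T | grep -i kbdinteractiveauthentication` to see the value sshd actually resolved; any site-local drop-in that must beat 30-himmelblau.conf needs a lower numeric prefix.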

Security and Credential Handling

  • Changed HSM PIN credential sealing so the encrypted credential is bound to the TPM but no longer bound to PCR7. This avoids failures caused by Secure Boot certificate changes (such as db/dbx updates that roll out new UEFI CA certificates) that would otherwise alter PCR7 and prevent the HSM PIN from unsealing. The trade-off is that the credential still only unseals on the TPM that sealed it, but on that TPM it now unseals regardless of the Secure Boot state the machine booted with, so PCR7 no longer acts as a boot-integrity gate for the PIN.
  • Added seamless migration from the previous hsm-pin.enc credential to the new hsm-pin-nopcr.enc credential during HSM PIN initialization.
  • Updated systemd service generation to load the new hsm-pin-nopcr.enc credential path.

Desktop Compatibility

  • Added GNOME Shell 50 support for the QR greeter extension, restoring QR prompt handling and security-key image rendering on newer GNOME environments such as Ubuntu 26.04.

Packaging / Build / CI

  • Packaged the new NetworkManager dispatcher script for Debian and RPM-based builds.
  • Bumped the workspace version to 3.1.6.
  • Updated libhimmelblau to 0.8.20.
  • Updated Rust dependencies including ldap3_proto 0.6.2, openssl 0.10.80, rand 0.10.1, and tonic 0.14.6.
  • Added a local ldap3_proto override and updated cargo-vet supply-chain metadata for the backport.
  • Fixed fuzz CI by installing a pinned cargo-fuzz version instead of relying on the previous locked install behavior.

Documentation

  • No dedicated user-facing documentation changes were included in this release.

Known Issues

  • The NetworkManager dispatcher restart is a mitigation for #1206 rather than a full daemon-level deadlock fix. Systems that do not use NetworkManager, or failures not associated with real interface down events, may still require manual recovery.

Full Changelog: 3.1.5...3.1.6