3.1.7

Latest

@dmulder dmulder released this 11 Jun 15:53
· 258 commits to main since this release

What's Changed

Authentication and Device Enrollment

  • Added MFA retry handling for initial device enrollment when Entra rejects a registration token with strong-auth requirements such as AADSTS50072, AADSTS50074, or AADSTS50076.
  • First login and domain join can now continue with an MFA-backed token instead of failing with a generic domain-join error when tenant policy requires MFA for device registration. Fixes #1344.
  • Preserved existing passwordless, FIDO, remote-session, and console password-only policy behavior while forcing MFA only for the enrollment retry path.

Account Resolution, NSS, and PAM

  • Prevented known local-only account probes from being mapped to Entra UPNs or sent to GetCredentialType, including empty names, GDM greeter users, systemd service users, and the pam_unix non-existent-user sentinel.
  • Reduced the risk of Entra pre-authentication throttling and username-enumeration-style probes on large shared-egress deployments, where greeter or boot-time lookups could previously exhaust per-IP limits and disrupt real logins. Refs #1392.
  • Updated NSS, PAM, and CLI lookup paths to treat non-directory usernames as unknown locally instead of attempting cloud authentication.
  • Kept local /etc/passwd users authoritative, so explicitly defined local users still resolve locally even if their names overlap with the ignore list.
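The local-first resolution order described above (passwd wins, known local-only probes are answered as unknown without a cloud call, everything else may go to Entra), modelled as an added Rust example. This is not Himmelblau's own code; the passwd content, the ignore list and the sentinel placeholder are constructed for illustration.

```rust
use std::collections::HashSet;

#[derive(Debug, PartialEq, Eq)]
pub enum Resolution {
    /// Name is defined in /etc/passwd; the cloud is never consulted.
    Local,
    /// Name is a known local-only probe; answer "unknown" with no UPN mapping
    /// and no GetCredentialType request.
    UnknownLocally,
    /// Plausible directory user; may be mapped to a UPN and queried in Entra.
    Cloud,
}

/// Constructed sample of /etc/passwd (not taken from a real system).
pub const SAMPLE_PASSWD: &str = "root:x:0:0:root:/root:/bin/bash
gdm:x:120:120:Gnome Display Manager:/var/lib/gdm:/usr/sbin/nologin
alice:x:1001:1001::/home/alice:/bin/bash
";

/// Collect the login-name field of every passwd entry.
pub fn local_users(passwd: &str) -> HashSet<String> {
    passwd
        .lines()
        .filter_map(|line| line.split(':').next())
        .filter(|name| !name.is_empty())
        .map(str::to_string)
        .collect()
}

/// Assumed ignore list: greeter users, systemd service users and a placeholder
/// standing in for the pam_unix non-existent-user sentinel.
pub fn default_ignore_list() -> Vec<String> {
    ["gdm", "gnome-initial-setup", "systemd-network", "systemd-resolve", "<PAM_UNIX_SENTINEL>"]
        .iter()
        .map(|s| s.to_string())
        .collect()
}

pub fn resolve(name: &str, locals: &HashSet<String>, ignore: &[String]) -> Resolution {
    if locals.contains(name) {
        return Resolution::Local; // passwd is authoritative, even for ignore-list names
    }
    if name.is_empty() || name.starts_with("systemd-") || ignore.iter().any(|i| i == name) {
        return Resolution::UnknownLocally; // never reaches Entra, so it cannot count toward per-IP limits
    }
    Resolution::Cloud
}

/// How many of a batch of lookups (e.g. greeter or boot-time probes) would
/// still produce a cloud request under this policy.
pub fn cloud_calls(names: &[&str], locals: &HashSet<String>, ignore: &[String]) -> usize {
    names.iter().filter(|n| resolve(n, locals, ignore) == Resolution::Cloud).count()
}
```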

Remote Session Policy

  • Removed the hardcoded SSH fallback from password-only remote service detection.
  • SSH remains denied by default through password_only_remote_services_deny_list, but administrators can now intentionally allow SSH password-only handling by removing it from the configured deny list.

Browser SSO

  • Fixed Chrome SSO policy generation by adding the required Chrome Web Store update URL to ExtensionInstallForcelist.
  • This allows managed Chrome deployments to install and update the Himmelblau SSO extension correctly.

SELinux and Service Compatibility

  • Updated the SELinux policy for openSUSE Tumbleweed denials, including additional permissions for Himmelblau task execution paths.
  • Added SELinux allowances needed by Postfix queue-related services to inspect Himmelblau configuration and cache paths.

Packaging / Build / CI

  • Added a GitHub Actions workflow to automate Open Build Service stable-branch submissions for the network:idm/himmelblau package.
  • The OBS workflow validates credentials and required tooling, regenerates service-managed sources, submits changes through a temporary OBS branch, and cleans up failed branch projects.
  • Updated Rust dependencies, including libhimmelblau 0.8.20 to 0.8.22, zbus 5.15 to 5.16, serde_json, serde_with, uuid, hashbrown, rpassword, cc, and pastey.
  • Refreshed cargo-vet supply-chain audits for the updated dependency set.
  • Bumped the workspace release version from 3.1.6 to 3.1.7.

Documentation

  • No user-facing documentation changes were included in this release.

Full Changelog: 3.1.6...3.1.7