Home
Welcome to the Himmelblau wiki!
The following distributions are currently supported:
| Distribution | Version |
|---|---|
| openSUSE | openSUSE Tumbleweed |
The following distributions have experimental packages available, but are not currently supported:
| Distribution | Version |
|---|---|
| openSUSE | openSUSE Leap 15.4+ |
| SUSE Linux Enterprise | 15 SP4+ |
Himmelblau provides the necessary tools and utilities to enable authentication with Azure Entra ID.
On openSUSE Tumbleweed, refresh the repos and install himmelblau:
```shell
sudo zypper ref && sudo zypper in himmelblau nss-himmelblau pam-himmelblau
```
On openSUSE Leap and SUSE Linux Enterprise, add the experimental repo and install himmelblau:
```shell
# For Leap 15.6 or SUSE Linux Enterprise 15 SP6:
sudo zypper ar https://download.opensuse.org/repositories/network:/idm/15.6/network:idm.repo
# For Leap 15.5 or SUSE Linux Enterprise 15 SP5:
sudo zypper ar https://download.opensuse.org/repositories/network:/idm/15.5/network:idm.repo
# For Leap 15.4 or SUSE Linux Enterprise 15 SP4:
sudo zypper ar https://download.opensuse.org/repositories/network:/idm/15.4/network:idm.repo
```
Then refresh the repos and install himmelblau:
```shell
sudo zypper ref && sudo zypper in himmelblau nss-himmelblau pam-himmelblau
```
To enable authentication, it is imperative to configure the `domains` and `pam_allow_groups` options in the `/etc/himmelblau/himmelblau.conf` file. These settings determine which domains and which users or groups are granted access to the host.
```ini
[global]
domains = contoso.onmicrosoft.com
pam_allow_groups = [email protected],[email protected]
```
Note: `pam_allow_groups` is no longer a required parameter as of Himmelblau 0.6.0. Leaving `pam_allow_groups` unset now permits all users to authenticate.
Note: On Ubuntu, you should additionally set `use_etc_skel` to `true` and configure `home_attr` and `home_alias` to match (I recommend using the `CN` attribute). These parameters are necessary; otherwise Ubuntu's snaps will fail to execute.
```ini
[global]
home_attr = CN
home_alias = CN
use_etc_skel = true
```
Enable and start the `himmelblaud` and `himmelblaud-tasks` daemons. The `himmelblaud` daemon communicates with Entra ID and handles device enrollment, Hello PIN enrollment, and authentication. The `himmelblaud-tasks` daemon is responsible for authenticated tasks, such as creating the user's home directory.
```shell
systemctl enable himmelblaud himmelblaud-tasks
systemctl start himmelblaud himmelblaud-tasks
```
It is recommended that the Name Service Cache daemon (`nscd`) be disabled.
The nscd daemon caches name service lookups, including user and group information obtained from sources like `/etc/passwd` and `/etc/group`. When integrating with Azure Entra ID, it's important to ensure that the most up-to-date user and group information is consistently retrieved from the directory. Disabling nscd helps avoid potential inconsistencies that may arise from cached data not reflecting changes made in Azure Entra ID.
```shell
systemctl stop nscd
systemctl disable nscd
systemctl mask nscd
```
Configuring NSS (Name Service Switch) is essential in integrating Linux hosts with Azure Entra ID using Himmelblau. By configuring NSS to include `himmelblau` alongside sources such as `compat`, `systemd`, etc., the system knows to query Azure Entra ID for user and group information.
The NSS configuration file is found at `/etc/nsswitch.conf`. The `himmelblau` NSS module name should be appended to the `passwd`, `group` and `shadow` entries.
```
passwd: compat systemd himmelblau
group: compat systemd himmelblau
shadow: compat systemd himmelblau
```
PAM enables flexible authentication mechanisms by allowing administrators to define authentication policies through modular components. Configuring PAM for Azure Entra ID ensures that users can authenticate using their Azure Entra ID credentials. By configuring PAM to include the Himmelblau module, authentication requests are directed to Azure Entra ID.
To configure Himmelblau for PAM on openSUSE Tumbleweed, simply use pam-config:
```shell
pam-config --add --himmelblau
```
Check the pam files afterward to ensure the configuration was successful.
Otherwise, configure PAM manually:
In `/etc/pam.d/common-auth`, ensure that the `pam_himmelblau.so` module is placed after other authentication methods (such as `pam_unix.so`). Ensure that other authentication modules are not set to `required`, as this could cause authentication to fail prior to PAM communicating with Entra ID. Include the `ignore_unknown_user` option for Himmelblau. Ensure `pam_deny.so` is placed after all modules, so that unknown users are not implicitly allowed.
```
auth required pam_env.so
auth [default=1 ignore=ignore success=ok] pam_localuser.so
auth sufficient pam_unix.so nullok try_first_pass
auth sufficient pam_himmelblau.so ignore_unknown_user
auth required pam_deny.so
```
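The ordering rules above are easy to get wrong by hand, so here is a small lint for a `common-auth` stack. It is an added example, not part of Himmelblau or this wiki; it parses PAM lines with a regular expression that handles bracketed control values, and the two sample stacks are constructed: the first is the stack shown above, the second breaks three of the rules.

```python
"""Check an /etc/pam.d/common-auth stack against the Himmelblau ordering rules."""
import re

# Constructed sample: the common-auth stack recommended on this page.
GOOD_COMMON_AUTH = """\
auth required pam_env.so
auth [default=1 ignore=ignore success=ok] pam_localuser.so
auth sufficient pam_unix.so nullok try_first_pass
auth sufficient pam_himmelblau.so ignore_unknown_user
auth required pam_deny.so
"""

# Constructed sample with mistakes the text warns about: pam_unix.so is
# 'required', ignore_unknown_user is missing, and pam_deny.so is absent.
BAD_COMMON_AUTH = """\
auth required pam_env.so
auth required pam_unix.so nullok try_first_pass
auth sufficient pam_himmelblau.so
"""

# type, control (a single word or a [bracketed] list), module, optional args
LINE_RE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def parse_pam(text):
    """Return (type, control, module, args) tuples, skipping blanks and comments."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2), m.group(3), m.group(4).split()))
    return entries


def check_common_auth(text):
    """Return a list of findings; an empty list means the stack follows the rules."""
    auth = [e for e in parse_pam(text) if e[0] == "auth"]
    modules = [e[2] for e in auth]
    if "pam_himmelblau.so" not in modules:
        return ["pam_himmelblau.so is missing from the auth stack"]
    hb = modules.index("pam_himmelblau.so")
    findings = []
    # A 'required' authenticator before Himmelblau fails the stack for Entra ID
    # users before pam_himmelblau.so is ever consulted. pam_env.so only sets
    # environment variables, so it is exempt.
    for _typ, ctrl, mod, _args in auth[:hb]:
        if ctrl == "required" and mod != "pam_env.so":
            findings.append(f"{mod} is 'required' before pam_himmelblau.so")
    if "pam_unix.so" in modules and modules.index("pam_unix.so") > hb:
        findings.append("pam_himmelblau.so should come after pam_unix.so")
    if "ignore_unknown_user" not in auth[hb][3]:
        findings.append("pam_himmelblau.so lacks ignore_unknown_user")
    if modules[-1] != "pam_deny.so":
        findings.append("pam_deny.so is not the last auth module")
    return findings
```

Run `check_common_auth` over the contents of `/etc/pam.d/common-auth` after editing; the same checks apply to the `account` stack below with the type filter changed.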
Configure `/etc/pam.d/common-account` in a similar manner.
```
account [default=1 ignore=ignore success=ok] pam_localuser.so
account sufficient pam_unix.so
account sufficient pam_himmelblau.so ignore_unknown_user
account required pam_deny.so
```
In `/etc/pam.d/common-session`, set `pam_himmelblau.so` as an optional module.
```
session optional pam_systemd.so
session required pam_limits.so
session optional pam_unix.so try_first_pass
session optional pam_umask.so
session optional pam_himmelblau.so
session optional pam_env.so
```
A Windows Hello PIN offers a secure and convenient authentication method by leveraging strong encryption, local authentication capabilities, and integration with Entra ID. By setting a PIN on a soft TPM object and unlocking it securely, users can authenticate to their devices and Azure services with confidence in the security of their credentials.
If you're coming from Active Directory, you're familiar with a device join. In Azure Entra ID, enrollment (device join) is performed by individual users, each of whom can enroll a maximum of 50 devices (by default). Instead of being performed as an administrative action, enrollment happens at authentication time, and the first user to authenticate to a device becomes the owner of the device in Entra ID. Subsequent authorized users may authenticate to the device, but will not own it. In a workplace setting, administrators would be responsible for configuring the himmelblau.conf file, as well as PAM and NSS, but enrollment would be performed by the user when they receive the device.
```
opensuse-himmelblau login: [email protected]
Password:
Please type in the code displayed on your authenticator app from your device:
Code:
Set up a PIN
A Hello PIN is a fast, secure way to signin to your device, apps, and services.
New PIN:
Confirm PIN:
Have a lot of fun...
[email protected]@opensuse-himmelblau:~>
```
To enroll your device in Entra ID:
- Login:
  - At the login prompt, enter your username in the format [email protected].
  - Enter your password when prompted.
- MFA:
  - You'll be prompted to provide multi-factor authentication, using your preferred method.
  - Your device is now enrolled in Entra ID.
- Set up a PIN:
  - You'll be prompted to set up a PIN for Windows Hello. This PIN serves as a fast and secure way to sign in to your device, apps, and services.
  - Your PIN must be between 6 and 32 characters in length.
  - Enter a new PIN of your choice when prompted.
  - Confirm the new PIN by entering it again.
- Completion:
  - You are now enrolled in Windows Hello PIN authentication.
Ensure that you choose a strong and memorable PIN to maintain the security of your device. Additionally, keep your PIN confidential and do not share it with others to prevent unauthorized access to your device and associated services. Your PIN is unique to this host, and will not affect authentication to other hosts or Azure services.
You can now use your newly set up PIN to authenticate and access your device.