Skip to main content
Himmelblau reads its configuration from /etc/himmelblau/himmelblau.conf. The file uses INI-style syntax. All options described on this page belong to the [global] section, which applies system-wide. You can override domain-specific options (marked domain-specific below) in a per-domain section such as [domain.example.com].

File location

/etc/himmelblau/himmelblau.conf

Format

[global]
# Applies to all domains unless overridden below.
domain = example.com
pam_allow_groups = f3c9a7e4-7d5a-47e8-832f-3d2d92abcd12

[domain.example.com]
# Overrides for example.com only.
pam_allow_groups = 5ba4ef1d-e454-4f43-ba7c-6fe6f1601915

Full example

[global]
domain = example.com
app_id = d023f7aa-d214-4b59-911d-6074de623765
pam_allow_groups = f3c9a7e4-7d5a-47e8-832f-3d2d92abcd12

# User and group mapping
id_attr_map = name
idmap_range = 200000-2000200000
home_prefix = /home/
home_attr = uuid
home_alias = spn
shell = /bin/bash

# Authentication
enable_hello = true
enable_hello_totp = false
hello_pin_min_length = 6
hello_pin_retry_count = 3
enable_sfa_fallback = false
allow_console_password_only = true

# Security
hsm_type = tpm_bound_soft_if_possible
selinux = true

Core settings

domain
string
required
The primary Azure Entra ID domain name used for authentication. This value should match the domain portion that users enter when signing in (for example, the domain part of their UPN).In most cases this is the primary domain of your Entra ID tenant. If your organization uses multiple verified domains or aliases, choose the one your users actually sign in with.If not specified, the domain is extracted from the UPN of the first user to authenticate and looked up in Entra ID.Default: extracted from the first user’s UPN.Example: domain = example.com
app_id
string
The Azure Entra ID application (client) ID used by Himmelblau for directory operations such as reading extended attributes (for example, the gidNumber attribute used in RFC 2307 idmapping).If logon_token_app_id is not set, this application ID is also used when requesting access tokens for the user logon script.In the Azure Portal for the application corresponding to app_id, ensure that the redirect URI himmelblau://Himmelblau.EntraId.BrokerPlugin is enabled under Mobile and desktop applications in the Authentication section.Default: none (domain-specific).Example: app_id = d023f7aa-d214-4b59-911d-6074de623765
join_type
enum
default:"join"
Specifies whether the system should join or register with Microsoft Entra ID.Accepted values: join, register.Example: join_type = register
pam_allow_groups
string
A comma-separated list of Entra ID users and groups permitted to access the system. Users should be specified by UPN. Groups must be specified using their Object ID GUID — group names are not guaranteed to be unique in Entra ID and cannot be used.If not set, all Entra ID users are permitted to authenticate. Domain-specific.Default: all users permitted.Example: pam_allow_groups = f3c9a7e4-7d5a-47e8-832f-3d2d92abcd12,admin@example.com

User and group mapping

home_prefix
string
default:"/home/"
The path prefix used when constructing user home directories. Domain-specific.Example: home_prefix = /home/entra/
home_attr
enum
default:"uuid"
The attribute used to name the user’s home directory. Domain-specific.Accepted values:
  • uuid — directory is named by the user’s Entra ID object UUID
  • spn — directory is named by the user’s Service Principal Name (UPN)
  • cn — directory is named by the user’s Common Name
Example: home_attr = uuid
home_alias
enum
default:"spn"
The attribute used to create a symlinked alias pointing to the user’s home directory. Domain-specific.Accepted values: uuid, spn, cn.Example: home_alias = spn
shell
string
default:"/bin/bash"
The default login shell assigned to users at sign-in. Domain-specific.Example: shell = /bin/zsh
id_attr_map
enum
default:"name"
Specifies how UID and GID values are derived for Entra ID users and groups.Accepted values:
  • name — map by object name (recommended for most deployments)
  • uuid — map by object UUID
  • rfc2307 — use uidNumber/gidNumber attributes synchronized from an on-premises Active Directory instance (recommended when on-prem sync is in use)
Example: id_attr_map = name
idmap_range
string
default:"200000-2000200000"
The range of UID and GID values to allocate for Entra ID users and groups. Format: low-high. Domain-specific.When you change this value, run sudo aad-tool cache-clear --full to clear stale cached ID mappings, then restart himmelblaud.Example: idmap_range = 10000000-10999999
subid_range
string
default:"2100000000-4200000000"
The range of subordinate UIDs and GIDs (subuid/subgid) allocated for container support (Podman, rootless containers, and similar tools).Himmelblau automatically adds entries to /etc/subuid and /etc/subgid for each user at login. Each user receives a 65536-ID slice from this range, allocated deterministically based on a hash of their username.Example: subid_range = 2100000000-4200000000
cn_name_mapping
boolean
default:"true"
Allows users to enter the short form of their username (for example, dave) instead of the full UPN.Example: cn_name_mapping = false
name_mapping_script
string
Path to an executable script used to map custom names to UPN names. The script must accept a single argument (the mapped name) and print the corresponding UPN to stdout. If the name is not recognized, the script must return the input unchanged.This is useful in environments where direct UPN-to-CN mappings are impractical or where custom name transformations are required.Default: none.Example: name_mapping_script = /etc/himmelblau/map-names.sh
user_map_file
string
default:"/etc/himmelblau/user-map"
Path to a file that maps local user accounts to Entra ID user accounts, allowing local users to authenticate using Entra ID credentials.Each line must follow the format local_username:name@domain. Blank lines and lines beginning with # are ignored.Example file contents:
# local_username:samaccountname@domain
alice:alice@contoso.com
bob:bob.smith@example.org
Example: user_map_file = /etc/himmelblau/user-map
rfc2307_group_fallback_map
enum
When id_attr_map = rfc2307 is set, specifies the fallback method for mapping a group GID when no gidNumber attribute is found in the directory. If not set, groups without a gidNumber will not be visible to NSS.Only applicable when id_attr_map = rfc2307.Accepted values: name, uuid.Default: none.Example: rfc2307_group_fallback_map = name

Authentication

enable_hello
boolean
default:"true"
Enables or disables user enrollment in Windows Hello authentication. When disabled, users must complete MFA at every login.For OIDC providers (when oidc_issuer_url is set), Hello enrollment requires the client application to allow refresh tokens and include the offline_access scope.Example: enable_hello = false
enable_passwordless
boolean
default:"true"
Controls whether passwordless authentication (Microsoft Authenticator app approval without a password) is offered during Entra ID authentication. When enabled, Himmelblau includes the passwordless option in authentication requests. When disabled, users are prompted for a password followed by MFA.Example: enable_passwordless = false
enable_hello_totp
boolean
default:"false"
Enables local Time-based One-Time Password (TOTP) authentication in combination with Windows Hello. When enabled, users must authenticate with both their Hello PIN and a TOTP generated by a standard authenticator app.The TOTP secret is enrolled and enforced locally on the host, independent of any cloud-based MFA. Users who have not yet enrolled a TOTP secret will be prompted to do so.When Hello TOTP is enabled, Hello + TOTP is accepted for remote services (SSH and similar). Without it, remote logins bypass Hello and require cloud MFA.Example: enable_hello_totp = true
hello_pin_min_length
number
default:"6"
The minimum number of characters required for a Hello PIN. Must be between 6 and 32.Example: hello_pin_min_length = 8
hello_pin_retry_count
number
default:"3"
The number of invalid Hello PIN attempts permitted before the user must complete MFA. After successful MFA, the user is prompted to set a new PIN.Example: hello_pin_retry_count = 5
hello_pin_prompt
string
default:"Use the Linux Hello PIN for this device."
The prompt text shown when requesting the user’s Hello PIN.Example: hello_pin_prompt = Enter your device unlock PIN
allow_remote_hello
boolean
default:"false"
Allows Windows Hello PIN authentication for remote services without requiring Hello TOTP. When enabled, remote logins (SSH and similar) may use Hello PIN alone, restoring legacy behavior.
This weakens remote authentication security. Prefer enabling enable_hello_totp instead.
Example: allow_remote_hello = true
enable_sfa_fallback
boolean
default:"false"
Determines whether password-only (single-factor) authentication is permitted when MFA is unavailable.Example: enable_sfa_fallback = true
enable_experimental_mfa
boolean
default:"true"
Enables the experimental MFA flow, which permits Hello authentication. This flow may encounter failures in certain edge cases. When disabled, Himmelblau enforces the Device Authorization Grant (DAG) flow for MFA, which is more robust but does not support Hello.Example: enable_experimental_mfa = false
enable_experimental_passwordless_fido
boolean
default:"false"
Enables the experimental passwordless FIDO flow for Entra ID authentication. When enabled, Himmelblau attempts to authenticate using a FIDO2 security key without requiring a password.Example: enable_experimental_passwordless_fido = true
fido_timeout
number
default:"25"
The number of seconds to wait for the user to insert and activate their FIDO2/passkey security key.Example: fido_timeout = 60
fido_prompt
string
default:"Please insert your security key."
The message displayed to the user when FIDO/passkey authentication is initiated and they need to insert their security key.Example: fido_prompt = Please insert your security key.
fido_presence_prompt
string
default:"Please touch your security key."
The message displayed to the user when FIDO/passkey authentication requires a user-presence gesture (touching the security key).Example: fido_presence_prompt = Please touch your security key.
mfa_method
string
A preferred MFA method to use during authentication. When set, Himmelblau attempts to use this method instead of the default configured in the user’s Entra ID profile. If not set or if the specified method is unavailable, the default MFA method is used.Accepted values:
  • PhoneAppNotification — Authenticator app push notification
  • CompanionAppsNotification — MFA via Outlook app or Authenticator Lite
  • PhoneAppOTP — Authenticator app verification code
  • OneWaySMS — Text message code
  • TwoWayVoiceMobile — Phone call to mobile
  • TwoWayVoiceAlternateMobile — Phone call to alternate mobile number
  • TwoWayVoiceOffice — Phone call to office
  • ConsolidatedTelephony — Call or text message
Default: none (uses the user’s default MFA method).Example: mfa_method = TwoWayVoiceMobile

Groups and permissions

local_groups
string
A comma-separated list of local groups that every Entra ID user should be a member of.
Removing a group from this list does not remove users from that group. You must remove existing members manually.
Default: none.Example: local_groups = sudo,admin
sudo_groups
string
A comma-separated list of Entra ID group Object ID GUIDs whose members should be granted sudo access on this system. If local_sudo_group is not defined, the local group sudo is used. Domain-specific.Default: none.Example: sudo_groups = f3c9a7e4-7d5a-47e8-832f-3d2d92abcd12,5ba4ef1d-e454-4f43-ba7c-6fe6f1601915
local_sudo_group
string
default:"sudo"
The local group assigned to users who are members of any group listed in sudo_groups. Only has an effect when sudo_groups is set. Membership is removed automatically if the user leaves the specified Entra ID group.Example: local_sudo_group = wheel

Network and timeouts

connection_timeout
number
default:"30"
The timeout in seconds for connections to the authentication server.Example: connection_timeout = 5
cache_timeout
number
default:"300"
The timeout in seconds for cached authentication data.Example: cache_timeout = 10
authority_host
string
default:"login.microsoftonline.com"
The hostname used for Microsoft authentication. Change this for sovereign cloud deployments (for example, login.microsoftonline.us for Azure US Government). Domain-specific.Example: authority_host = login.microsoftonline.us
oidc_issuer_url
string
The OpenID Connect (OIDC) issuer URL used by Himmelblau to discover OIDC provider metadata and endpoints. Setting this option enables generic OIDC authentication, allowing Himmelblau to authenticate against any standards-compliant OIDC provider rather than using the built-in Entra ID defaults.When set, app_id is required and is used as the OIDC client identifier. If enable_hello = true (the default), the client application must allow refresh tokens and include the offline_access scope.The issuer URL must exactly match the issuer value advertised by the provider, including any required path components.Default: none (Himmelblau uses its native Entra ID authentication flow).Example: oidc_issuer_url = https://login.microsoftonline.com/0656e57d-a8fc-4aa4-8366-8045787115ca/v2.0

Security

hsm_type
enum
default:"tpm_bound_soft_if_possible"
Specifies how Himmelblau handles secure key storage.Accepted values:
  • tpm_bound_soft_if_possible — uses a software-based HSM that encrypts key material locally, but binds the parent AuthCode to the TPM if available (recommended default)
  • tpm — uses a hardware TPM exclusively for storing and binding cryptographic keys
  • tpm_if_possible — attempts to use a hardware TPM if available; falls back to software HSM otherwise (will not fall back if the TPM has previously been used for key storage)
The old soft value has been deprecated. Environments enrolled with soft are automatically migrated to tpm_bound_soft_if_possible.
Run sudo aad-tool tpm to confirm whether Himmelblau is using the hardware TPM.Example: hsm_type = tpm
hsm_pin_path
string
default:"/var/lib/himmelblaud/hsm-pin"
The filesystem path where the HSM PIN is stored. This PIN protects sensitive cryptographic operations. Can also be set via the HIMMELBLAU_HSM_PIN_PATH environment variable.Example: hsm_pin_path = /etc/himmelblau/hsm-pin
tpm_tcti_name
string
default:"device:/dev/tpmrm0"
The TCTI (Trusted Computing Technology Interface) string used when communicating with a TPM. Only relevant when hsm_type is tpm or tpm_if_possible.device:/dev/tpmrm0 uses the kernel TPM resource manager device, which is the recommended default for most Linux systems.Example: tpm_tcti_name = device:/dev/tpm0
selinux
boolean
default:"true"
Whether SELinux security labels are applied to users’ home directories.Example: selinux = false

Logging and debug

debug
boolean
default:"false"
Enables debug-level logging. When set to true, debug messages are written to the system journal.Example: debug = true

Paths

db_path
string
default:"/var/cache/himmelblaud/himmelblau.cache.db"
The filesystem path to the cache database, which stores cached authentication data and device state.Example: db_path = /var/cache/himmelblau/himmelblau.cache.db
socket_path
string
default:"/var/run/himmelblaud/socket"
The path to the Unix socket used for communication between the PAM/NSS modules and the Himmelblau daemon.Example: socket_path = /tmp/himmelblaud.sock
task_socket_path
string
default:"/var/run/himmelblaud/task_sock"
The path to the Unix socket used for communication with the tasks daemon.Example: task_socket_path = /tmp/task.sock
broker_socket_path
string
default:"/var/run/himmelblaud/broker_sock"
The path to the Unix socket used for communication with the broker DBus service.Example: broker_socket_path = /tmp/broker.sock

Advanced

apply_policy
boolean
default:"true"
Enables the application and enforcement of Intune device compliance policies during non-OIDC authentication. When enabled (the default), non-compliant devices may be denied authentication according to configured policies. This setting does not affect OIDC-based authentication flows.Example: apply_policy = false
logon_script
string
Path to a script that executes every time a user logs on. The script receives two environment variables:
  • USERNAME — the authenticated user’s name
  • ACCESS_TOKEN — an MS Graph access token (empty during offline logon)
The script’s exit code controls authentication:
  • 0 — success
  • 1 — soft failure (authentication proceeds)
  • 2 — hard failure (authentication is denied)
Use logon_token_scopes to specify the scopes requested for ACCESS_TOKEN.Default: none.Example: logon_script = /etc/himmelblau/logon.sh
logon_token_app_id
string
An alternate Entra ID application (client) ID used exclusively for acquiring ACCESS_TOKEN values during logon script execution. If not set, app_id is used instead.This allows a separate application registration with the specific API permissions required by logon scripts.In the Azure Portal for this application, ensure the redirect URI https://login.microsoftonline.com/common/oauth2/nativeclient is enabled under Mobile and desktop applications. Domain-specific.Default: none.Example: logon_token_app_id = 544e695f-5d78-442e-b14e-e114e95e640c
logon_token_scopes
string
A comma-separated list of OAuth scopes requested for ACCESS_TOKEN during logon. These scopes must correspond to the API permissions assigned to the Entra ID application specified by app_id.Default: none.Example: logon_token_scopes = user.read,mail.read
entra_id_password_prompt
string
The prompt text shown when requesting the user’s Entra ID password.Example: entra_id_password_prompt = Enter your Microsoft 365 password
password_only_remote_services_deny_list
string
A comma-separated list of PAM service names that always require MFA, regardless of the allow_console_password_only setting. These are typically remote access services where password-only authentication must never be permitted.The PAM service name is the name passed by the application when calling pam_start() (for example, sshd, login, gdm-password). Entries are matched as substrings, so ssh matches ssh, sshd, openssh, and so on.Example: password_only_remote_services_deny_list = ssh,telnet,vnc,xrdp
allow_console_password_only
boolean
default:"true"
Enables password-only (single-factor) authentication for local console logins (TTY, GDM, SDDM, LightDM). When enabled, Himmelblau attempts to authenticate using only the user’s password for local sessions. If Entra ID requires MFA via Conditional Access, the user is prompted for MFA automatically.This setting does not affect remote authentication (SSH and similar), which always requires MFA unless the user has Hello + TOTP configured or allow_remote_hello is enabled.Remote connections are detected using:
  • PAM_RHOST — if the remote host is set to a non-localhost value
  • PAM_SERVICE — if the service name matches an entry in password_only_remote_services_deny_list
  • PAM_TTY — if the terminal name contains ssh (fallback)
Requires the device to be domain-joined. Set to false to require MFA for all logins including local console.Example: allow_console_password_only = false
use_etc_skel
boolean
default:"false"
When set to true, Himmelblau copies the contents of /etc/skel into newly created user home directories.Example: use_etc_skel = true

Build docs developers (and LLMs) love

Get started for freeTalk to us