Check out authentication to Azure AD/Entra ID with a Windows Hello PIN on openSUSE Tumbleweed!
Here’s how to get started for yourself.
First, install the packages in Tumbleweed:
sudo zypper in himmelblau nss-himmelblau pam-himmelblau
Next, configure /etc/himmelblau/himmelblau.conf: set the ‘domains’ parameter to a comma-separated list of allowed domains, then set ‘pam_allow_groups’ to a comma-separated list of allowed users and groups. All other parameters in himmelblau.conf are optional.
Configure PAM:
sudo pam-config --add --himmelblau
You may need to do additional PAM configuration. Check out the README.
Disable nscd:
sudo systemctl stop nscd
sudo systemctl disable nscd
sudo systemctl mask nscd
Set up NSS (just add ‘himmelblau’ to the end of the passwd, group, and shadow lines):
# vim /etc/nsswitch.conf
passwd: compat systemd himmelblau
group: compat systemd himmelblau
shadow: compat systemd himmelblau
Finally, start Himmelblau:
sudo systemctl enable himmelblaud himmelblaud-tasks
sudo systemctl start himmelblaud himmelblaud-tasks
You’re all set! Domain enrollment happens automatically the first time someone logs in. Each time a new user logs in, they’ll be prompted to enroll a Windows Hello PIN for the device (Hello PIN auth is introduced in Himmelblau 0.3.0). Subsequently, that user will authenticate with their Hello PIN.
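To confirm the two file edits from the steps above before the first login, the following check can be run. It is an added example, not part of the original post or the Himmelblau project; the function names and the `--run` switch are hypothetical, and the parser assumes himmelblau.conf uses plain `key = value` lines.

```shell
#!/bin/sh
# Added example: checks the two files edited in the steps above.
# Default paths are the ones named in the post; pass others to test offline.

# True when passwd, group and shadow all list the himmelblau NSS module.
check_nsswitch() {
    nss_rc=0
    for db in passwd group shadow; do
        if ! awk -v db="$db:" '
            { sub(/#.*/, "") }    # a commented-out entry does not count
            $1 == db { for (i = 2; i <= NF; i++) if ($i == "himmelblau") ok = 1 }
            END { exit !ok }' "$1"; then
            echo "nsswitch: himmelblau missing from $db" >&2
            nss_rc=1
        fi
    done
    return $nss_rc
}

# True when both parameters the post says to set have a non-empty value.
check_conf() {
    conf_rc=0
    for key in domains pam_allow_groups; do
        if ! awk -v key="$key" '
            /^[ \t]*[#;]/ || index($0, "=") == 0 { next }    # comments, section headers
            { k = substr($0, 1, index($0, "=") - 1); v = substr($0, index($0, "=") + 1)
              gsub(/[ \t]/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v) }
            k == key && v != "" { ok = 1 }
            END { exit !ok }' "$1"; then
            echo "himmelblau.conf: $key is unset or empty" >&2
            conf_rc=1
        fi
    done
    return $conf_rc
}

# Runs both checks and reports every problem instead of stopping at the first.
verify_setup() {
    status=0
    check_nsswitch "${1:-/etc/nsswitch.conf}" || status=1
    check_conf "${2:-/etc/himmelblau/himmelblau.conf}" || status=1
    return $status
}

# Hypothetical switch: "sh check.sh --run" checks the live system files.
if [ "${1:-}" = "--run" ]; then verify_setup; fi
```

An empty ‘pam_allow_groups’ or a missing ‘himmelblau’ entry is reported on stderr, and the exit status is non-zero if any check fails.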