auth-test
Test authentication for a user through the Himmelblau PAM channel. This verifies that himmelblaud is correctly processing and validating authentications. It does not test that your PAM configuration files are correct.
| Flag | Short | Description |
|---|---|---|
| --name | -D | (Required) The account to authenticate, as a UPN (e.g. user@example.com). |
| --force-reauth | | Force a full re-authentication (password, MFA, or FIDO2), bypassing the cached Hello key. Use this to manually satisfy Entra conditional access sign-in frequency requirements. |
| --debug | -d | Enable verbose debug logging. |
status
Check that the himmelblaud daemon is online and able to connect to the Entra ID endpoint.
| Flag | Short | Description |
|---|---|---|
| --debug | -d | Enable verbose debug logging. |
version
Show the version of aad-tool.
| Flag | Short | Description |
|---|---|---|
| --debug | -d | Enable verbose debug logging. |
tpm
Check whether Himmelblau is using the TPM for key storage and cryptographic operations.
| Flag | Short | Description |
|---|---|---|
| --debug | -d | Enable verbose debug logging. |
configure-pam
Insert pam_himmelblau lines into the system PAM configuration files. Without --really, the command performs a dry run and prints what it would change without writing any files.
```bash
# Dry run: show what would change without modifying any files
sudo aad-tool configure-pam
# Apply changes to PAM configuration
sudo aad-tool configure-pam --really
# Add only the optional try_unseal auth line (for secrets unsealing at login)
sudo aad-tool configure-pam --really --try-unseal
```
| Flag | Description |
|---|---|
| --really | Apply changes. Without this flag the command is a dry run. |
| --try-unseal | Only add an optional try_unseal auth line to unseal secrets at login. Does not modify the standard PAM auth, account, session, or password stacks. |
| --auth-file | Override the path to the PAM auth configuration file. |
| --account-file | Override the path to the PAM account configuration file. |
| --session-file | Override the path to the PAM session configuration file. |
| --password-file | Override the path to the PAM password configuration file. |
| --debug / -d | Enable verbose debug logging. |
When run without explicit --*-file overrides, configure-pam auto-detects the PAM files for the current distribution. Common candidates include /etc/pam.d/common-auth, /etc/pam.d/system-auth, and /etc/pam.d/password-auth.
If a pam_himmelblau line with matching options already exists in a file, configure-pam skips that file.
offline-breakglass
Activate or deactivate offline breakglass mode. When active, cached Entra ID user passwords can be used to log in when Azure Entra ID is unreachable.
```bash
# Activate breakglass mode using the TTL configured in himmelblau.conf
sudo aad-tool offline-breakglass
# Activate breakglass mode for 2 hours
sudo aad-tool offline-breakglass --ttl 2h
# Deactivate breakglass mode immediately
sudo aad-tool offline-breakglass --ttl 0
```
| Flag | Description |
|---|---|
| --ttl | Override the breakglass duration for this session. Accepts a time unit suffix: m (minutes), h (hours), or d (days). Pass 0 to deactivate immediately. If omitted, uses the value from himmelblau.conf. |
| --debug / -d | Enable verbose debug logging. |
Offline breakglass mode requires enabled = true under the [offline_breakglass] section in /etc/himmelblau/himmelblau.conf. If it was not enabled in advance, no password verifiers will have been cached and this command has no effect. Use this feature only for emergency access during verified outages.
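The two preconditions above (pam_himmelblau present in each PAM stack after configure-pam, and enabled = true under [offline_breakglass] before an outage) can be checked from a script. The following is an added example, not part of aad-tool or Himmelblau; the function names and the sample files in the comments are assumptions.

```shell
# Added preflight checks (not part of aad-tool): confirm the preconditions
# described above before relying on offline-breakglass, and report which PAM
# stacks still lack a pam_himmelblau line after configure-pam.

# breakglass_enabled CONF
# Succeeds only if CONF has `enabled = true` inside the [offline_breakglass]
# section; the same key in any other section is ignored, as are comments.
breakglass_enabled() {
  awk '
    /^[[:space:]]*\[/ {
      in_sec = ($0 ~ /^[[:space:]]*\[offline_breakglass\][[:space:]]*$/); next
    }
    in_sec && /^[[:space:]]*enabled[[:space:]]*=/ {
      v = $0
      sub(/^[^=]*=[[:space:]]*/, "", v)   # drop "enabled ="
      sub(/[[:space:]#].*$/, "", v)       # drop trailing space or comment
      if (tolower(v) == "true") found = 1
    }
    END { exit found ? 0 : 1 }
  ' "$1"
}

# pam_stack_has_himmelblau FILE TYPE
# Succeeds if FILE has an uncommented TYPE line (auth|account|session|password)
# that loads pam_himmelblau. A leading "-" (optional module) is accepted.
pam_stack_has_himmelblau() {
  grep -Eq "^[[:space:]]*-?$2[[:space:]]+[^#]*pam_himmelblau" "$1"
}

# pam_stacks_missing_himmelblau AUTH_FILE ACCOUNT_FILE SESSION_FILE PASSWORD_FILE
# Takes the files in the same order as the --*-file overrides (pass the same
# file four times on distributions with a single system-auth). Prints the
# stack types that still have no pam_himmelblau line, space separated.
pam_stacks_missing_himmelblau() {
  out=""
  for t in auth account session password; do
    pam_stack_has_himmelblau "$1" "$t" || out="$out $t"
    shift
  done
  echo "${out# }"
}
```

An empty result from pam_stacks_missing_himmelblau matches the state in which configure-pam would skip every file; a non-empty result names the stacks a dry run should still report.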