个人工具
登录
查看“UbuntuHelp:CommonAccessCard”的源代码 - Ubuntu中文
UbuntuHelp
讨论
查看源代码
历史
搜索
导航
首页
最近更改
随机页面
页面分类
帮助
编辑
编辑指南
沙盒
新闻动态
字词处理
工具
链入页面
相关更改
特殊页面
页面信息
查看“UbuntuHelp:CommonAccessCard”的源代码
来自Ubuntu中文
←
UbuntuHelp:CommonAccessCard
跳转至:
导航
,
搜索
因为以下原因,你没有权限编辑本页:
您所请求的操作仅限于该用户组的用户使用:
用户
您可以查看与复制此页面的源代码。
{{From|https://help.ubuntu.com/community/CommonAccessCard}} {{Languages|UbuntuHelp:CommonAccessCard}} The Department of Defence DoD issues Common Access Cards (CAC) which are smart cards setup in a particular way. You can use these cards for Public Key Infrastructure (PKI) Authentication and signing/encrypting/verifying/decrypting email. == Public Key Infrastructure (PKI) Authentication == Get a `pcscd`/ccid compatible smart card reader. Verified readers are * SCM Micro SCR331 ** http://www.cdw.com/shop/products/default.aspx?EDC=419432 ** http://computers.pricegrabber.com/flash-memory-readers-accs/m/38231912/search=SCR331 ** you must flash the reader to the latest firmware - [http://www.txsystems.com/scm.html] *** unless someone knows another way, this must be done from a windows machine === Install the Software === <pre><nowiki> sudo apt-get install pcscd pcsc-tools libccid libpcsclite-dev </nowiki></pre> NOTE: libpcsclite-dev is only needed for Coolkey compililation since it's currently not a debian package. For Ubuntu Feisty recommend the following or you may get dependency errors when compiling Coolkey <pre><nowiki> sudo apt-get install libusb-0.1-4 libpcsclite1 libpcsclite-dev pcscd pcsc-tools build-essential autoconf xlibs-dev libccid </nowiki></pre> At this point you should be able to verify that your cac card is working by running `pcsc_scan`. It should output something like this. <pre><nowiki> PC/SC device scanner V 1.4.8 (c) 2001-2006, Ludovic Rousseau <ludovic.rousseau@free.fr> Compiled with PC/SC lite version: 1.3.2 Scanning present readers 0: SCM SCR 331 (21120725209424) 00 00 Sat Sep 22 12:28:23 2007 Reader 0: SCM SCR 331 (21120725209424) 00 00 Card state: Card inserted, ATR: 3B 6B 00 00 80 65 B0 83 01 04 74 83 00 90 00 ATR: 3B 6B 00 00 80 65 B0 83 01 04 74 83 00 90 00 + TS = 3B --> Direct Convention + T0 = 6B, Y(1): 0110, K: 11 (historical bytes) TB(1) = 00 --> VPP is not electrically connected TC(1) = 00 --> Extra guard time: 0 + Historical bytes: 80 65 B0 83 01 04 74 83 00 90 00 [[category:Category]] indicator byte: 80 (compact TLV data object) Tag: 6, len: 5 (pre-issuing data) Data: B0 83 01 04 74 Tag: 8, len: 3 (status indicator) LCS (life card cycle): 00 (No information given) SW: 9000 (Normal processing.) Possibly identified card (using /usr/share/pcsc/smartcard_list.txt): 3B 6B 00 00 80 65 B0 83 01 04 74 83 00 90 00 Gemplus GXP3 64V2N U.S. Department of Defense Common Access Card (DoD CAC) </nowiki></pre> Download and extract the [http://directory.fedoraproject.org/wiki/CoolKey#Download_the_latest_version latest stable version of CoolKey]. (verified with 1.1.0) Once you've extracted the files to a folder open up a terminal and `cd` to that directory and run the following commands. NOTE: Coolkey is in the repository for Gutsy - [http://packages.ubuntu.com/gutsy/admin/coolkey] <pre><nowiki> sudo mkdir /usr/cac ./configure --prefix=/usr/cac make sudo make install </nowiki></pre> At this point your hardware and drivers are setup. === Configure Firefox === To setup Firefox to authenticate with sites via SSL/PKI, you must: * download the DoD Certificates so that you can verify the server, and * setup firefox to read your client certificates from your CAC card. ==== DoD Certificates ==== The DoD has created a hierarchy of certificates. The top level certificate signs the intermediate certificate and the intermediate certificate signs the site's certificate in most cases. If you import and trust the top most certificate, it saves you from having to install and trust a significantly higher number of certificates. I believe the hierarchy looks something like this * ECA Root CA - See http://iase.disa.mil/pki/eca/ * DoD Root CA ** DoD CLASS 3 Root CA *** DoD CLASS 3 CA-X (1- ** DoD Root CA 2 I don't know what the classes represent. This hierarchy is probably not correct. The easiest way to install fairly high level certificates is to visit http://dodpki.c3pki.chamb.disa.mil/rootca.html and just click on each one to install. ===== Advanced Install ===== You may also download the certificates and install each one using the following procedure. # ''Preferences'' Menu # ''Advanced'' Section # ''Encryption'' Tab # ''View Certificates'' Button # ''Authorities'' Tab # ''Import'' Button Places to download the certificates are: * https://crl.chamb.disa.mil/ * https://eportal.ctnosc.army.mil/ (must have Army Knowledge Online [AKO] account) ==== Client Certificate Setup ==== # Insert CAC into reader - the green light should flash. # Add `CAC Module` to Firefox as a Security Device ## ''Preferences'' Menu ## ''Advanced'' Section ## ''Encryption'' Tab ## ''Security Devices'' Button ## ''Load'' Button ## Enter `CAC Module` as the module name, and browse to `/usr/cac/lib/pkcs11/libcoolkeypk11.so` for the module filename. === Testing === You can test this easily by going to https://teamware.dt.navy.mil/ and clicking on ``New Account`` at the top. If it works, you should be prompted to enter your PIN and the site should say ''Your PKI Certificate has been detected.'' === Machine and Screensaver login with CAC === With a little work you can also use your CAC card to log into Ubuntu or un-screenlock. First you need some libraries... <pre><nowiki> sudo apt-get install libssl-dev libpam0g-dev </nowiki></pre> Then get the latest version of pam_pkcs11 from [http://www.opensc-project.org/files/pam_pkcs11] Unzip/Untar the file somewhere and cd into the resulting directory. For example if you downloaded [http://www.opensc-project.org/files/pam_pkcs11/pam_pkcs11-0.6.0.tar.gz pam_pkcs11-0.6.0.tar.gz] into /tmp <pre><nowiki> cd /tmp tar -zxvf pam_pkcs11-0.6.0.tar.gz cd pam_pkcs11-0.6.0 </nowiki></pre> then build pam_pkcs <pre><nowiki> ./configure --prefix=/usr --exec-prefix=/usr make sudo make install ln -s /usr/lib/security/pam_pkcs11.so /lib/security/pam_pkcs11.so </nowiki></pre> you should end up with files in the following directories /usr/lib/pam_pkcs11 and /usr/share/pam_pkcs11 According to various docs, make install should create a directory structure at /etc/pam_pkcs11 but it doesn't seem to, so create the following <pre><nowiki> sudo mkdir /etc/pam_pkcs11 sudo mkdir /etc/pam_pkcs11/crls sudo mkdir /etc/pam_pkcs11/cacerts sudo cp /usr/share/pam_pkcs11/pam_pkcs11.conf.example /etc/pam_pkcs11/pam_pkcs11.conf sudo touch /etc/pam_pkcs11/subject_mapping </nowiki></pre> then edit /etc/pam_pkcs11/pam_pkcs11.conf At roughly line 27 change the line that reads <pre><nowiki> use_pkcs11_module = opensc; </nowiki></pre> to be <pre><nowiki> use_pkcs11_module = coolkey; </nowiki></pre> at around line 72 or so add the following <pre><nowiki> # Coolkey Support pkcs11_module coolkey { module = /usr/cac/lib/pkcs11/libcoolkeypk11.so description = "Coolkey"; slot_num = 0; support_threads = false; ca_dir = /etc/pam_pkcs11/cacerts; crl_dir = /etc/pam_pkcs11/crls; # cert_policy = ca, crl_offline,signature; cert_policy = none; } </nowiki></pre> The example above does not do any checking to see if the CAC card is still valid or is expired. Change cert_policy as appropriate to do validity checking. You'll also need to download and install the certificate authority certs into /etc/pam_pkcs11/cacerts and the certificate revocation lists into /etc/pam_pkcs11/crls Next scroll down until you see the line <pre><nowiki> use_mappers = digest, cn, pwent, uid, mail, subject, null; </nowiki></pre> and change it to <pre><nowiki> use_mappers = subject; </nowiki></pre> then save the file. At some point we'll figure out how to use the LDAP or other mappings - but the above will get you working for now. Next run the following command <pre><nowiki> pkcs11_inspect debug </nowiki></pre> and copy the line directly below "Printing data for mapper subject:" into /etc/pam_pkcs11/subject_mapping and modify it so you have something like this <pre><nowiki> /C=US/O=U.S. Government/OU=DoD/OU=PKI/OU=CONTRACTOR/CN=your_cac_username -> local_username </nowiki></pre> Ok, we're almost done. Now edit /etc/pam.d/gdm and add the line "auth sufficient pam_pkcs11.so" to the top of the list so you have something like this <pre><nowiki> #%PAM-1.0 auth sufficient pam_pkcs11.so auth requisite pam_nologin.so auth required pam_env.so @include common-auth @include common-account session required pam_limits.so @include common-session @include common-password </nowiki></pre> Do the same for /etc/pam.d/gnome-screensaver <pre><nowiki> auth sufficient pam_pkcs11.so @include common-auth </nowiki></pre> If you're feeling really adventurous you can add the line to the top of /etc/pam.d/common-auth and Ubuntu will try to use CAC authentication for everything including ssh, su, sudo, etc. Try rebooting and logging in with your CAC card. At the username prompt in Feisty I had to just hit enter, then it asked me for my CAC PIN. When un-screenlocking, it works best if you insert the CAC card into the reader before you hit a key or move the mouse to get the unlock authentication prompt. One thing to note. If you are using a Windows virtual machine under VMware Player or Server with CAC authentication in the virtual machine - the virtual machine will tie up the reader so Ubuntu can't get access to it. You'll get errors like token unavailable. == References == Big thanks to [http://symbolik.wordpress.com/about/ symbolik] and his aricle [http://symbolik.wordpress.com/2007/02/25/using-dod-cac-and-smartcard-readers-on-linux/ Using DoD CAC and smartcard Readers on Linux] === Relevant Discussion Threads === * [http://ubuntuforums.org/showthread.php?t=457084] * [http://ubuntuforums.org/showthread.php?t=294200] * [http://ubuntuforums.org/showthread.php?t=454234] [[category:UbuntuHelp]]
该页面使用的模板:
模板:From
(
查看源代码
)
模板:Languages
(
查看源代码
)(受保护)
模板:Languages/Lang
(
查看源代码
)(受保护)
返回至
UbuntuHelp:CommonAccessCard
。