Difference between revisions of "UbuntuHelp:CommonAccessCard"
From Ubuntu中文
(→DoD Certificates: alt location) (minor edit)
第1行: | 第1行: | ||
{{From|https://help.ubuntu.com/community/CommonAccessCard}} | {{From|https://help.ubuntu.com/community/CommonAccessCard}} | ||
{{Languages|UbuntuHelp:CommonAccessCard}} | {{Languages|UbuntuHelp:CommonAccessCard}} | ||
− | The Department of Defense (DoD) issues Common Access Cards (CACs) which are smart cards set up in a particular way. You can use these cards for Public Key Infrastructure (PKI) Authentication and signing/encrypting/verifying/decrypting email. | + | The Department of Defense (DoD) issues Common Access Cards (CACs) which are smart cards set up in a particular way. You can use these cards for Public Key Infrastructure (PKI) Authentication and signing/encrypting/verifying/decrypting email and websites. |
== Public Key Infrastructure (PKI) Authentication == | == Public Key Infrastructure (PKI) Authentication == | ||
Get a `pcscd`/ccid compatible smart card reader. Verified readers are | Get a `pcscd`/ccid compatible smart card reader. Verified readers are | ||
第10行: | 第10行: | ||
* you must flash the reader to the latest firmware - [http://www.txsystems.com/scm.html] | * you must flash the reader to the latest firmware - [http://www.txsystems.com/scm.html] | ||
* unless someone knows another way, this must be done from a windows machine | * unless someone knows another way, this must be done from a windows machine | ||
− | === | + | === December 2008 Update: coolkey is now part of Ubuntu === |
+ | Coolkey is now part of Ubuntu (as of Gutsy) so you no longer need to compile coolkey. The instructions below were updated. | ||
+ | === ActivCard USB Reader v2.0 === | ||
ActivCard USB Reader v2.0 P/N ZFG-9800-AD was flashed using the instructions at [http://symbolik.wordpress.com/2007/02/26/scm-scr-331-usb-smartcard-reader-firmware-upgrade/]. The rest of this guide was then followed without issue. | ActivCard USB Reader v2.0 P/N ZFG-9800-AD was flashed using the instructions at [http://symbolik.wordpress.com/2007/02/26/scm-scr-331-usb-smartcard-reader-firmware-upgrade/]. The rest of this guide was then followed without issue. | ||
=== Install the Software === | === Install the Software === | ||
<pre><nowiki> | <pre><nowiki> | ||
− | sudo apt-get install pcscd pcsc-tools | + | sudo apt-get install coolkey pcscd pcsc-tools |
− | + | ||
− | + | ||
− | + | ||
− | + | ||
− | + | ||
</nowiki></pre> | </nowiki></pre> | ||
At this point you should be able to verify that your cac is working by running `pcsc_scan`. It should output something like this. | At this point you should be able to verify that your cac is working by running `pcsc_scan`. It should output something like this. | ||
第52行: | 第49行: | ||
U.S. Department of Defense Common Access Card (DoD CAC) | U.S. Department of Defense Common Access Card (DoD CAC) | ||
</nowiki></pre> | </nowiki></pre> | ||
− | + | '''If you see this:''' | |
− | + | ||
<pre><nowiki> | <pre><nowiki> | ||
− | + | SCardListReader: Cannot find a smart card reader. (0x8010002E) | |
− | . | + | Waiting for the first reader... |
− | + | ||
− | + | ||
</nowiki></pre> | </nowiki></pre> | ||
− | + | '''... then''' you probably did not update your firmware. Read the instructions at the top of this article to see how to update your firmware. | |
=== Configure Firefox === | === Configure Firefox === | ||
To setup Firefox to authenticate with sites via SSL/PKI, you must: | To setup Firefox to authenticate with sites via SSL/PKI, you must: | ||
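Review bot: the new troubleshooting note gives a single cause for "SCardListReader: Cannot find a smart card reader. (0x8010002E)" (old reader firmware) and no way to confirm it before reflashing from a Windows machine; since the preceding step installs pcscd, suggest telling the reader to first confirm pcscd is running (restart it and rerun `pcsc_scan`) and only then treat the message as a firmware problem.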
第73行: | 第67行: | ||
* DoD Root CA 2 | * DoD Root CA 2 | ||
I don't know what the classes represent. This hierarchy is probably not correct. | I don't know what the classes represent. This hierarchy is probably not correct. | ||
− | The easiest way to install fairly high level certificates is to visit http://dodpki.c3pki.chamb.disa.mil/rootca.html and just click on each one to install. | + | The easiest way to install fairly high level certificates is to visit http://dodpki.c3pki.chamb.disa.mil/rootca.html and just click on each one to install. |
===== Advanced Install ===== | ===== Advanced Install ===== | ||
You may also download the certificates and install each one using the following procedure. | You may also download the certificates and install each one using the following procedure. | ||
第86行: | 第80行: | ||
* https://crl.chamb.disa.mil/ | * https://crl.chamb.disa.mil/ | ||
* https://eportal.ctnosc.army.mil/ (must have Army Knowledge Online [AKO] account) | * https://eportal.ctnosc.army.mil/ (must have Army Knowledge Online [AKO] account) | ||
− | |||
==== Client Certificate Setup ==== | ==== Client Certificate Setup ==== | ||
<ol><li>Insert CAC into reader - the green light should flash. | <ol><li>Insert CAC into reader - the green light should flash. | ||
第95行: | 第88行: | ||
</li><li>''Security Devices'' Button | </li><li>''Security Devices'' Button | ||
</li><li>''Load'' Button | </li><li>''Load'' Button | ||
− | </li><li>Enter `CAC Module` as the module name, and browse to `/usr | + | </li><li>Enter `CAC Module` as the module name, and browse to `/usr/lib/pkcs11/libcoolkeypk11.so` for the module filename.</li></ol> |
− | |||
− | |||
=== Testing === | === Testing === | ||
You can test this easily by going to https://teamware.dt.navy.mil/ and clicking on ``New Account`` at the top. If it works, you should be prompted to enter your PIN and the site should say ''Your PKI Certificate has been detected.'' | You can test this easily by going to https://teamware.dt.navy.mil/ and clicking on ``New Account`` at the top. If it works, you should be prompted to enter your PIN and the site should say ''Your PKI Certificate has been detected.'' | ||
+ | === Configure Evolution === | ||
+ | The Evolution email client does not currently have a means to configure the security device (CAC reader) through the GUI as does Firefox or Thunderbird. | ||
+ | However, there is a fairly simple ([http://markmail.org/message/f5selpm2egphzaar but obscure]) workaround that can be executed from the command line. Mozilla's certificate database can be imported into Evolution by copying three files within a terminal window: | ||
+ | <pre><nowiki> | ||
+ | cd ~/.mozilla/firefox/*.default | ||
+ | cp cert8.db key3.db secmod.db ~/.evolution/ | ||
+ | </nowiki></pre> | ||
+ | This appears to import in all the DoD certificates and security devices (CAC reader) previously configured in Firefox as outlined in the above instructions. Look under the 'U.S. Government' heading to confirm ('Edit/Preferences.../Certificates/Authorities tab'). You'll need to select each individual certificate (ie "DOD CA-11"), click the 'Edit' button, and then select the boxes for both trust to ID sites, and trust to ID email users. Do this for all the certificates under the U.S. Government heading. This step is tedious, but you'll only need to do it once. | ||
+ | Next, select the appropriate certificate for signing and encrypting email. From 'Edit/Preferences', click on 'Mail Accounts', select your previously configured AKO/DKO account (either POP or IMAP), click the 'Edit' button, and then the 'Security' tab. Under the 'Secure MIME (S/MIME)' heading, select both the signing and encryption certificates, and any of the option check boxes desired. | ||
+ | When composing a new message, pull down the 'Security' menu and select 'S/MIME Sign' and/or 'S/MIME Encrypt' as appropriate. | ||
+ | Please note the author of the above section has not yet fully tested this functionality, but initial testing was successful. Nevertheless, implement with caution. | ||
=== Machine and Screensaver login with CAC === | === Machine and Screensaver login with CAC === | ||
With a little work you can also use your CAC card to log into Ubuntu or un-screenlock. | With a little work you can also use your CAC card to log into Ubuntu or un-screenlock. | ||
First you need some libraries... | First you need some libraries... | ||
<pre><nowiki> | <pre><nowiki> | ||
− | sudo apt-get install libssl-dev libpam0g-dev | + | sudo apt-get install libssl-dev libpam0g-dev pkg-config |
</nowiki></pre> | </nowiki></pre> | ||
Then get the latest version of pam_pkcs11 from [http://www.opensc-project.org/files/pam_pkcs11] | Then get the latest version of pam_pkcs11 from [http://www.opensc-project.org/files/pam_pkcs11] | ||
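Review bot: `cd ~/.mozilla/firefox/*.default` assumes exactly one profile directory; with several profiles the glob expands to more than one argument and the following `cp` copies from the wrong profile or fails, so suggest naming the profile explicitly. The text should also say that key3.db is the NSS private-key database (it carries any software-stored keys and the master-password state, not only the CAC module registration) and that the copy overwrites whatever certificate database Evolution already has in ~/.evolution/.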
第119行: | 第121行: | ||
make | make | ||
sudo make install | sudo make install | ||
− | ln -s /usr/lib/security/pam_pkcs11.so /lib/security/pam_pkcs11.so | + | sudo ln -s /usr/lib/security/pam_pkcs11.so /lib/security/pam_pkcs11.so |
</nowiki></pre> | </nowiki></pre> | ||
you should end up with files in the following directories /usr/lib/pam_pkcs11 and /usr/share/pam_pkcs11 | you should end up with files in the following directories /usr/lib/pam_pkcs11 and /usr/share/pam_pkcs11 | ||
第133行: | 第135行: | ||
<pre><nowiki> | <pre><nowiki> | ||
wget --no-check-certificate https://airborne.nrl.navy.mil/PKI/AllDoDPKI.tar.gz | wget --no-check-certificate https://airborne.nrl.navy.mil/PKI/AllDoDPKI.tar.gz | ||
− | sudo | + | sudo mv AllDoDPKI.tar.gz /etc/pam_pkcs11/cacerts/ |
+ | cd /etc/pam_pkcs11/cacerts/ | ||
+ | sudo tar -zxvf AllDoDPKI.tar.gz | ||
rm AllDoDPKI.tar.gz | rm AllDoDPKI.tar.gz | ||
</nowiki></pre> | </nowiki></pre> | ||
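Review bot: the last line, `rm AllDoDPKI.tar.gz`, runs without sudo inside /etc/pam_pkcs11/cacerts/, a directory created with sudo, so it fails with permission denied; make it `sudo rm AllDoDPKI.tar.gz`. Also, `wget --no-check-certificate` downloads the very CA bundle that pam_pkcs11 will trust for logins without verifying the server, so suggest adding a sentence telling the reader to compare the extracted certificates against copies obtained from the DoD PKI pages linked earlier in this article before relying on them.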
第158行: | 第162行: | ||
# Coolkey Support | # Coolkey Support | ||
pkcs11_module coolkey { | pkcs11_module coolkey { | ||
− | module = /usr | + | module = /usr/lib/pkcs11/libcoolkeypk11.so |
description = "Coolkey"; | description = "Coolkey"; | ||
slot_num = 0; | slot_num = 0; | ||
第238行: | 第242行: | ||
</nowiki></pre> | </nowiki></pre> | ||
Just save this script, make it executable, and add it to System->Preferences->Sessions. Keep in mind that this script will unlock for the insertion of '''any''' smart card. If you do not desire the unlock behavior, simply comment line 17: "gnome-screensaver-command -d". | Just save this script, make it executable, and add it to System->Preferences->Sessions. Keep in mind that this script will unlock for the insertion of '''any''' smart card. If you do not desire the unlock behavior, simply comment line 17: "gnome-screensaver-command -d". | ||
+ | '''WARNING!''': noting the observation that inserting '''ANY''' card into your card reader while using this script deactivates the Screensaver. This includes student I.D.'s, Driver's License's, credit card's, ECT, and is not limited to only Smart Cards. I would advise to comment out line 17: "gnome-screensaver-command -d" if you have any need for security. | ||
== References == | == References == | ||
Big thanks to [http://symbolik.wordpress.com/about/ symbolik] and his article [http://symbolik.wordpress.com/2007/02/25/using-dod-cac-and-smartcard-readers-on-linux/ Using DoD CAC and smartcard Readers on Linux] | Big thanks to [http://symbolik.wordpress.com/about/ symbolik] and his article [http://symbolik.wordpress.com/2007/02/25/using-dod-cac-and-smartcard-readers-on-linux/ Using DoD CAC and smartcard Readers on Linux] |
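Review bot: the added WARNING paragraph restates the sentence directly above it ("will unlock for the insertion of any smart card", "comment line 17") almost verbatim; fold the two into one statement. Because insert-to-unlock performs no PIN check and so bypasses the CAC login configured earlier on the page, suggest presenting the script with `gnome-screensaver-command -d` already commented out and describing unlock-on-insert as the opt-in. Minor: "ECT" should read "etc." and "Driver's License's, credit card's" should be "driver's licenses, credit cards".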
Revision as of 18:09, 16 December 2008 (Tue)
The Department of Defense (DoD) issues Common Access Cards (CACs) which are smart cards set up in a particular way. You can use these cards for Public Key Infrastructure (PKI) Authentication and signing/encrypting/verifying/decrypting email and websites.
Public Key Infrastructure (PKI) Authentication
Get a `pcscd`/ccid compatible smart card reader. Verified readers are
- SCM Micro SCR331
- ActivCard USB Reader 2.0 (version information is found on the underside of the device)
- http://www.cdw.com/shop/products/default.aspx?EDC=419432
- http://computers.pricegrabber.com/flash-memory-readers-accs/m/38231912/search=SCR331
- you must flash the reader to the latest firmware - http://www.txsystems.com/scm.html
- unless someone knows another way, this must be done from a Windows machine
December 2008 Update: coolkey is now part of Ubuntu
Coolkey is now part of Ubuntu (as of Gutsy) so you no longer need to compile coolkey. The instructions below were updated.
ActivCard USB Reader v2.0
ActivCard USB Reader v2.0 P/N ZFG-9800-AD was flashed using the instructions at http://symbolik.wordpress.com/2007/02/26/scm-scr-331-usb-smartcard-reader-firmware-upgrade/. The rest of this guide was then followed without issue.
Install the Software
sudo apt-get install coolkey pcscd pcsc-tools
At this point you should be able to verify that your CAC is working by running `pcsc_scan`. It should output something like this.

PC/SC device scanner V 1.4.8 (c) 2001-2006, Ludovic Rousseau <ludovic.rousseau@free.fr>
Compiled with PC/SC lite version: 1.3.2
Scanning present readers
0: SCM SCR 331 (21120725209424) 00 00

Sat Sep 22 12:28:23 2007
Reader 0: SCM SCR 331 (21120725209424) 00 00
  Card state: Card inserted,
  ATR: 3B 6B 00 00 80 65 B0 83 01 04 74 83 00 90 00

ATR: 3B 6B 00 00 80 65 B0 83 01 04 74 83 00 90 00
+ TS = 3B --> Direct Convention
+ T0 = 6B, Y(1): 0110, K: 11 (historical bytes)
  TB(1) = 00 --> VPP is not electrically connected
  TC(1) = 00 --> Extra guard time: 0
+ Historical bytes: 80 65 B0 83 01 04 74 83 00 90 00
  Category indicator byte: 80 (compact TLV data object)
    Tag: 6, len: 5 (pre-issuing data)
      Data: B0 83 01 04 74
    Tag: 8, len: 3 (status indicator)
      LCS (life card cycle): 00 (No information given)
      SW: 9000 (Normal processing.)

Possibly identified card (using /usr/share/pcsc/smartcard_list.txt):
3B 6B 00 00 80 65 B0 83 01 04 74 83 00 90 00
    Gemplus GXP3 64V2N
    U.S. Department of Defense Common Access Card (DoD CAC)
If you see this:
SCardListReader: Cannot find a smart card reader. (0x8010002E)
Waiting for the first reader...
... then you probably did not update your firmware. Read the instructions at the top of this article to see how to update your firmware.
Configure Firefox
To set up Firefox to authenticate with sites via SSL/PKI, you must:
- download the DoD Certificates so that you can verify the server, and
- set up Firefox to read your client certificates from your CAC card.
DoD Certificates
The DoD has created a hierarchy of certificates. The top level certificate signs the intermediate certificate and the intermediate certificate signs the site's certificate in most cases. If you import and trust the top most certificate, it saves you from having to install and trust a significantly higher number of certificates. I believe the hierarchy looks something like this
- ECA Root CA - See http://iase.disa.mil/pki/eca/
- DoD Root CA
- DoD CLASS 3 Root CA
- DoD CLASS 3 CA-X (1-
- DoD Root CA 2
I don't know what the classes represent. This hierarchy is probably not correct. The easiest way to install fairly high level certificates is to visit http://dodpki.c3pki.chamb.disa.mil/rootca.html and just click on each one to install.
Advanced Install
You may also download the certificates and install each one using the following procedure.
- Preferences Menu
- Advanced Section
- Encryption Tab
- View Certificates Button
- Authorities Tab
- Import Button
Places to download the certificates are:
- https://crl.chamb.disa.mil/
- https://eportal.ctnosc.army.mil/ (must have Army Knowledge Online [AKO] account)
Client Certificate Setup
- Insert CAC into reader - the green light should flash.
- Add `CAC Module` to Firefox as a Security Device
- Preferences Menu
- Advanced Section
- Encryption Tab
- Security Devices Button
- Load Button
- Enter `CAC Module` as the module name, and browse to `/usr/lib/pkcs11/libcoolkeypk11.so` for the module filename.
Testing
You can test this easily by going to https://teamware.dt.navy.mil/ and clicking on "New Account" at the top. If it works, you should be prompted to enter your PIN and the site should say "Your PKI Certificate has been detected."
Configure Evolution
The Evolution email client does not currently have a means to configure the security device (CAC reader) through the GUI as Firefox and Thunderbird do. However, there is a fairly simple (but obscure) workaround that can be executed from the command line. Mozilla's certificate database can be imported into Evolution by copying three files within a terminal window:

cd ~/.mozilla/firefox/*.default
cp cert8.db key3.db secmod.db ~/.evolution/

This appears to import all the DoD certificates and security devices (CAC reader) previously configured in Firefox as outlined in the above instructions. Look under the 'U.S. Government' heading to confirm ('Edit/Preferences.../Certificates/Authorities tab'). You'll need to select each individual certificate (i.e. "DOD CA-11"), click the 'Edit' button, and then select the boxes for both trust to ID sites and trust to ID email users. Do this for all the certificates under the U.S. Government heading. This step is tedious, but you'll only need to do it once.

Next, select the appropriate certificate for signing and encrypting email. From 'Edit/Preferences', click on 'Mail Accounts', select your previously configured AKO/DKO account (either POP or IMAP), click the 'Edit' button, and then the 'Security' tab. Under the 'Secure MIME (S/MIME)' heading, select both the signing and encryption certificates, and any of the option check boxes desired.

When composing a new message, pull down the 'Security' menu and select 'S/MIME Sign' and/or 'S/MIME Encrypt' as appropriate.

Please note the author of the above section has not yet fully tested this functionality, but initial testing was successful. Nevertheless, implement with caution.
Machine and Screensaver login with CAC
With a little work you can also use your CAC card to log into Ubuntu or un-screenlock. First you need some libraries...
sudo apt-get install libssl-dev libpam0g-dev pkg-config
Then get the latest version of pam_pkcs11 from http://www.opensc-project.org/files/pam_pkcs11. Unzip/untar the file somewhere and cd into the resulting directory. For example, if you downloaded pam_pkcs11-0.6.0.tar.gz into /tmp:

cd /tmp
tar -zxvf pam_pkcs11-0.6.0.tar.gz
cd pam_pkcs11-0.6.0

then build pam_pkcs11:

./configure --prefix=/usr --exec-prefix=/usr
make
sudo make install
sudo ln -s /usr/lib/security/pam_pkcs11.so /lib/security/pam_pkcs11.so

You should end up with files in the following directories: /usr/lib/pam_pkcs11 and /usr/share/pam_pkcs11. According to various docs, make install should create a directory structure at /etc/pam_pkcs11, but it doesn't seem to, so create the following:

sudo mkdir /etc/pam_pkcs11
sudo mkdir /etc/pam_pkcs11/crls
sudo mkdir /etc/pam_pkcs11/cacerts
sudo cp /usr/share/pam_pkcs11/pam_pkcs11.conf.example /etc/pam_pkcs11/pam_pkcs11.conf
sudo touch /etc/pam_pkcs11/subject_mapping
This will take care of the CAC Certs needed by your system:
wget --no-check-certificate https://airborne.nrl.navy.mil/PKI/AllDoDPKI.tar.gz
sudo mv AllDoDPKI.tar.gz /etc/pam_pkcs11/cacerts/
cd /etc/pam_pkcs11/cacerts/
sudo tar -zxvf AllDoDPKI.tar.gz
# the directory is root-owned, so removing the archive needs sudo as well
sudo rm AllDoDPKI.tar.gz
This will take care of the Certificate Revocation Lists needed by your system:
wget --no-check-certificate https://crl.chamb.disa.mil/getcrlzip?ALL+CRL+ZIP
sudo unzip getcrlzip\?ALL+CRL+ZIP -d /etc/pam_pkcs11/crls
rm getcrlzip\?ALL+CRL+ZIP
Next, we will edit pam_pkcs11.conf to work properly with our system
sudo gedit /etc/pam_pkcs11/pam_pkcs11.conf
At roughly line 27 change the line that reads
use_pkcs11_module = opensc;
to be
use_pkcs11_module = coolkey;
at around line 72 or so add the following
# Coolkey Support
pkcs11_module coolkey {
    module = /usr/lib/pkcs11/libcoolkeypk11.so;
    description = "Coolkey";
    slot_num = 0;
    support_threads = false;
    ca_dir = /etc/pam_pkcs11/cacerts;
    crl_dir = /etc/pam_pkcs11/crls;
    cert_policy = ca;
}
Next scroll down until you see the line
use_mappers = digest, cn, pwent, uid, mail, subject, null;
and change it to
use_mappers = subject;
then save the file. At some point we'll figure out how to use the LDAP or other mappings - but the above will get you working for now. Next run the following command
pkcs11_inspect debug
and copy the line directly below "Printing data for mapper subject:", then run
sudo gedit /etc/pam_pkcs11/subject_mapping
and modify it so you have something like this
/C=US/O=U.S. Government/OU=DoD/OU=PKI/OU=CONTRACTOR/CN=your_cac_username -> local_username
Ok, we're almost done. Now edit /etc/pam.d/gdm and add the line "auth sufficient pam_pkcs11.so" to the top of the list so you have something like this
#%PAM-1.0
auth sufficient pam_pkcs11.so
auth requisite pam_nologin.so
auth required pam_env.so
@include common-auth
@include common-account
session required pam_limits.so
@include common-session
@include common-password
Do the same for /etc/pam.d/gnome-screensaver
auth sufficient pam_pkcs11.so
@include common-auth

If you're feeling really adventurous you can add the line to the top of /etc/pam.d/common-auth and Ubuntu will try to use CAC authentication for everything, including ssh, su, sudo, etc.

Try rebooting and logging in with your CAC card. At the username prompt in Feisty I had to just hit enter, then it asked me for my CAC PIN. When un-screenlocking, it works best if you insert the CAC card into the reader before you hit a key or move the mouse to get the unlock authentication prompt.

One thing to note: if you are using a Windows virtual machine under VMware Player or Server with CAC authentication in the virtual machine, the virtual machine will tie up the reader so Ubuntu can't get access to it. You'll get errors like "token unavailable".
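As an added check that is not part of the wiki page, the following bash script verifies the pam_pkcs11 pieces set up above before you edit /etc/pam.d/gdm (a broken PAM stack can lock you out), and turns the line that `pkcs11_inspect debug` prints under "Printing data for mapper subject:" into a subject_mapping entry. It assumes the paths used on this page; the `PAM_PKCS11_DIR` override, the function names and the sample pkcs11_inspect output are mine (constructed), and the cert_policy values it looks for are the ones documented in pam_pkcs11.conf.example.

```shell
#!/bin/bash
# Added example, not from the wiki page: preflight checks for the pam_pkcs11
# setup above, plus a helper that builds the subject_mapping line from the
# output of "pkcs11_inspect debug". Paths are the ones used on this page;
# PAM_PKCS11_DIR lets the checks run against a copy of the config tree.

CONF=${PAM_PKCS11_DIR:-/etc/pam_pkcs11}

# Emit "<subject DN> -> <local user>" from pkcs11_inspect output ($1), i.e.
# the line directly below "Printing data for mapper subject:", mapped to $2.
map_subject() {
    printf '%s\n' "$1" | awk -v user="$2" '
        grab { print $0 " -> " user; exit }
        /^Printing data for mapper subject:/ { grab = 1 }'
}

# 0 if pam_pkcs11.conf ($1) selects coolkey and declares its module block.
conf_uses_coolkey() {
    grep -Eq '^[[:space:]]*use_pkcs11_module[[:space:]]*=[[:space:]]*coolkey;' "$1" &&
    grep -Eq '^[[:space:]]*pkcs11_module[[:space:]]+coolkey[[:space:]]*\{' "$1"
}

# 0 if cert_policy in $1 includes a CRL check. The page's "cert_policy = ca;"
# validates the chain only; the CRLs unpacked into crl_dir are never consulted
# unless crl_online, crl_offline or crl_auto is listed (values documented in
# pam_pkcs11.conf.example).
conf_checks_crl() {
    grep -Eq '^[[:space:]]*cert_policy[[:space:]]*=.*crl_(online|offline|auto)' "$1"
}

# Number of regular files under a directory (0 if it is missing).
count_files() {
    find "$1" -type f 2>/dev/null | wc -l | tr -d ' '
}

# Run every check, print each finding, return non-zero if a hard check fails.
preflight() {
    local rc=0
    [ -e /lib/security/pam_pkcs11.so ] || { echo "FAIL: /lib/security/pam_pkcs11.so missing"; rc=1; }
    [ "$(count_files "$CONF/cacerts")" -gt 0 ] || { echo "FAIL: no CA certs in $CONF/cacerts"; rc=1; }
    [ "$(count_files "$CONF/crls")" -gt 0 ] || { echo "FAIL: no CRLs in $CONF/crls"; rc=1; }
    conf_uses_coolkey "$CONF/pam_pkcs11.conf" || { echo "FAIL: coolkey not selected in pam_pkcs11.conf"; rc=1; }
    conf_checks_crl "$CONF/pam_pkcs11.conf" || echo "WARN: cert_policy does not consult the CRLs"
    grep -q -- ' -> ' "$CONF/subject_mapping" 2>/dev/null || { echo "FAIL: subject_mapping has no entries"; rc=1; }
    return $rc
}

# Constructed sample of the relevant part of "pkcs11_inspect debug" output.
SAMPLE_INSPECT='Printing data for mapper subject:
/C=US/O=U.S. Government/OU=DoD/OU=PKI/OU=CONTRACTOR/CN=DOE.JOHN.1234567890'

case "${1:-}" in
    --check) preflight ;;
    --map)   map_subject "$SAMPLE_INSPECT" "${2:-$USER}" ;;
esac
```

Run it with `--check` after populating /etc/pam_pkcs11, or with `--map <localuser>` (after replacing the sample with real `pkcs11_inspect debug` output) to get a line you can append to subject_mapping.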
Lock Gnome Screensaver on Card Removal
The package pcsc-tools includes the tool pcsc_scan. This command line application prints the insertion and removal of a smart card to stdout. Using this information, a script can be written to recognize this change. The following script requires the package inotify-tools.

#!/bin/bash
# Lock the GNOME screensaver when the card is removed and (optionally)
# unlock it when a card is inserted. pcsc_scan -n prints one line per
# insertion/removal; inotifywait (inotify-tools) wakes us on each write.

if pidof pcsc_scan > /dev/null; then
    echo pcsc_scan is running
else
    pcsc_scan -n > ~/cardscan.txt &
fi

while inotifywait -q -e modify ~/cardscan.txt
do
    # Only the last few lines matter: they hold the most recent event.
    if tail -n 3 ~/cardscan.txt | grep -q inserted; then
        echo unlocked
        gnome-screensaver-command -d
    elif tail -n 3 ~/cardscan.txt | grep -q removed; then
        gnome-screensaver-command --lock -a
    fi
done
Just save this script, make it executable, and add it to System->Preferences->Sessions. Keep in mind that this script will unlock for the insertion of any smart card. If you do not desire the unlock behavior, simply comment out line 17: "gnome-screensaver-command -d".

WARNING!: inserting ANY card into your card reader while using this script deactivates the screensaver. This includes student IDs, driver's licenses, credit cards, etc., and is not limited to smart cards. I would advise commenting out line 17: "gnome-screensaver-command -d" if you have any need for security.
References
- Big thanks to symbolik (http://symbolik.wordpress.com/about/) and his article Using DoD CAC and smartcard Readers on Linux (http://symbolik.wordpress.com/2007/02/25/using-dod-cac-and-smartcard-readers-on-linux/)
- Department of Defense PKI Management [4]
- Naval Research Laboratory DoD PKI Notes [5] and accompanying PDF [6]
Relevant Discussion Threads