特殊:Badtitle/NS100:CommonAccessCard:修订间差异
小无编辑摘要 |
小无编辑摘要 |
||
第4行: | 第4行: | ||
== Public Key Infrastructure (PKI) Authentication == | == Public Key Infrastructure (PKI) Authentication == | ||
Get a `pcscd`/ccid compatible smart card reader. Verified readers are | Get a `pcscd`/ccid compatible smart card reader. Verified readers are | ||
* O2 Micro, Inc. Oz776 | |||
* SCM Micro SCR331 | * SCM Micro SCR331 | ||
* Gemplus GemPC Card (PCMCIA) | * Gemplus GemPC Card (PCMCIA) | ||
* ActivCard USB Reader 2.0 (version information is found on the underside of the device) | * ActivCard USB Reader 2.0 (version information is found on the underside of the device) | ||
* | ** you must flash the reader to the latest firmware - [[http://www.txsystems.com/scm.html]] | ||
*** unless someone knows another way, this must be done from a windows machine | |||
* you must flash the reader to the latest firmware - [http://www.txsystems.com/scm.html] | If you have trouble with your reader, review device compatibility at [[http://pcsclite.alioth.debian.org/section.html]] | ||
* unless someone knows another way, this must be done from a windows machine | |||
=== ActivCard USB Reader v2.0 === | === ActivCard USB Reader v2.0 === | ||
ActivCard USB Reader v2.0 P/N ZFG-9800-AD was flashed using the instructions at [http://symbolik.wordpress.com/2007/02/26/scm-scr-331-usb-smartcard-reader-firmware-upgrade/]. The rest of this guide was then followed without issue. | ActivCard USB Reader v2.0 P/N ZFG-9800-AD was flashed using the instructions at [[http://symbolik.wordpress.com/2007/02/26/scm-scr-331-usb-smartcard-reader-firmware-upgrade/]]. The rest of this guide was then followed without issue. | ||
=== Gemplus GemPC Card (PCMCIA) === | === Gemplus GemPC Card (PCMCIA) === | ||
This card reader uses the ccid driver. Since it uses a serial port connection, you must tell pcscd where it is located. Before you begin, you need to install the software as shown in the next step. Once the `apt-get` procedure is completed, come back here to configure your reader. | This card reader uses the ccid driver. Since it uses a serial port connection, you must tell pcscd where it is located. Before you begin, you need to install the software as shown in the next step. Once the `apt-get` procedure is completed, come back here to configure your reader. | ||
第42行: | 第40行: | ||
Scanning present readers | Scanning present readers | ||
0: SCM SCR 331 (21120725209424) 00 00 | 0: SCM SCR 331 (21120725209424) 00 00 | ||
Sat Sep 22 12:28:23 2007 | Sat Sep 22 12:28:23 2007 | ||
Reader 0: SCM SCR 331 (21120725209424) 00 00 | |||
Card state: Card inserted, | |||
ATR: 3B 6B 00 00 80 65 B0 83 01 04 74 83 00 90 00 | |||
ATR: 3B 6B 00 00 80 65 B0 83 01 04 74 83 00 90 00 | ATR: 3B 6B 00 00 80 65 B0 83 01 04 74 83 00 90 00 | ||
+ TS = 3B --> Direct Convention | + TS = 3B --> Direct Convention | ||
+ T0 = 6B, Y(1): 0110, K: 11 (historical bytes) | + T0 = 6B, Y(1): 0110, K: 11 (historical bytes) | ||
TB(1) = 00 --> VPP is not electrically connected | |||
TC(1) = 00 --> Extra guard time: 0 | |||
+ Historical bytes: 80 65 B0 83 01 04 74 83 00 90 00 | + Historical bytes: 80 65 B0 83 01 04 74 83 00 90 00 | ||
[[category:Category]] indicator byte: 80 (compact TLV data object) | |||
Tag: 6, len: 5 (pre-issuing data) | |||
Data: B0 83 01 04 74 | |||
Tag: 8, len: 3 (status indicator) | |||
LCS (life card cycle): 00 (No information given) | |||
SW: 9000 (Normal processing.) | |||
Possibly identified card (using /usr/share/pcsc/smartcard_list.txt): | Possibly identified card (using /usr/share/pcsc/smartcard_list.txt): | ||
3B 6B 00 00 80 65 B0 83 01 04 74 83 00 90 00 | 3B 6B 00 00 80 65 B0 83 01 04 74 83 00 90 00 | ||
Gemplus GXP3 64V2N | |||
U.S. Department of Defense Common Access Card (DoD CAC) | |||
</nowiki></pre> | </nowiki></pre> | ||
'''If you see this:''' | '''If you see this:''' | ||
第77行: | 第72行: | ||
* setup firefox to read your client certificates from your CAC card. | * setup firefox to read your client certificates from your CAC card. | ||
==== DoD Certificates ==== | ==== DoD Certificates ==== | ||
The DoD has created a hierarchy of certificates. The top level certificate signs the intermediate certificate and the intermediate certificate signs the site's certificate in most cases. If you import and trust the top most certificate, it saves you from having to install and trust a significantly higher number of certificates. | The DoD has created a hierarchy of certificates. The top level certificate signs the intermediate certificate and the intermediate certificate signs the site's certificate in most cases. If you import and trust the top most certificate, it saves you from having to install and trust a significantly higher number of certificates. | ||
The easiest way to install DoD root certificates is to visit http://dodpki.c3pki.chamb.disa.mil/rootca.html and just click on each one to install. | |||
The easiest way to install | |||
===== Advanced Install ===== | ===== Advanced Install ===== | ||
You may also download the certificates and install each one using the following procedure. | You may also download the certificates and install each one using the following procedure. | ||
# ''Preferences'' Menu | |||
# ''Advanced'' Section | |||
# ''Encryption'' Tab | |||
# ''View Certificates'' Button | |||
# ''Authorities'' Tab | |||
# ''Import'' Button | |||
Places to download the certificates are: | Places to download the certificates are: | ||
* https://crl.chamb.disa.mil/ | * https://crl.chamb.disa.mil/ | ||
* https://eportal.ctnosc.army.mil/ (must have Army Knowledge Online [AKO] account) | * https://eportal.ctnosc.army.mil/ (must have Army Knowledge Online [AKO] account) | ||
==== Client Certificate Setup ==== | ==== Client Certificate Setup ==== | ||
# Insert CAC into reader - the green light should flash. | |||
# Add `CAC Module` to Firefox as a Security Device | |||
## ''Preferences'' Menu | |||
## ''Advanced'' Section | |||
## ''Encryption'' Tab | |||
## ''Security Devices'' Button | |||
## ''Load'' Button | |||
## Enter `CAC Module` as the module name, and browse to `/usr/lib/pkcs11/libcoolkeypk11.so` for the module filename. | |||
=== Testing === | === Testing === | ||
You can test this easily by going to https://teamware.dt.navy.mil/ and clicking on ``New Account`` at the top. If it works, you should be prompted to enter your PIN and the site should say ''Your PKI Certificate has been detected.'' | You can test this easily by going to https://teamware.dt.navy.mil/ and clicking on ``New Account`` at the top. If it works, you should be prompted to enter your PIN and the site should say ''Your PKI Certificate has been detected.'' | ||
=== Configure Evolution === | === Configure Evolution === | ||
The Evolution email client does not currently have a means to configure the security device (CAC reader) through the GUI as does Firefox or Thunderbird. | The Evolution email client does not currently have a means to configure the security device (CAC reader) through the GUI as does Firefox or Thunderbird. | ||
However, there is a fairly simple ([http://markmail.org/message/f5selpm2egphzaar but obscure]) workaround that can be executed from the command line. Mozilla's certificate database can be imported into Evolution by copying three files within a terminal window: | However, there is a fairly simple ([[http://markmail.org/message/f5selpm2egphzaar|but obscure]]) workaround that can be executed from the command line. Mozilla's certificate database can be imported into Evolution by copying three files within a terminal window: | ||
<pre><nowiki> | <pre><nowiki> | ||
cd ~/.mozilla/firefox/*.default | cd ~/.mozilla/firefox/*.default | ||
第119行: | 第106行: | ||
Next, select the appropriate certificate for signing and encrypting email. From 'Edit/Preferences', click on 'Mail Accounts', select your previously configured AKO/DKO account (either POP or IMAP), click the 'Edit' button, and then the 'Security' tab. Under the 'Secure MIME (S/MIME)' heading, select both the signing and encryption certificates, and any of the option check boxes desired. | Next, select the appropriate certificate for signing and encrypting email. From 'Edit/Preferences', click on 'Mail Accounts', select your previously configured AKO/DKO account (either POP or IMAP), click the 'Edit' button, and then the 'Security' tab. Under the 'Secure MIME (S/MIME)' heading, select both the signing and encryption certificates, and any of the option check boxes desired. | ||
When composing a new message, pull down the 'Security' menu and select 'S/MIME Sign' and/or 'S/MIME Encrypt' as appropriate. | When composing a new message, pull down the 'Security' menu and select 'S/MIME Sign' and/or 'S/MIME Encrypt' as appropriate. | ||
Please note the [https://launchpad.net/~bob-sims author] of the above section has not yet fully tested this functionality, but initial testing was successful. Nevertheless, implement with caution. | Please note the [[https://launchpad.net/~bob-sims|author]] of the above section has not yet fully tested this functionality, but initial testing was successful. Nevertheless, implement with caution. | ||
Note: There is currently no way to authenticate to the Exchange server though Evolution with a CaC and the above instructions are only to use the CaC for signing and encrypting the messages. This has been requested in [http://bugzilla.gnome.org/show_bug.cgi?id=253574 Bug 253574] and may be implemented in version 2.23.x. The bug tracker has a patch for those wishing to recompile Evolution with untested code. | Note: There is currently no way to authenticate to the Exchange server though Evolution with a CaC and the above instructions are only to use the CaC for signing and encrypting the messages. This has been requested in [[http://bugzilla.gnome.org/show_bug.cgi?id=253574|Bug 253574]] and may be implemented in version 2.23.x. The bug tracker has a patch for those wishing to recompile Evolution with untested code. | ||
=== Machine and Screensaver login with CAC === | === Machine and Screensaver login with CAC === | ||
With a little work you can also use your CAC card to log into Ubuntu or un-screenlock. | With a little work you can also use your CAC card to log into Ubuntu or un-screenlock. | ||
第127行: | 第114行: | ||
sudo apt-get install libssl-dev libpam0g-dev pkg-config | sudo apt-get install libssl-dev libpam0g-dev pkg-config | ||
</nowiki></pre> | </nowiki></pre> | ||
Then get the latest version of pam_pkcs11 from [http://www.opensc-project.org/files/pam_pkcs11] | Then get the latest version of pam_pkcs11 from [[http://www.opensc-project.org/files/pam_pkcs11]] | ||
Unzip/Untar the file somewhere and cd into the resulting directory. For example if you downloaded [http://www.opensc-project.org/files/pam_pkcs11/pam_pkcs11-0.6.0.tar.gz pam_pkcs11-0.6.0.tar.gz] into /tmp | Unzip/Untar the file somewhere and cd into the resulting directory. For example if you downloaded [[http://www.opensc-project.org/files/pam_pkcs11/pam_pkcs11-0.6.0.tar.gz|pam_pkcs11-0.6.0.tar.gz]] into /tmp | ||
<pre><nowiki> | <pre><nowiki> | ||
cd /tmp | cd /tmp | ||
第178行: | 第165行: | ||
at around line 72 or so add the following | at around line 72 or so add the following | ||
<pre><nowiki> | <pre><nowiki> | ||
# Coolkey Support | |||
pkcs11_module coolkey { | |||
module = /usr/lib/pkcs11/libcoolkeypk11.so | |||
description = "Coolkey"; | |||
slot_num = 0; | |||
support_threads = false; | |||
ca_dir = /etc/pam_pkcs11/cacerts; | |||
crl_dir = /etc/pam_pkcs11/crls; | |||
cert_policy = ca; | |||
} | |||
</nowiki></pre> | </nowiki></pre> | ||
Next scroll down until you see the line | Next scroll down until you see the line | ||
第229行: | 第216行: | ||
If you're feeling really adventurous you can add the line to the top of /etc/pam.d/common-auth and Ubuntu will try to use CAC authentication for everything including ssh, su, sudo, etc. | If you're feeling really adventurous you can add the line to the top of /etc/pam.d/common-auth and Ubuntu will try to use CAC authentication for everything including ssh, su, sudo, etc. | ||
Try rebooting and logging in with your CAC card. At the username prompt in Feisty I had to just hit enter, then it asked me for my CAC PIN. When un-screenlocking, it works best if you insert the CAC card into the reader before you hit a key or move the mouse to get the unlock authentication prompt. | Try rebooting and logging in with your CAC card. At the username prompt in Feisty I had to just hit enter, then it asked me for my CAC PIN. When un-screenlocking, it works best if you insert the CAC card into the reader before you hit a key or move the mouse to get the unlock authentication prompt. | ||
One thing to note. If you are using a Windows virtual machine under | One thing to note. If you are using a Windows virtual machine under VMware Player or Server with CAC authentication in the virtual machine - the virtual machine will tie up the reader so Ubuntu can't get access to it. You'll get errors like token unavailable. | ||
=== Lock Gnome Screensaver on Card Removal === | === Lock Gnome Screensaver on Card Removal === | ||
The package ''pcsc-tools'' includes the tool ''pcsc_scan''. This command line application will print the insertion and removal of a Smart Card to the stdout. Using this information, a script can be written to recognize this change. The following script requires the package '''inotify-tools'''. | The package ''pcsc-tools'' includes the tool ''pcsc_scan''. This command line application will print the insertion and removal of a Smart Card to the stdout. Using this information, a script can be written to recognize this change. The following script requires the package '''inotify-tools'''. | ||
<pre><nowiki>#!bash | <pre><nowiki>#!bash | ||
#!/bin/bash | #!/bin/bash | ||
if [ $(pidof pcsc_scan) ]; then | if [ $(pidof pcsc_scan) ]; then | ||
echo pcsc_scan is running | |||
else | else | ||
pcsc_scan -n > ~/cardscan.txt & | |||
fi | fi | ||
while inotifywait ~/cardscan.txt | while inotifywait ~/cardscan.txt | ||
do | do | ||
tail -n 3 ~/cardscan.txt | grep "XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX" | |||
tail -n 3 ~/cardscan.txt | grep | |||
if [ $? == 0 ]; then | if [ $? == 0 ]; then | ||
echo unlocked | |||
gnome-screensaver-command -d | gnome-screensaver-command -d | ||
else | else | ||
第259行: | 第240行: | ||
done | done | ||
</nowiki></pre> | </nowiki></pre> | ||
After saving this script, you need to update line 13. Run pcsc_scan and look for the line that says "ATR: XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX" on mine, it's the fourth line. The XX's will be unique to your card. Update the XX's in the script with your unique line. Make the script executable, and add it to System->Preferences->Startup Applications. This script will only unlock the screensaver if your CAC is inserted however, if you do not desire the unlock behavior, simply comment line 17: "gnome-screensaver-command -d". | |||
== References == | == References == | ||
Big thanks to [http://symbolik.wordpress.com/about/ symbolik] and his article [http://symbolik.wordpress.com/2007/02/25/using-dod-cac-and-smartcard-readers-on-linux/ Using DoD CAC and smartcard Readers on Linux] | Big thanks to [[http://symbolik.wordpress.com/about/|symbolik]] and his article [[http://symbolik.wordpress.com/2007/02/25/using-dod-cac-and-smartcard-readers-on-linux/|Using DoD CAC and smartcard Readers on Linux]] | ||
Department of Defense PKI Management [https://crl.chamb.disa.mil/] | Department of Defense PKI Management [[https://crl.chamb.disa.mil/]] | ||
Naval Research Laboratory DoD PKI Notes [https://airborne.nrl.navy.mil/PKI/] and accompanying PDF [http://www7320.nrlssc.navy.mil/pubs/2006/CommonAccessCardLinux.pdf] | Naval Research Laboratory DoD PKI Notes [[https://airborne.nrl.navy.mil/PKI/]] and accompanying PDF [[http://www7320.nrlssc.navy.mil/pubs/2006/CommonAccessCardLinux.pdf]] | ||
=== Relevant Discussion Threads === | === Relevant Discussion Threads === | ||
* [http://ubuntuforums.org/showthread.php?t=457084] | * [[http://ubuntuforums.org/showthread.php?t=457084]] | ||
* [http://ubuntuforums.org/showthread.php?t=294200] | * [[http://ubuntuforums.org/showthread.php?t=294200]] | ||
* [http://ubuntuforums.org/showthread.php?t=454234] | * [[http://ubuntuforums.org/showthread.php?t=454234]] | ||
* [http://ubuntuforums.org/showthread.php?t=1221961] | * [[http://ubuntuforums.org/showthread.php?t=1221961]] | ||
[[category:UbuntuHelp]] | [[category:UbuntuHelp]] |
2010年5月19日 (三) 17:01的版本
文章出处: |
{{#if: | {{{2}}} | https://help.ubuntu.com/community/CommonAccessCard }} |
点击翻译: |
English {{#ifexist: {{#if: UbuntuHelp:CommonAccessCard | UbuntuHelp:CommonAccessCard | {{#if: | :}}CommonAccessCard}}/af | • {{#if: UbuntuHelp:CommonAccessCard|Afrikaans| [[::CommonAccessCard/af|Afrikaans]]}}|}} {{#ifexist: {{#if: UbuntuHelp:CommonAccessCard | UbuntuHelp:CommonAccessCard | {{#if: | :}}CommonAccessCard}}/ar | • {{#if: UbuntuHelp:CommonAccessCard|العربية| [[::CommonAccessCard/ar|العربية]]}}|}} {{#ifexist: {{#if: UbuntuHelp:CommonAccessCard | UbuntuHelp:CommonAccessCard | {{#if: | :}}CommonAccessCard}}/az | • {{#if: UbuntuHelp:CommonAccessCard|azərbaycanca| [[::CommonAccessCard/az|azərbaycanca]]}}|}} {{#ifexist: {{#if: UbuntuHelp:CommonAccessCard | UbuntuHelp:CommonAccessCard | {{#if: | :}}CommonAccessCard}}/bcc | • {{#if: UbuntuHelp:CommonAccessCard|جهلسری بلوچی| [[::CommonAccessCard/bcc|جهلسری بلوچی]]}}|}} {{#ifexist: {{#if: UbuntuHelp:CommonAccessCard | UbuntuHelp:CommonAccessCard | {{#if: | :}}CommonAccessCard}}/bg | • {{#if: UbuntuHelp:CommonAccessCard|български| [[::CommonAccessCard/bg|български]]}}|}} {{#ifexist: {{#if: UbuntuHelp:CommonAccessCard | UbuntuHelp:CommonAccessCard | {{#if: | :}}CommonAccessCard}}/br | • {{#if: UbuntuHelp:CommonAccessCard|brezhoneg| [[::CommonAccessCard/br|brezhoneg]]}}|}} {{#ifexist: {{#if: UbuntuHelp:CommonAccessCard | UbuntuHelp:CommonAccessCard | {{#if: | :}}CommonAccessCard}}/ca | • {{#if: UbuntuHelp:CommonAccessCard|català| [[::CommonAccessCard/ca|català]]}}|}} {{#ifexist: {{#if: UbuntuHelp:CommonAccessCard | UbuntuHelp:CommonAccessCard | {{#if: | :}}CommonAccessCard}}/cs | • {{#if: UbuntuHelp:CommonAccessCard|čeština| [[::CommonAccessCard/cs|čeština]]}}|}} {{#ifexist: {{#if: UbuntuHelp:CommonAccessCard | UbuntuHelp:CommonAccessCard | {{#if: | :}}CommonAccessCard}}/de | • {{#if: UbuntuHelp:CommonAccessCard|Deutsch| [[::CommonAccessCard/de|Deutsch]]}}|}} {{#ifexist: {{#if: UbuntuHelp:CommonAccessCard | UbuntuHelp:CommonAccessCard | {{#if: | :}}CommonAccessCard}}/el | • {{#if: UbuntuHelp:CommonAccessCard|Ελληνικά| [[::CommonAccessCard/el|Ελληνικά]]}}|}} {{#ifexist: {{#if: UbuntuHelp:CommonAccessCard | UbuntuHelp:CommonAccessCard | {{#if: | :}}CommonAccessCard}}/es | • {{#if: UbuntuHelp:CommonAccessCard|español| [[::CommonAccessCard/es|español]]}}|}} {{#ifexist: {{#if: UbuntuHelp:CommonAccessCard | UbuntuHelp:CommonAccessCard | {{#if: | :}}CommonAccessCard}}/fa | • {{#if: UbuntuHelp:CommonAccessCard|فارسی| [[::CommonAccessCard/fa|فارسی]]}}|}} {{#ifexist: {{#if: UbuntuHelp:CommonAccessCard | UbuntuHelp:CommonAccessCard | {{#if: | :}}CommonAccessCard}}/fi | • {{#if: UbuntuHelp:CommonAccessCard|suomi| [[::CommonAccessCard/fi|suomi]]}}|}} {{#ifexist: {{#if: UbuntuHelp:CommonAccessCard | UbuntuHelp:CommonAccessCard | {{#if: | :}}CommonAccessCard}}/fr | • {{#if: UbuntuHelp:CommonAccessCard|français| [[::CommonAccessCard/fr|français]]}}|}} {{#ifexist: {{#if: UbuntuHelp:CommonAccessCard | UbuntuHelp:CommonAccessCard | {{#if: | :}}CommonAccessCard}}/gu | • {{#if: UbuntuHelp:CommonAccessCard|ગુજરાતી| [[::CommonAccessCard/gu|ગુજરાતી]]}}|}} {{#ifexist: {{#if: UbuntuHelp:CommonAccessCard | UbuntuHelp:CommonAccessCard | {{#if: | :}}CommonAccessCard}}/he | • {{#if: UbuntuHelp:CommonAccessCard|עברית| [[::CommonAccessCard/he|עברית]]}}|}} {{#ifexist: {{#if: UbuntuHelp:CommonAccessCard | UbuntuHelp:CommonAccessCard | {{#if: | :}}CommonAccessCard}}/hu | • {{#if: UbuntuHelp:CommonAccessCard|magyar| [[::CommonAccessCard/hu|magyar]]}}|}} {{#ifexist: {{#if: UbuntuHelp:CommonAccessCard | UbuntuHelp:CommonAccessCard | {{#if: | :}}CommonAccessCard}}/id | • {{#if: UbuntuHelp:CommonAccessCard|Bahasa Indonesia| [[::CommonAccessCard/id|Bahasa Indonesia]]}}|}} {{#ifexist: {{#if: UbuntuHelp:CommonAccessCard | UbuntuHelp:CommonAccessCard | {{#if: | :}}CommonAccessCard}}/it | • {{#if: UbuntuHelp:CommonAccessCard|italiano| [[::CommonAccessCard/it|italiano]]}}|}} {{#ifexist: {{#if: UbuntuHelp:CommonAccessCard | UbuntuHelp:CommonAccessCard | {{#if: | :}}CommonAccessCard}}/ja | • {{#if: UbuntuHelp:CommonAccessCard|日本語| [[::CommonAccessCard/ja|日本語]]}}|}} {{#ifexist: {{#if: UbuntuHelp:CommonAccessCard | UbuntuHelp:CommonAccessCard | {{#if: | :}}CommonAccessCard}}/ko | • {{#if: UbuntuHelp:CommonAccessCard|한국어| [[::CommonAccessCard/ko|한국어]]}}|}} {{#ifexist: {{#if: UbuntuHelp:CommonAccessCard | UbuntuHelp:CommonAccessCard | {{#if: | :}}CommonAccessCard}}/ksh | • {{#if: UbuntuHelp:CommonAccessCard|Ripoarisch| [[::CommonAccessCard/ksh|Ripoarisch]]}}|}} {{#ifexist: {{#if: UbuntuHelp:CommonAccessCard | UbuntuHelp:CommonAccessCard | {{#if: | :}}CommonAccessCard}}/mr | • {{#if: UbuntuHelp:CommonAccessCard|मराठी| [[::CommonAccessCard/mr|मराठी]]}}|}} {{#ifexist: {{#if: UbuntuHelp:CommonAccessCard | UbuntuHelp:CommonAccessCard | {{#if: | :}}CommonAccessCard}}/ms | • {{#if: UbuntuHelp:CommonAccessCard|Bahasa Melayu| [[::CommonAccessCard/ms|Bahasa Melayu]]}}|}} {{#ifexist: {{#if: UbuntuHelp:CommonAccessCard | UbuntuHelp:CommonAccessCard | {{#if: | :}}CommonAccessCard}}/nl | • {{#if: UbuntuHelp:CommonAccessCard|Nederlands| [[::CommonAccessCard/nl|Nederlands]]}}|}} {{#ifexist: {{#if: UbuntuHelp:CommonAccessCard | UbuntuHelp:CommonAccessCard | {{#if: | :}}CommonAccessCard}}/no | • {{#if: UbuntuHelp:CommonAccessCard|norsk| [[::CommonAccessCard/no|norsk]]}}|}} {{#ifexist: {{#if: UbuntuHelp:CommonAccessCard | UbuntuHelp:CommonAccessCard | {{#if: | :}}CommonAccessCard}}/oc | • {{#if: UbuntuHelp:CommonAccessCard|occitan| [[::CommonAccessCard/oc|occitan]]}}|}} {{#ifexist: {{#if: UbuntuHelp:CommonAccessCard | UbuntuHelp:CommonAccessCard | {{#if: | :}}CommonAccessCard}}/pl | • {{#if: UbuntuHelp:CommonAccessCard|polski| [[::CommonAccessCard/pl|polski]]}}|}} {{#ifexist: {{#if: UbuntuHelp:CommonAccessCard | UbuntuHelp:CommonAccessCard | {{#if: | :}}CommonAccessCard}}/pt | • {{#if: UbuntuHelp:CommonAccessCard|português| [[::CommonAccessCard/pt|português]]}}|}} {{#ifexist: {{#if: UbuntuHelp:CommonAccessCard | UbuntuHelp:CommonAccessCard | {{#if: | :}}CommonAccessCard}}/ro | • {{#if: UbuntuHelp:CommonAccessCard|română| [[::CommonAccessCard/ro|română]]}}|}} {{#ifexist: {{#if: UbuntuHelp:CommonAccessCard | UbuntuHelp:CommonAccessCard | {{#if: | :}}CommonAccessCard}}/ru | • {{#if: UbuntuHelp:CommonAccessCard|русский| [[::CommonAccessCard/ru|русский]]}}|}} {{#ifexist: {{#if: UbuntuHelp:CommonAccessCard | UbuntuHelp:CommonAccessCard | {{#if: | :}}CommonAccessCard}}/si | • {{#if: UbuntuHelp:CommonAccessCard|සිංහල| [[::CommonAccessCard/si|සිංහල]]}}|}} {{#ifexist: {{#if: UbuntuHelp:CommonAccessCard | UbuntuHelp:CommonAccessCard | {{#if: | :}}CommonAccessCard}}/sq | • {{#if: UbuntuHelp:CommonAccessCard|shqip| [[::CommonAccessCard/sq|shqip]]}}|}} {{#ifexist: {{#if: UbuntuHelp:CommonAccessCard | UbuntuHelp:CommonAccessCard | {{#if: | :}}CommonAccessCard}}/sr | • {{#if: UbuntuHelp:CommonAccessCard|српски / srpski| [[::CommonAccessCard/sr|српски / srpski]]}}|}} {{#ifexist: {{#if: UbuntuHelp:CommonAccessCard | UbuntuHelp:CommonAccessCard | {{#if: | :}}CommonAccessCard}}/sv | • {{#if: UbuntuHelp:CommonAccessCard|svenska| [[::CommonAccessCard/sv|svenska]]}}|}} {{#ifexist: {{#if: UbuntuHelp:CommonAccessCard | UbuntuHelp:CommonAccessCard | {{#if: | :}}CommonAccessCard}}/th | • {{#if: UbuntuHelp:CommonAccessCard|ไทย| [[::CommonAccessCard/th|ไทย]]}}|}} {{#ifexist: {{#if: UbuntuHelp:CommonAccessCard | UbuntuHelp:CommonAccessCard | {{#if: | :}}CommonAccessCard}}/tr | • {{#if: UbuntuHelp:CommonAccessCard|Türkçe| [[::CommonAccessCard/tr|Türkçe]]}}|}} {{#ifexist: {{#if: UbuntuHelp:CommonAccessCard | UbuntuHelp:CommonAccessCard | {{#if: | :}}CommonAccessCard}}/vi | • {{#if: UbuntuHelp:CommonAccessCard|Tiếng Việt| [[::CommonAccessCard/vi|Tiếng Việt]]}}|}} {{#ifexist: {{#if: UbuntuHelp:CommonAccessCard | UbuntuHelp:CommonAccessCard | {{#if: | :}}CommonAccessCard}}/yue | • {{#if: UbuntuHelp:CommonAccessCard|粵語| [[::CommonAccessCard/yue|粵語]]}}|}} {{#ifexist: {{#if: UbuntuHelp:CommonAccessCard | UbuntuHelp:CommonAccessCard | {{#if: | :}}CommonAccessCard}}/zh | • {{#if: UbuntuHelp:CommonAccessCard|中文| [[::CommonAccessCard/zh|中文]]}}|}} {{#ifexist: {{#if: UbuntuHelp:CommonAccessCard | UbuntuHelp:CommonAccessCard | {{#if: | :}}CommonAccessCard}}/zh-hans | • {{#if: UbuntuHelp:CommonAccessCard|中文(简体)| [[::CommonAccessCard/zh-hans|中文(简体)]]}}|}} {{#ifexist: {{#if: UbuntuHelp:CommonAccessCard | UbuntuHelp:CommonAccessCard | {{#if: | :}}CommonAccessCard}}/zh-hant | • {{#if: UbuntuHelp:CommonAccessCard|中文(繁體)| [[::CommonAccessCard/zh-hant|中文(繁體)]]}}|}} |
{{#ifeq:UbuntuHelp:CommonAccessCard|:CommonAccessCard|请不要直接编辑翻译本页,本页将定期与来源同步。}} |
{{#ifexist: :CommonAccessCard/zh | | {{#ifexist: CommonAccessCard/zh | | {{#ifeq: {{#titleparts:CommonAccessCard|1|-1|}} | zh | | }} }} }} {{#ifeq: {{#titleparts:CommonAccessCard|1|-1|}} | zh | | }}
The Department of Defense (DoD) issues Common Access Cards (CACs) which are smart cards set up in a particular way. You can use these cards for Public Key Infrastructure (PKI) Authentication and signing/encrypting/verifying/decrypting email and websites.
Public Key Infrastructure (PKI) Authentication
Get a `pcscd`/ccid compatible smart card reader. Verified readers are
- O2 Micro, Inc. Oz776
- SCM Micro SCR331
- Gemplus GemPC Card (PCMCIA)
- ActivCard USB Reader 2.0 (version information is found on the underside of the device)
- you must flash the reader to the latest firmware - [[1]]
- unless someone knows another way, this must be done from a windows machine
- you must flash the reader to the latest firmware - [[1]]
If you have trouble with your reader, review device compatibility at [[2]]
ActivCard USB Reader v2.0
ActivCard USB Reader v2.0 P/N ZFG-9800-AD was flashed using the instructions at [[3]]. The rest of this guide was then followed without issue.
Gemplus GemPC Card (PCMCIA)
This card reader uses the ccid driver. Since it uses a serial port connection, you must tell pcscd where it is located. Before you begin, you need to install the software as shown in the next step. Once the `apt-get` procedure is completed, come back here to configure your reader. First, determine which serial port on which it has loaded. Insert the card into the pc card slot and run `dmesg` in a terminal. On my machine, it has loaded on `ttyS1`. You should get output similar to the following.
[ 5924.740035] pcmcia_socket pcmcia_socket0: pccard: PCMCIA card inserted into slot 0 [ 5924.740307] pcmcia 0.0: pcmcia: registering new device pcmcia0.0 [ 5924.881176] 0.0: ttyS1 at I/O 0x3f8 (irq = 16) is a 16450
Next, edit `/etc/reader.conf.d/libccidtwin` to add the following lines:
FRIENDLYNAME "GemPCTwin serial" DEVICENAME /dev/ttyS1 LIBPATH /usr/lib/pcsc/drivers/serial/libccidtwin.so CHANNELID 1
Then run `sudo update-reader.conf`, followed by `sudo service pcscd restart`. If everything worked correctly, you may proceed with the next step.
Install the Software
sudo apt-get install coolkey pcscd pcsc-tools
At this point you should be able to verify that your cac is working by running `pcsc_scan`. It should output something like this.
PC/SC device scanner V 1.4.8 (c) 2001-2006, Ludovic Rousseau <[email protected]> Compiled with PC/SC lite version: 1.3.2 Scanning present readers 0: SCM SCR 331 (21120725209424) 00 00 Sat Sep 22 12:28:23 2007 Reader 0: SCM SCR 331 (21120725209424) 00 00 Card state: Card inserted, ATR: 3B 6B 00 00 80 65 B0 83 01 04 74 83 00 90 00 ATR: 3B 6B 00 00 80 65 B0 83 01 04 74 83 00 90 00 + TS = 3B --> Direct Convention + T0 = 6B, Y(1): 0110, K: 11 (historical bytes) TB(1) = 00 --> VPP is not electrically connected TC(1) = 00 --> Extra guard time: 0 + Historical bytes: 80 65 B0 83 01 04 74 83 00 90 00 [[category:Category]] indicator byte: 80 (compact TLV data object) Tag: 6, len: 5 (pre-issuing data) Data: B0 83 01 04 74 Tag: 8, len: 3 (status indicator) LCS (life card cycle): 00 (No information given) SW: 9000 (Normal processing.) Possibly identified card (using /usr/share/pcsc/smartcard_list.txt): 3B 6B 00 00 80 65 B0 83 01 04 74 83 00 90 00 Gemplus GXP3 64V2N U.S. Department of Defense Common Access Card (DoD CAC)
If you see this:
SCardListReader: Cannot find a smart card reader. (0x8010002E) Waiting for the first reader...
... then you probably did not update your firmware. Read the instructions at the top of this article to see how to update your firmware.
Configure Firefox
To setup Firefox to authenticate with sites via SSL/PKI, you must:
- download the DoD Certificates so that you can verify the server, and
- setup firefox to read your client certificates from your CAC card.
DoD Certificates
The DoD has created a hierarchy of certificates. The top level certificate signs the intermediate certificate and the intermediate certificate signs the site's certificate in most cases. If you import and trust the top most certificate, it saves you from having to install and trust a significantly higher number of certificates. The easiest way to install DoD root certificates is to visit http://dodpki.c3pki.chamb.disa.mil/rootca.html and just click on each one to install.
Advanced Install
You may also download the certificates and install each one using the following procedure.
- Preferences Menu
- Advanced Section
- Encryption Tab
- View Certificates Button
- Authorities Tab
- Import Button
Places to download the certificates are:
- https://crl.chamb.disa.mil/
- https://eportal.ctnosc.army.mil/ (must have Army Knowledge Online [AKO] account)
Client Certificate Setup
- Insert CAC into reader - the green light should flash.
- Add `CAC Module` to Firefox as a Security Device
- Preferences Menu
- Advanced Section
- Encryption Tab
- Security Devices Button
- Load Button
- Enter `CAC Module` as the module name, and browse to `/usr/lib/pkcs11/libcoolkeypk11.so` for the module filename.
Testing
You can test this easily by going to https://teamware.dt.navy.mil/ and clicking on ``New Account`` at the top. If it works, you should be prompted to enter your PIN and the site should say Your PKI Certificate has been detected.
Configure Evolution
The Evolution email client does not currently have a means to configure the security device (CAC reader) through the GUI as does Firefox or Thunderbird. However, there is a fairly simple ([obscure]) workaround that can be executed from the command line. Mozilla's certificate database can be imported into Evolution by copying three files within a terminal window:
cd ~/.mozilla/firefox/*.default cp cert8.db key3.db secmod.db ~/.evolution/
This appears to import in all the DoD certificates and security devices (CAC reader) previously configured in Firefox as outlined in the above instructions. Look under the 'U.S. Government' heading to confirm ('Edit/Preferences.../Certificates/Authorities tab'). You'll need to select each individual certificate (ie "DOD CA-11"), click the 'Edit' button, and then select the boxes for both trust to ID sites, and trust to ID email users. Do this for all the certificates under the U.S. Government heading. This step is tedious, but you'll only need to do it once. Next, select the appropriate certificate for signing and encrypting email. From 'Edit/Preferences', click on 'Mail Accounts', select your previously configured AKO/DKO account (either POP or IMAP), click the 'Edit' button, and then the 'Security' tab. Under the 'Secure MIME (S/MIME)' heading, select both the signing and encryption certificates, and any of the option check boxes desired. When composing a new message, pull down the 'Security' menu and select 'S/MIME Sign' and/or 'S/MIME Encrypt' as appropriate. Please note the [[4]] of the above section has not yet fully tested this functionality, but initial testing was successful. Nevertheless, implement with caution. Note: There is currently no way to authenticate to the Exchange server though Evolution with a CaC and the above instructions are only to use the CaC for signing and encrypting the messages. This has been requested in [253574] and may be implemented in version 2.23.x. The bug tracker has a patch for those wishing to recompile Evolution with untested code.
Machine and Screensaver login with CAC
With a little work you can also use your CAC card to log into Ubuntu or un-screenlock. First you need some libraries...
sudo apt-get install libssl-dev libpam0g-dev pkg-config
Then get the latest version of pam_pkcs11 from [[5]] Unzip/Untar the file somewhere and cd into the resulting directory. For example if you downloaded [[6]] into /tmp
cd /tmp tar -zxvf pam_pkcs11-0.6.0.tar.gz cd pam_pkcs11-0.6.0
then build pam_pkcs
./configure --prefix=/usr --exec-prefix=/usr make sudo make install sudo ln -s /usr/lib/security/pam_pkcs11.so /lib/security/pam_pkcs11.so
you should end up with files in the following directories /usr/lib/pam_pkcs11 and /usr/share/pam_pkcs11 According to various docs, make install should create a directory structure at /etc/pam_pkcs11 but it doesn't seem to, so create the following
sudo mkdir /etc/pam_pkcs11 sudo mkdir /etc/pam_pkcs11/crls sudo mkdir /etc/pam_pkcs11/cacerts sudo cp /usr/share/pam_pkcs11/pam_pkcs11.conf.example /etc/pam_pkcs11/pam_pkcs11.conf sudo touch /etc/pam_pkcs11/subject_mapping
This will take care of the CAC Certs needed by your system:
wget --no-check-certificate https://airborne.nrl.navy.mil/PKI/AllDoDPKI.tar.gz sudo mv AllDoDPKI.tar.gz /etc/pam_pkcs11/cacerts/ cd /etc/pam_pkcs11/cacerts/ sudo tar -zxvf AllDoDPKI.tar.gz rm AllDoDPKI.tar.gz
This will take care of the Certificate Revocation Lists needed by your system:
wget --no-check-certificate https://crl.chamb.disa.mil/getcrlzip?ALL+CRL+ZIP sudo unzip getcrlzip\?ALL+CRL+ZIP -d /etc/pam_pkcs11/crls rm getcrlzip\?ALL+CRL+ZIP
Next, we will edit pam_pkcs11.conf to work properly with our system
sudo gedit /etc/pam_pkcs11/pam_pkcs11.conf
At roughly line 27 change the line that reads
use_pkcs11_module = opensc;
to be
use_pkcs11_module = coolkey;
at around line 72 or so add the following
# Coolkey Support pkcs11_module coolkey { module = /usr/lib/pkcs11/libcoolkeypk11.so description = "Coolkey"; slot_num = 0; support_threads = false; ca_dir = /etc/pam_pkcs11/cacerts; crl_dir = /etc/pam_pkcs11/crls; cert_policy = ca; }
Next scroll down until you see the line
use_mappers = digest, cn, pwent, uid, mail, subject, null;
and change it to
use_mappers = subject;
then save the file. At some point we'll figure out how to use the LDAP or other mappings - but the above will get you working for now. Next run the following command
pkcs11_inspect debug
and copy the line directly below "Printing data for mapper subject:", then run
sudo gedit /etc/pam_pkcs11/subject_mapping
and modify it so you have something like this
/C=US/O=U.S. Government/OU=DoD/OU=PKI/OU=CONTRACTOR/CN=your_cac_username -> local_username
Ok, we're almost done. Now edit /etc/pam.d/gdm and add the line "auth sufficient pam_pkcs11.so" to the top of the list so you have something like this
#%PAM-1.0 auth sufficient pam_pkcs11.so auth requisite pam_nologin.so auth required pam_env.so @include common-auth @include common-account session required pam_limits.so @include common-session @include common-password
Do the same for /etc/pam.d/gnome-screensaver
auth sufficient pam_pkcs11.so @include common-auth
If you're feeling really adventurous you can add the line to the top of /etc/pam.d/common-auth and Ubuntu will try to use CAC authentication for everything including ssh, su, sudo, etc. Try rebooting and logging in with your CAC card. At the username prompt in Feisty I had to just hit enter, then it asked me for my CAC PIN. When un-screenlocking, it works best if you insert the CAC card into the reader before you hit a key or move the mouse to get the unlock authentication prompt. One thing to note. If you are using a Windows virtual machine under VMware Player or Server with CAC authentication in the virtual machine - the virtual machine will tie up the reader so Ubuntu can't get access to it. You'll get errors like token unavailable.
Lock Gnome Screensaver on Card Removal
The package pcsc-tools includes the tool pcsc_scan. This command line application will print the insertion and removal of a Smart Card to the stdout. Using this information, a script can be written to recognize this change. The following script requires the package inotify-tools.
#!bash #!/bin/bash if [ $(pidof pcsc_scan) ]; then echo pcsc_scan is running else pcsc_scan -n > ~/cardscan.txt & fi while inotifywait ~/cardscan.txt do tail -n 3 ~/cardscan.txt | grep "XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX" if [ $? == 0 ]; then echo unlocked gnome-screensaver-command -d else tail -n 3 ~/cardscan.txt | grep removed if [ $? == 0 ]; then gnome-screensaver-command --lock -a fi fi done
After saving this script, you need to update line 13. Run pcsc_scan and look for the line that says "ATR: XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX" on mine, it's the fourth line. The XX's will be unique to your card. Update the XX's in the script with your unique line. Make the script executable, and add it to System->Preferences->Startup Applications. This script will only unlock the screensaver if your CAC is inserted however, if you do not desire the unlock behavior, simply comment line 17: "gnome-screensaver-command -d".
References
Big thanks to [[7]] and his article [DoD CAC and smartcard Readers on Linux] Department of Defense PKI Management [[8]] Naval Research Laboratory DoD PKI Notes [[9]] and accompanying PDF [[10]]