Special:Badtitle/NS100:CommonAccessCard: difference between revisions
m No edit summary |
m No edit summary |
||
Line 8: | Line 8: | ||
* http://www.cdw.com/shop/products/default.aspx?EDC=419432 | * http://www.cdw.com/shop/products/default.aspx?EDC=419432 | ||
* http://computers.pricegrabber.com/flash-memory-readers-accs/m/38231912/search=SCR331 | * http://computers.pricegrabber.com/flash-memory-readers-accs/m/38231912/search=SCR331 | ||
* you must flash the reader to the latest firmware - [http://www.txsystems.com/scm.html] | * you must flash the reader to the latest firmware - [[http://www.txsystems.com/scm.html]] | ||
* unless someone knows another way, this must be done from a windows machine | * unless someone knows another way, this must be done from a windows machine | ||
=== 28 December 2007 Update: ActivCard USB Reader v2.0 working! === | === 28 December 2007 Update: ActivCard USB Reader v2.0 working! === | ||
ActivCard USB Reader v2.0 P/N ZFG-9800-AD was flashed using the instructions at [http://symbolik.wordpress.com/2007/02/26/scm-scr-331-usb-smartcard-reader-firmware-upgrade/]. The rest of this guide was then followed without issue. | ActivCard USB Reader v2.0 P/N ZFG-9800-AD was flashed using the instructions at [[http://symbolik.wordpress.com/2007/02/26/scm-scr-331-usb-smartcard-reader-firmware-upgrade/]]. The rest of this guide was then followed without issue. | ||
=== Install the Software === | === Install the Software === | ||
<pre><nowiki> | <pre><nowiki> | ||
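Review bot: the link markup change in this hunk is wrong for MediaWiki. `[http://www.txsystems.com/scm.html]` is the external-link syntax; wrapping it in a second pair of brackets (`[[http://www.txsystems.com/scm.html]]`) makes the parser treat it as a wikilink, which is not valid for URLs, so the page renders the literal brackets and a numbered placeholder (`[[1]]`, `[[2]]` in the rendered text further down) instead of a clickable link. Suggest reverting to single brackets. The same applies to the piped form `[[url|text]]` introduced in the later hunks, where the correct external-link form is `[url text]` (a space, not a pipe).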
Line 52: | Line 52: | ||
U.S. Department of Defense Common Access Card (DoD CAC) | U.S. Department of Defense Common Access Card (DoD CAC) | ||
</nowiki></pre> | </nowiki></pre> | ||
Download and extract the [http://directory.fedoraproject.org/wiki/CoolKey#Download_the_latest_version latest stable version of CoolKey]. (verified with 1.1.0) Once you've extracted the files to a folder open up a terminal and `cd` to that directory and run the following commands. | Download and extract the [[http://directory.fedoraproject.org/wiki/CoolKey#Download_the_latest_version|latest stable version of CoolKey]]. (verified with 1.1.0) Once you've extracted the files to a folder open up a terminal and `cd` to that directory and run the following commands. | ||
NOTE: Coolkey is in the repository for Gutsy - [http://packages.ubuntu.com/gutsy/admin/coolkey] | NOTE: Coolkey is in the repository for Gutsy - [[http://packages.ubuntu.com/gutsy/admin/coolkey]] | ||
<pre><nowiki> | <pre><nowiki> | ||
sudo mkdir /usr/cac | sudo mkdir /usr/cac | ||
Line 106: | Line 106: | ||
sudo apt-get install libssl-dev libpam0g-dev | sudo apt-get install libssl-dev libpam0g-dev | ||
</nowiki></pre> | </nowiki></pre> | ||
Then get the latest version of pam_pkcs11 from [http://www.opensc-project.org/files/pam_pkcs11] | Then get the latest version of pam_pkcs11 from [[http://www.opensc-project.org/files/pam_pkcs11]] | ||
Unzip/Untar the file somewhere and cd into the resulting directory. For example if you downloaded [http://www.opensc-project.org/files/pam_pkcs11/pam_pkcs11-0.6.0.tar.gz pam_pkcs11-0.6.0.tar.gz] into /tmp | Unzip/Untar the file somewhere and cd into the resulting directory. For example if you downloaded [[http://www.opensc-project.org/files/pam_pkcs11/pam_pkcs11-0.6.0.tar.gz|pam_pkcs11-0.6.0.tar.gz]] into /tmp | ||
<pre><nowiki> | <pre><nowiki> | ||
cd /tmp | cd /tmp | ||
Line 207: | Line 207: | ||
Try rebooting and logging in with your CAC card. At the username prompt in Feisty I had to just hit enter, then it asked me for my CAC PIN. When un-screenlocking, it works best if you insert the CAC card into the reader before you hit a key or move the mouse to get the unlock authentication prompt. | Try rebooting and logging in with your CAC card. At the username prompt in Feisty I had to just hit enter, then it asked me for my CAC PIN. When un-screenlocking, it works best if you insert the CAC card into the reader before you hit a key or move the mouse to get the unlock authentication prompt. | ||
One thing to note. If you are using a Windows virtual machine under [[UbuntuHelp:VMware|VMware]] Player or Server with CAC authentication in the virtual machine - the virtual machine will tie up the reader so Ubuntu can't get access to it. You'll get errors like token unavailable. | One thing to note. If you are using a Windows virtual machine under [[UbuntuHelp:VMware|VMware]] Player or Server with CAC authentication in the virtual machine - the virtual machine will tie up the reader so Ubuntu can't get access to it. You'll get errors like token unavailable. | ||
=== Lock Gnome Screensaver on Card Removal === | |||
The package ''pcsc-tools'' includes the tool ''pcsc_scan''. This command line application will print the insertion and removal of a Smart Card to the stdout. Using this information, a script can be written to recognize this change. The following script requires the package '''inotify-tools'''. | |||
<pre><nowiki>#!bash | |||
#!/bin/bash | |||
if [ $(pidof pcsc_scan) ]; then | |||
echo pcsc_scan is running | |||
else | |||
pcsc_scan -n > ~/cardscan.txt & | |||
fi | |||
while inotifywait ~/cardscan.txt | |||
do | |||
tail -n 3 ~/cardscan.txt | grep inserted | |||
if [ $? == 0 ]; then | |||
echo unlocked | |||
gnome-screensaver-command -d | |||
else | |||
tail -n 3 ~/cardscan.txt | grep removed | |||
if [ $? == 0 ]; then | |||
gnome-screensaver-command --lock -a | |||
fi | |||
fi | |||
done | |||
</nowiki></pre> | |||
Just save this script, make it executable, and add it to System->Preferences->Sessions. Keep in mind that this script will unlock for the insertion of '''any''' smart card. If you do not desire the unlock behavior, simply comment line 17: "gnome-screensaver-command -d". | |||
== References == | == References == | ||
Big thanks to [http://symbolik.wordpress.com/about/ symbolik] and his article [http://symbolik.wordpress.com/2007/02/25/using-dod-cac-and-smartcard-readers-on-linux/ Using DoD CAC and smartcard Readers on Linux] | Big thanks to [[http://symbolik.wordpress.com/about/|symbolik]] and his article [[http://symbolik.wordpress.com/2007/02/25/using-dod-cac-and-smartcard-readers-on-linux/|Using DoD CAC and smartcard Readers on Linux]] | ||
Department of Defense PKI Management [https://crl.chamb.disa.mil/] | Department of Defense PKI Management [[https://crl.chamb.disa.mil/]] | ||
Naval Research Laboratory DoD PKI Notes [https://airborne.nrl.navy.mil/PKI/] and accompanying PDF [http://www7320.nrlssc.navy.mil/pubs/2006/CommonAccessCardLinux.pdf] | Naval Research Laboratory DoD PKI Notes [[https://airborne.nrl.navy.mil/PKI/]] and accompanying PDF [[http://www7320.nrlssc.navy.mil/pubs/2006/CommonAccessCardLinux.pdf]] | ||
=== Relevant Discussion Threads === | === Relevant Discussion Threads === | ||
* [http://ubuntuforums.org/showthread.php?t=457084] | * [[http://ubuntuforums.org/showthread.php?t=457084]] | ||
* [http://ubuntuforums.org/showthread.php?t=294200] | * [[http://ubuntuforums.org/showthread.php?t=294200]] | ||
* [http://ubuntuforums.org/showthread.php?t=454234] | * [[http://ubuntuforums.org/showthread.php?t=454234]] | ||
[[category:UbuntuHelp]] | [[category:UbuntuHelp]] |
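Review bot: the script added in this hunk starts with a `#!bash` line above `#!/bin/bash`. That token is a MoinMoin syntax-highlighting directive carried over from the source wiki, not shell; if the block is saved as-is, `#!bash` becomes the interpreter line, the kernel cannot resolve a relative interpreter path, the script fails with a "bad interpreter" error, and the real shebang is just a comment. Drop the first line. Two smaller points: `if [ $(pidof pcsc_scan) ]` produces a test syntax error when pidof returns more than one PID (`if pidof pcsc_scan > /dev/null; then` is robust), and the `grep` calls could take `-q` and be tested directly (`if tail -n 3 ~/cardscan.txt | grep -q inserted; then`) instead of printing matches and checking `$?`. The caveat the prose adds deserves weight: the `gnome-screensaver-command -d` branch unlocks the session on insertion of any smart card with no PIN check, so the safer default is to ship that line commented out and let readers opt in.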
Revision as of 04:36, 19 October 2008 (Sunday)
Source: https://help.ubuntu.com/community/CommonAccessCard
The Department of Defense (DoD) issues Common Access Cards (CACs) which are smart cards set up in a particular way. You can use these cards for Public Key Infrastructure (PKI) Authentication and signing/encrypting/verifying/decrypting email.
Public Key Infrastructure (PKI) Authentication
Get a `pcscd`/ccid compatible smart card reader. Verified readers are
- SCM Micro SCR331
- ActivCard USB Reader 2.0 (version information is found on the underside of the device)
- http://www.cdw.com/shop/products/default.aspx?EDC=419432
- http://computers.pricegrabber.com/flash-memory-readers-accs/m/38231912/search=SCR331
- you must flash the reader to the latest firmware - http://www.txsystems.com/scm.html
- unless someone knows another way, this must be done from a Windows machine
28 December 2007 Update: ActivCard USB Reader v2.0 working!
ActivCard USB Reader v2.0 P/N ZFG-9800-AD was flashed using the instructions at http://symbolik.wordpress.com/2007/02/26/scm-scr-331-usb-smartcard-reader-firmware-upgrade/. The rest of this guide was then followed without issue.
Install the Software
sudo apt-get install pcscd pcsc-tools libccid libpcsclite-dev
NOTE: libpcsclite-dev is only needed for Coolkey compilation, since Coolkey is currently not a Debian package. For Ubuntu Feisty the following is recommended, or you may get dependency errors when compiling Coolkey:
sudo apt-get install libusb-0.1-4 libpcsclite1 libpcsclite-dev pcscd pcsc-tools build-essential autoconf xlibs-dev libccid
At this point you should be able to verify that your CAC is working by running `pcsc_scan`. It should output something like this:
PC/SC device scanner V 1.4.8 (c) 2001-2006, Ludovic Rousseau <[email protected]>
Compiled with PC/SC lite version: 1.3.2
Scanning present readers
0: SCM SCR 331 (21120725209424) 00 00

Sat Sep 22 12:28:23 2007
 Reader 0: SCM SCR 331 (21120725209424) 00 00
  Card state: Card inserted,
  ATR: 3B 6B 00 00 80 65 B0 83 01 04 74 83 00 90 00

ATR: 3B 6B 00 00 80 65 B0 83 01 04 74 83 00 90 00
+ TS = 3B --> Direct Convention
+ T0 = 6B, Y(1): 0110, K: 11 (historical bytes)
  TB(1) = 00 --> VPP is not electrically connected
  TC(1) = 00 --> Extra guard time: 0
+ Historical bytes: 80 65 B0 83 01 04 74 83 00 90 00
  Category indicator byte: 80 (compact TLV data object)
    Tag: 6, len: 5 (pre-issuing data)
      Data: B0 83 01 04 74
    Tag: 8, len: 3 (status indicator)
      LCS (life card cycle): 00 (No information given)
      SW: 9000 (Normal processing.)

Possibly identified card (using /usr/share/pcsc/smartcard_list.txt):
3B 6B 00 00 80 65 B0 83 01 04 74 83 00 90 00
        Gemplus GXP3 64V2N
        U.S. Department of Defense Common Access Card (DoD CAC)
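The ATR decode that pcsc_scan prints above can be reproduced from the raw bytes with a short parser. The following is an added example written for this page, not code from pcsc_scan, Coolkey or the original guide. It follows the ISO/IEC 7816-3 layout (TS, T0, the interface bytes announced by each Y nibble, K historical bytes, and a TCK checksum when a protocol other than T=0 is announced) and, like pcsc_scan, unpacks the compact-TLV objects in the historical bytes when the category indicator is 0x80. The CAC ATR from the output above is embedded as the sample; historical bytes that do not form whole compact-TLV objects are reported as leftover rather than misread.

```python
"""Decode a smart-card Answer To Reset (ISO/IEC 7816-3) the way pcsc_scan
does: TS convention, interface bytes, historical bytes and, when the
category indicator is 0x80, the compact-TLV objects inside them.
Added example; not part of the Ubuntu help page or of pcsc-tools."""
from dataclasses import dataclass, field

# Constructed sample: the ATR pcsc_scan printed for the DoD CAC above
CAC_ATR = "3B 6B 00 00 80 65 B0 83 01 04 74 83 00 90 00"


@dataclass
class Atr:
    convention: str                      # "direct" (TS=3B) or "inverse" (TS=3F)
    k: int                               # number of historical bytes, low nibble of T0
    interface_bytes: dict                # e.g. {"TB1": 0x00, "TC1": 0x00}
    protocols: set                       # T values announced by TD(i) bytes
    historical: list                     # raw historical bytes
    compact_tlv: list = field(default_factory=list)   # (tag, data) objects
    tlv_leftover: list = field(default_factory=list)  # bytes not forming a whole object
    tck_ok: bool = True                  # checksum result; only meaningful when TCK is present


def parse_compact_tlv(hb):
    """Split the bytes after the 0x80 category byte into (tag, data) pairs.
    Each object starts with one byte: tag in the high nibble, length in the low nibble."""
    objects, i = [], 0
    while i < len(hb):
        tag, length = hb[i] >> 4, hb[i] & 0x0F
        if i + 1 + length > len(hb):          # length runs past the end: not compact TLV
            return objects, hb[i:]
        objects.append((tag, hb[i + 1:i + 1 + length]))
        i += 1 + length
    return objects, []


def parse_atr(hexstr):
    b = list(bytes.fromhex(hexstr.replace(" ", "")))
    if len(b) < 2:
        raise ValueError("ATR needs at least TS and T0")
    convention = {0x3B: "direct", 0x3F: "inverse"}.get(b[0])
    if convention is None:
        raise ValueError("bad TS byte %02X" % b[0])
    k = b[1] & 0x0F
    y = b[1] >> 4
    pos, i, interface, protocols = 2, 1, {}, set()
    # Y(i) bits 1..4 announce TA(i), TB(i), TC(i), TD(i); TD(i) carries Y(i+1) and T
    while True:
        for bit, name in ((1, "TA"), (2, "TB"), (4, "TC"), (8, "TD")):
            if y & bit:
                if pos >= len(b):
                    raise ValueError("ATR truncated inside interface bytes")
                interface["%s%d" % (name, i)] = b[pos]
                pos += 1
        if not y & 8:
            break
        td = interface["TD%d" % i]
        protocols.add(td & 0x0F)
        y, i = td >> 4, i + 1
    historical = b[pos:pos + k]
    if len(historical) != k:
        raise ValueError("ATR truncated: K=%d but only %d historical bytes" % (k, len(historical)))
    pos += k
    atr = Atr(convention, k, interface, protocols, historical)
    # TCK exists only when a protocol other than T=0 was announced; XOR of T0..TCK must be 0
    if protocols - {0}:
        if pos >= len(b):
            raise ValueError("TCK byte missing")
        chk = 0
        for x in b[1:pos + 1]:
            chk ^= x
        atr.tck_ok = chk == 0
    if historical and historical[0] == 0x80:
        atr.compact_tlv, atr.tlv_leftover = parse_compact_tlv(historical[1:])
    return atr


def status_indicator(atr):
    """Life-cycle status (LCS) and SW1SW2 from a tag-8 object, as pcsc_scan reports them."""
    for tag, data in atr.compact_tlv:
        if tag == 8:
            if len(data) == 3:
                return {"lcs": data[0], "sw": "%02X%02X" % (data[1], data[2])}
            if len(data) == 1:
                return {"lcs": data[0], "sw": None}
            if len(data) == 2:
                return {"lcs": None, "sw": "%02X%02X" % (data[0], data[1])}
    return None


if __name__ == "__main__":
    a = parse_atr(CAC_ATR)
    print("TS: %s convention, K=%d, interface bytes %s" % (a.convention, a.k, a.interface_bytes))
    for tag, data in a.compact_tlv:
        print("  tag %d: %s" % (tag, " ".join("%02X" % x for x in data)))
    print("  status:", status_indicator(a))
```

Compare the result with the pcsc_scan block: TS=3B is the direct convention, Y(1)=0110 means only TB(1) and TC(1) are present, there are 11 historical bytes, and the compact TLV holds a tag-6 pre-issuing object and a tag-8 status object giving LCS 00 and SW 9000. A parser like this is handy when smartcard_list.txt has no entry for a card and you need to know what the reader actually saw.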
Download and extract the latest stable version of CoolKey from http://directory.fedoraproject.org/wiki/CoolKey#Download_the_latest_version (verified with 1.1.0). Once you've extracted the files to a folder, open up a terminal, `cd` to that directory and run the following commands.
NOTE: Coolkey is in the repository for Gutsy - http://packages.ubuntu.com/gutsy/admin/coolkey
sudo mkdir /usr/cac
./configure --prefix=/usr/cac
make
sudo make install
At this point your hardware and drivers are set up.
Configure Firefox
To set up Firefox to authenticate with sites via SSL/PKI, you must:
- download the DoD Certificates so that you can verify the server, and
- set up Firefox to read your client certificates from your CAC card.
DoD Certificates
The DoD has created a hierarchy of certificates. The top level certificate signs the intermediate certificate and the intermediate certificate signs the site's certificate in most cases. If you import and trust the top most certificate, it saves you from having to install and trust a significantly higher number of certificates. I believe the hierarchy looks something like this
- ECA Root CA - See http://iase.disa.mil/pki/eca/
- DoD Root CA
- DoD CLASS 3 Root CA
- DoD CLASS 3 CA-X (1-
- DoD Root CA 2
I don't know what the classes represent. This hierarchy is probably not correct. The easiest way to install fairly high level certificates is to visit http://dodpki.c3pki.chamb.disa.mil/rootca.html and just click on each one to install.
Advanced Install
You may also download the certificates and install each one using the following procedure.
- Preferences Menu
- Advanced Section
- Encryption Tab
- View Certificates Button
- Authorities Tab
- Import Button
Places to download the certificates are:
- https://crl.chamb.disa.mil/
- https://eportal.ctnosc.army.mil/ (must have Army Knowledge Online [AKO] account)
Client Certificate Setup
- Insert CAC into reader - the green light should flash.
- Add `CAC Module` to Firefox as a Security Device
- Preferences Menu
- Advanced Section
- Encryption Tab
- Security Devices Button
- Load Button
- Enter `CAC Module` as the module name, and browse to `/usr/cac/lib/pkcs11/libcoolkeypk11.so` for the module filename.
28 January 2008 Update:
If Coolkey is installed via the Ubuntu repository, the module location may not be '/usr/cac/lib/pkcs11/libcoolkeypk11.so'. Instead, try '/usr/lib/pkcs11/libcoolkeypk11.so'.
Testing
You can test this easily by going to https://teamware.dt.navy.mil/ and clicking on `New Account` at the top. If it works, you should be prompted to enter your PIN and the site should say "Your PKI Certificate has been detected".
Machine and Screensaver login with CAC
With a little work you can also use your CAC card to log into Ubuntu or un-screenlock. First you need some libraries...
sudo apt-get install libssl-dev libpam0g-dev
Then get the latest version of pam_pkcs11 from http://www.opensc-project.org/files/pam_pkcs11. Unzip/untar the file somewhere and cd into the resulting directory. For example, if you downloaded pam_pkcs11-0.6.0.tar.gz (http://www.opensc-project.org/files/pam_pkcs11/pam_pkcs11-0.6.0.tar.gz) into /tmp:
cd /tmp
tar -zxvf pam_pkcs11-0.6.0.tar.gz
cd pam_pkcs11-0.6.0
then build pam_pkcs11:
./configure --prefix=/usr --exec-prefix=/usr
make
sudo make install
sudo ln -s /usr/lib/security/pam_pkcs11.so /lib/security/pam_pkcs11.so
You should end up with files in /usr/lib/pam_pkcs11 and /usr/share/pam_pkcs11. According to various docs, make install should create a directory structure at /etc/pam_pkcs11, but it doesn't seem to, so create the following:
sudo mkdir /etc/pam_pkcs11
sudo mkdir /etc/pam_pkcs11/crls
sudo mkdir /etc/pam_pkcs11/cacerts
sudo cp /usr/share/pam_pkcs11/pam_pkcs11.conf.example /etc/pam_pkcs11/pam_pkcs11.conf
sudo touch /etc/pam_pkcs11/subject_mapping
This will take care of the CAC Certs needed by your system:
# --no-check-certificate skips TLS verification of the download host, so these
# trust anchors arrive unverified; compare them with the DoD PKI site before relying on them
wget --no-check-certificate https://airborne.nrl.navy.mil/PKI/AllDoDPKI.tar.gz
# -C sets the extraction directory (a bare path after the archive name is taken as a member to extract)
sudo tar -zxvf AllDoDPKI.tar.gz -C /etc/pam_pkcs11/cacerts
rm AllDoDPKI.tar.gz
This will take care of the Certificate Revocation Lists needed by your system:
wget --no-check-certificate https://crl.chamb.disa.mil/getcrlzip?ALL+CRL+ZIP
sudo unzip getcrlzip\?ALL+CRL+ZIP -d /etc/pam_pkcs11/crls
rm getcrlzip\?ALL+CRL+ZIP
Next, we will edit pam_pkcs11.conf to work properly with our system
sudo gedit /etc/pam_pkcs11/pam_pkcs11.conf
At roughly line 27 change the line that reads
use_pkcs11_module = opensc;
to be
use_pkcs11_module = coolkey;
at around line 72 or so add the following
# Coolkey Support
pkcs11_module coolkey {
  # use /usr/lib/pkcs11/libcoolkeypk11.so instead if Coolkey came from the Ubuntu repository
  module = /usr/cac/lib/pkcs11/libcoolkeypk11.so;
  description = "Coolkey";
  slot_num = 0;
  support_threads = false;
  ca_dir = /etc/pam_pkcs11/cacerts;
  crl_dir = /etc/pam_pkcs11/crls;
  # "ca" checks the chain against ca_dir only; the CRLs in crl_dir are not consulted
  # unless a crl policy (e.g. crl_offline) is added to this list
  cert_policy = ca;
}
Next scroll down until you see the line
use_mappers = digest, cn, pwent, uid, mail, subject, null;
and change it to
use_mappers = subject;
Then save the file. At some point we'll figure out how to use the LDAP or other mappings, but the above will get you working for now. Next, run the following command
pkcs11_inspect debug
and copy the line directly below "Printing data for mapper subject:", then run
sudo gedit /etc/pam_pkcs11/subject_mapping
and modify it so you have something like this
/C=US/O=U.S. Government/OU=DoD/OU=PKI/OU=CONTRACTOR/CN=your_cac_username -> local_username
Ok, we're almost done. Now edit /etc/pam.d/gdm and add the line "auth sufficient pam_pkcs11.so" to the top of the list so you have something like this
#%PAM-1.0
auth sufficient pam_pkcs11.so
auth requisite pam_nologin.so
auth required pam_env.so
@include common-auth
@include common-account
session required pam_limits.so
@include common-session
@include common-password
Do the same for /etc/pam.d/gnome-screensaver
auth sufficient pam_pkcs11.so
@include common-auth
If you're feeling really adventurous you can add the line to the top of /etc/pam.d/common-auth and Ubuntu will try to use CAC authentication for everything including ssh, su, sudo, etc.

Try rebooting and logging in with your CAC card. At the username prompt in Feisty I had to just hit enter, then it asked me for my CAC PIN. When un-screenlocking, it works best if you insert the CAC card into the reader before you hit a key or move the mouse to get the unlock authentication prompt.

One thing to note: if you are using a Windows virtual machine under VMware Player or Server with CAC authentication in the virtual machine, the virtual machine will tie up the reader so Ubuntu can't get access to it. You'll get errors like "token unavailable".
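Two of the steps above are easy to get subtly wrong: the subject_mapping entry must match the DN printed by pkcs11_inspect character for character, and the pam_pkcs11.so line has to sit at the top of the stack as `sufficient`. The following Python is an added example, not part of this guide or of pam_pkcs11; it reimplements the exact-match lookup that the `subject` mapper performs over a mapping file, and checks the position and control flag of pam_pkcs11.so in a PAM stack. The mapping entry and the /etc/pam.d/gdm stack from the page are embedded as constructed sample inputs.

```python
"""Sanity checks for the pam_pkcs11 setup above: subject_mapping lookup and
placement of pam_pkcs11.so in a PAM stack. Added example; not part of the
Ubuntu help page or of pam_pkcs11 itself."""
import re

# Constructed sample inputs, modelled on the snippets in the page
SUBJECT_MAPPING = """\
# one entry per line: certificate subject DN -> local account
/C=US/O=U.S. Government/OU=DoD/OU=PKI/OU=CONTRACTOR/CN=your_cac_username -> local_username
"""

GDM_STACK = """\
#%PAM-1.0
auth sufficient pam_pkcs11.so
auth requisite pam_nologin.so
auth required pam_env.so
@include common-auth
@include common-account
session required pam_limits.so
@include common-session
@include common-password
"""


def parse_subject_mapping(text):
    """Parse 'DN -> user' lines; blank lines and '#' comments are ignored."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "->" not in line:
            raise ValueError("malformed mapping line: %r" % raw)
        dn, user = line.rsplit("->", 1)
        mapping[dn.strip()] = user.strip()
    return mapping


def _squeeze(s):
    return re.sub(r"\s+", "", s)


def map_subject(mapping, dn):
    """Exact-match lookup, as the subject mapper does. Returns (user, note)."""
    dn = dn.strip()
    if dn in mapping:
        return mapping[dn], "exact match"
    # Diagnose the common failure: the pasted DN differs from the file only in whitespace
    for known in mapping:
        if _squeeze(known) == _squeeze(dn):
            return None, "no exact match; entry for %r differs only in whitespace" % known
    return None, "no mapping entry for this subject"


def check_pam_stack(text, path):
    """Findings about where and how pam_pkcs11.so sits in an auth stack."""
    findings = []
    pkcs11_at = include_at = None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments, incl. the #%PAM-1.0 header
        if not line:
            continue
        parts = line.split()
        if parts[0] == "@include" and len(parts) > 1 and parts[1] == "common-auth":
            if include_at is None:
                include_at = n
        elif parts[0] == "auth" and len(parts) >= 3 and parts[2].startswith("pam_pkcs11"):
            if pkcs11_at is None:
                pkcs11_at = n
            if parts[1] != "sufficient":
                findings.append("%s:%d: control is '%s'; the guide uses 'sufficient' so that "
                                "password login keeps working without a card" % (path, n, parts[1]))
    if pkcs11_at is None:
        findings.append("%s: no 'auth ... pam_pkcs11.so' line" % path)
    elif include_at is not None and pkcs11_at > include_at:
        findings.append("%s:%d: pam_pkcs11 comes after '@include common-auth' (line %d); "
                        "put it at the top so the card is tried first" % (path, pkcs11_at, include_at))
    if path.endswith("common-auth") and pkcs11_at is not None:
        findings.append("%s: pam_pkcs11 in common-auth applies to every service "
                        "(ssh, su, sudo, ...)" % path)
    return findings


if __name__ == "__main__":
    m = parse_subject_mapping(SUBJECT_MAPPING)
    print(map_subject(m, "/C=US/O=U.S. Government/OU=DoD/OU=PKI/OU=CONTRACTOR/CN=your_cac_username"))
    print(check_pam_stack(GDM_STACK, "/etc/pam.d/gdm") or "gdm stack looks fine")
```

Run `pkcs11_inspect debug`, paste the subject line into `map_subject`, and feed each edited /etc/pam.d file to `check_pam_stack` before rebooting; an empty findings list means the file matches the layout the guide describes.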
Lock Gnome Screensaver on Card Removal
The package pcsc-tools includes the tool pcsc_scan. This command line application will print the insertion and removal of a Smart Card to the stdout. Using this information, a script can be written to recognize this change. The following script requires the package inotify-tools.
#!/bin/bash
# Start pcsc_scan once; -n skips ATR decoding so each insert/remove is a short log entry
if pidof pcsc_scan > /dev/null; then
    echo pcsc_scan is running
else
    pcsc_scan -n > ~/cardscan.txt &
fi
# Block until pcsc_scan appends to the log, then act on the newest event
while inotifywait -e modify ~/cardscan.txt
do
    if tail -n 3 ~/cardscan.txt | grep -q inserted; then
        echo unlocked
        gnome-screensaver-command -d
    elif tail -n 3 ~/cardscan.txt | grep -q removed; then
        gnome-screensaver-command --lock -a
    fi
done
Just save this script, make it executable, and add it to System->Preferences->Sessions. Keep in mind that this script will unlock for the insertion of any smart card. If you do not desire the unlock behavior, simply comment out the line "gnome-screensaver-command -d".
References
Big thanks to symbolik (http://symbolik.wordpress.com/about/) and his article Using DoD CAC and smartcard Readers on Linux (http://symbolik.wordpress.com/2007/02/25/using-dod-cac-and-smartcard-readers-on-linux/).
Department of Defense PKI Management: https://crl.chamb.disa.mil/
Naval Research Laboratory DoD PKI Notes: https://airborne.nrl.navy.mil/PKI/ and accompanying PDF: http://www7320.nrlssc.navy.mil/pubs/2006/CommonAccessCardLinux.pdf
Relevant Discussion Threads
- http://ubuntuforums.org/showthread.php?t=457084
- http://ubuntuforums.org/showthread.php?t=294200
- http://ubuntuforums.org/showthread.php?t=454234