UbuntuHelp:CommonAccessCard

From Ubuntu中文

The Department of Defense (DoD) issues Common Access Cards (CACs) which are smart cards set up in a particular way. You can use these cards for Public Key Infrastructure (PKI) Authentication and signing/encrypting/verifying/decrypting email and websites.

Public Key Infrastructure (PKI) Authentication

Get a `pcscd`/ccid compatible smart card reader. Verified readers are:

  • O2 Micro, Inc. Oz776
  • SCM Micro SCR331
  • Gemplus GemPC Card (PCMCIA)
  • ActivCard USB Reader 2.0 (version information is found on the underside of the device)
    • you must flash the reader to the latest firmware - [1]
    • unless someone knows another way, this must be done from a Windows machine

If you have trouble with your reader, review device compatibility at [2].

ActivCard USB Reader v2.0

ActivCard USB Reader v2.0 P/N ZFG-9800-AD was flashed using the instructions at [3]. The rest of this guide was then followed without issue.

Gemplus GemPC Card (PCMCIA)

This card reader uses the ccid driver. Since it uses a serial port connection, you must tell pcscd where it is located. Before you begin, you need to install the software as shown in the next step. Once the `apt-get` procedure is completed, come back here to configure your reader. First, determine which serial port it has loaded on: insert the card into the PC card slot and run `dmesg` in a terminal. On my machine, it has loaded on `ttyS1`. You should get output similar to the following.

[ 5924.740035] pcmcia_socket pcmcia_socket0: pccard: PCMCIA card inserted into slot 0
[ 5924.740307] pcmcia 0.0: pcmcia: registering new device pcmcia0.0
[ 5924.881176] 0.0: ttyS1 at I/O 0x3f8 (irq = 16) is a 16450

Next, edit `/etc/reader.conf.d/libccidtwin` to add the following lines:

FRIENDLYNAME      "GemPCTwin serial"
DEVICENAME        /dev/ttyS1
LIBPATH           /usr/lib/pcsc/drivers/serial/libccidtwin.so
CHANNELID         1

Then run `sudo update-reader.conf`, followed by `sudo service pcscd restart`. If everything worked correctly, you may proceed with the next step.

Install the Software

sudo apt-get install coolkey pcscd pcsc-tools

At this point you should be able to verify that your CAC is working by running `pcsc_scan`. It should output something like this.

PC/SC device scanner
V 1.4.8 (c) 2001-2006, Ludovic Rousseau <[email protected]>
Compiled with PC/SC lite version: 1.3.2
Scanning present readers
0: SCM SCR 331 (21120725209424) 00 00

Sat Sep 22 12:28:23 2007
 Reader 0: SCM SCR 331 (21120725209424) 00 00
  Card state: Card inserted,
  ATR: 3B 6B 00 00 80 65 B0 83 01 04 74 83 00 90 00

ATR: 3B 6B 00 00 80 65 B0 83 01 04 74 83 00 90 00
+ TS = 3B --> Direct Convention
+ T0 = 6B, Y(1): 0110, K: 11 (historical bytes)
  TB(1) = 00 --> VPP is not electrically connected
  TC(1) = 00 --> Extra guard time: 0
+ Historical bytes: 80 65 B0 83 01 04 74 83 00 90 00
  Category indicator byte: 80 (compact TLV data object)
    Tag: 6, len: 5 (pre-issuing data)
      Data: B0 83 01 04 74
    Tag: 8, len: 3 (status indicator)
      LCS (life card cycle): 00 (No information given)
      SW: 9000 (Normal processing.)

Possibly identified card (using /usr/share/pcsc/smartcard_list.txt):
3B 6B 00 00 80 65 B0 83 01 04 74 83 00 90 00
        Gemplus GXP3 64V2N
        U.S. Department of Defense Common Access Card (DoD CAC)

If you see this:

SCardListReader: Cannot find a smart card reader. (0x8010002E)
Waiting for the first reader...

... then you probably did not update your firmware. Read the instructions at the top of this article to see how to update your firmware.
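As an added example (it is not part of the original page or of pcsc-tools), the following Python decodes an ATR string the same way the `pcsc_scan` analysis above does: TS, T0, the interface bytes TA/TB/TC/TD, the historical bytes with their compact-TLV objects (pre-issuing data, status indicator with LCS and SW), and the TCK check byte. It goes beyond the CAC case by also handling ATRs that offer T=1 and therefore carry a TCK, which is validated; the only input taken from the page is the CAC ATR itself.

```python
"""Decode an ISO/IEC 7816-3 Answer To Reset (ATR) as pcsc_scan prints it.

Added example; it is not part of the original page or of pcsc-tools.  Only
the standard library is used, and the CAC ATR is the one shown above.
"""

TAG_PRE_ISSUING = 0x6        # compact-TLV tags in the historical bytes
TAG_STATUS_INDICATOR = 0x8   # (ISO/IEC 7816-4)


def _parse_historical(hist):
    """Split historical bytes into compact-TLV (tag, data) pairs when the
    category indicator is 0x80; any other category yields no objects."""
    if not hist or hist[0] != 0x80:
        return []
    objects, pos = [], 1
    while pos < len(hist):
        tag, length = hist[pos] >> 4, hist[pos] & 0x0F
        data = hist[pos + 1:pos + 1 + length]
        if len(data) != length:
            raise ValueError("truncated compact-TLV object in historical bytes")
        objects.append((tag, data))
        pos += 1 + length
    return objects


def parse_atr(atr_hex):
    """Return a dict describing the ATR, or raise ValueError if it is malformed."""
    raw = bytes.fromhex(atr_hex.replace(" ", ""))
    if len(raw) < 2:
        raise ValueError("ATR needs at least TS and T0")
    ts, t0 = raw[0], raw[1]
    if ts not in (0x3B, 0x3F):
        raise ValueError(f"unknown initial character TS={ts:02X}")
    k = t0 & 0x0F                 # number of historical bytes
    y = t0 >> 4                   # bitmask: which of TA1..TD1 follow
    interface, protocols, pos, i = {}, set(), 2, 1
    while True:
        for bit, name in ((1, "TA"), (2, "TB"), (4, "TC"), (8, "TD")):
            if y & bit:
                if pos >= len(raw):
                    raise ValueError("ATR truncated inside the interface bytes")
                interface[f"{name}{i}"] = raw[pos]
                pos += 1
        td = interface.get(f"TD{i}")
        if td is None:
            break                          # no TDi: interface bytes end here
        protocols.add(td & 0x0F)           # low nibble: offered protocol T=x
        y, i = td >> 4, i + 1              # high nibble: Y(i+1) for the next round
    if not protocols:
        protocols = {0}                    # no TD1 at all means T=0 only
    historical = raw[pos:pos + k]
    if len(historical) != k:
        raise ValueError("ATR truncated inside the historical bytes")
    pos += k
    # TCK is present exactly when a protocol other than T=0 is offered, and
    # the XOR of every byte from T0 through TCK must then be zero.
    tck_present = protocols != {0}
    if tck_present:
        if pos >= len(raw):
            raise ValueError("TCK missing")
        pos += 1
        xor = 0
        for b in raw[1:pos]:
            xor ^= b
        if xor:
            raise ValueError("TCK checksum mismatch")
    if pos != len(raw):
        raise ValueError("trailing bytes after the ATR")
    objects = dict(_parse_historical(historical))
    status = objects.get(TAG_STATUS_INDICATOR, b"")
    return {
        "convention": "direct" if ts == 0x3B else "inverse",
        "interface": interface,
        "protocols": sorted(protocols),
        "historical": historical.hex(" ").upper(),
        "pre_issuing": objects[TAG_PRE_ISSUING].hex(" ").upper() if TAG_PRE_ISSUING in objects else None,
        "lcs": status[0] if len(status) == 3 else None,        # 3 bytes: LCS SW1 SW2
        "sw": status[-2:].hex().upper() if len(status) >= 2 else None,
        "tck_present": tck_present,
    }


def is_valid_atr(atr_hex):
    """True when parse_atr accepts the string, False otherwise."""
    try:
        parse_atr(atr_hex)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    CAC_ATR = "3B 6B 00 00 80 65 B0 83 01 04 74 83 00 90 00"   # from pcsc_scan above
    for key, value in parse_atr(CAC_ATR).items():
        print(f"{key:12} {value}")
```

Run as-is it prints the decoded fields for the CAC ATR; for a smart card of another model, `is_valid_atr` is a quick sanity check on what `pcsc_scan` printed before you paste the bytes anywhere.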

Configure Firefox

To set up Firefox to authenticate with sites via SSL/PKI, you must:

  • download the DoD Certificates so that you can verify the server, and
  • set up Firefox to read your client certificates from your CAC card.

DoD Certificates

The DoD has created a hierarchy of certificates. The top level certificate signs the intermediate certificate and the intermediate certificate signs the site's certificate in most cases. If you import and trust the top most certificate, it saves you from having to install and trust a significantly higher number of certificates. The easiest way to install DoD root certificates is to visit http://dodpki.c3pki.chamb.disa.mil/rootca.html and just click on each one to install.

Advanced Install

You may also download the certificates and install each one using the following procedure.

  1. Preferences Menu
  2. Advanced Section
  3. Encryption Tab
  4. View Certificates Button
  5. Authorities Tab
  6. Import Button

Places to download the certificates are:

Client Certificate Setup

  1. Insert CAC into reader - the green light should flash.
  2. Add `CAC Module` to Firefox as a Security Device
    1. Preferences Menu
    2. Advanced Section
    3. Encryption Tab
    4. Security Devices Button
    5. Load Button
    6. Enter `CAC Module` as the module name, and browse to `/usr/lib/pkcs11/libcoolkeypk11.so` for the module filename.

Testing

You can test this easily by going to https://teamware.dt.navy.mil/ and clicking on `New Account` at the top. If it works, you should be prompted to enter your PIN and the site should say "Your PKI Certificate has been detected".

Configure Evolution

The Evolution email client does not currently have a means to configure the security device (CAC reader) through the GUI as Firefox and Thunderbird do. However, there is a fairly simple (but obscure) workaround that can be executed from the command line. Mozilla's certificate database can be imported into Evolution by copying three files within a terminal window:

cd ~/.mozilla/firefox/*.default
cp cert8.db key3.db secmod.db ~/.evolution/

This appears to import all the DoD certificates and security devices (CAC reader) previously configured in Firefox as outlined in the above instructions. Look under the 'U.S. Government' heading to confirm ('Edit/Preferences.../Certificates/Authorities' tab). You'll need to select each individual certificate (e.g. "DOD CA-11"), click the 'Edit' button, and then select the boxes for both trust to ID sites and trust to ID email users. Do this for all the certificates under the 'U.S. Government' heading. This step is tedious, but you'll only need to do it once.

Next, select the appropriate certificate for signing and encrypting email. From 'Edit/Preferences', click on 'Mail Accounts', select your previously configured AKO/DKO account (either POP or IMAP), click the 'Edit' button, and then the 'Security' tab. Under the 'Secure MIME (S/MIME)' heading, select both the signing and encryption certificates, and any of the option check boxes desired. When composing a new message, pull down the 'Security' menu and select 'S/MIME Sign' and/or 'S/MIME Encrypt' as appropriate.

Please note the author of the above section has not yet fully tested this functionality, but initial testing was successful. Nevertheless, implement with caution.

Note: There is currently no way to authenticate to the Exchange server through Evolution with a CAC; the above instructions only use the CAC for signing and encrypting messages. This has been requested in Bug 253574 and may be implemented in version 2.23.x. The bug tracker has a patch for those wishing to recompile Evolution with untested code.

Machine and Screensaver login with CAC

With a little work you can also use your CAC card to log into Ubuntu or unlock the screen. First you need some libraries:

sudo apt-get install libssl-dev libpam0g-dev pkg-config

Then get the latest version of pam_pkcs11 from [4]. Unzip/untar the file somewhere and cd into the resulting directory. For example, if you downloaded pam_pkcs11-0.6.0.tar.gz into /tmp:

cd /tmp
tar -zxvf pam_pkcs11-0.6.0.tar.gz
cd pam_pkcs11-0.6.0
    

Then build pam_pkcs11:

./configure --prefix=/usr --exec-prefix=/usr
make
sudo make install
sudo ln -s /usr/lib/security/pam_pkcs11.so /lib/security/pam_pkcs11.so

You should end up with files in the directories /usr/lib/pam_pkcs11 and /usr/share/pam_pkcs11. According to various docs, `make install` should create a directory structure at /etc/pam_pkcs11, but it doesn't seem to, so create the following:

sudo mkdir /etc/pam_pkcs11
sudo mkdir /etc/pam_pkcs11/crls
sudo mkdir /etc/pam_pkcs11/cacerts
sudo cp /usr/share/pam_pkcs11/pam_pkcs11.conf.example /etc/pam_pkcs11/pam_pkcs11.conf
sudo touch /etc/pam_pkcs11/subject_mapping
    

This will take care of the CAC certs needed by your system:

# --no-check-certificate skips TLS verification of this download, because
# the DoD roots are not yet trusted on this machine.
wget --no-check-certificate https://airborne.nrl.navy.mil/PKI/AllDoDPKI.tar.gz
sudo mv AllDoDPKI.tar.gz /etc/pam_pkcs11/cacerts/
cd /etc/pam_pkcs11/cacerts/
sudo tar -zxvf AllDoDPKI.tar.gz
# the directory is owned by root, so removing the archive also needs sudo
sudo rm AllDoDPKI.tar.gz

This will take care of the Certificate Revocation Lists needed by your system:

# download somewhere writable first; /etc/pam_pkcs11/cacerts is root-owned
cd /tmp
wget --no-check-certificate 'https://crl.chamb.disa.mil/getcrlzip?ALL+CRL+ZIP'
sudo unzip 'getcrlzip?ALL+CRL+ZIP' -d /etc/pam_pkcs11/crls
rm 'getcrlzip?ALL+CRL+ZIP'
    

Next, we will edit pam_pkcs11.conf to work properly with our system:

sudo gedit /etc/pam_pkcs11/pam_pkcs11.conf

At roughly line 27 change the line that reads

use_pkcs11_module = opensc;

to be

use_pkcs11_module = coolkey;
    

at around line 72 or so add the following (every setting ends with a semicolon):

# Coolkey Support
pkcs11_module coolkey {
  module = /usr/lib/pkcs11/libcoolkeypk11.so;
  description = "Coolkey";
  slot_num = 0;
  support_threads = false;
  ca_dir = /etc/pam_pkcs11/cacerts;
  crl_dir = /etc/pam_pkcs11/crls;
  cert_policy = ca;
}
    

Next scroll down until you see the line

use_mappers = digest, cn, pwent, uid, mail, subject, null;

and change it to

use_mappers = subject;

then save the file. At some point we'll figure out how to use the LDAP or other mappings, but the above will get you working for now. Next run the following command:

pkcs11_inspect debug

and copy the line directly below "Printing data for mapper subject:", then run

sudo gedit /etc/pam_pkcs11/subject_mapping

and modify it so you have something like this:

/C=US/O=U.S. Government/OU=DoD/OU=PKI/OU=CONTRACTOR/CN=your_cac_username -> local_username
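The two steps above (read the subject that `pkcs11_inspect` prints, then write a `subject -> user` line) are easy to get subtly wrong, because the mapper only accepts a whole-DN match. The following Python is an added example, not part of the page's procedure and not code from pam_pkcs11: it extracts the subject lines from `pkcs11_inspect debug` output, parses a `subject_mapping` file, and resolves the local user the way the `subject` mapper does. The `pkcs11_inspect` excerpt, the DNs and the user name are constructed for the example; only the header line and the `subject -> user` layout come from the page.

```python
"""Resolve a CAC certificate subject to a local user name the way the
pam_pkcs11 "subject" mapper does: a whole-DN match against the lines of
/etc/pam_pkcs11/subject_mapping.

Added example, not part of the page's procedure or of pam_pkcs11.  The
pkcs11_inspect excerpt and the DNs below are constructed.
"""

MAPPER_HEADER = "Printing data for mapper subject:"


def extract_mapper_subjects(inspect_output):
    """Return the lines printed directly below 'Printing data for mapper
    subject:' in `pkcs11_inspect debug` output, stopping at the first blank
    line or the next mapper's header."""
    subjects, collecting = [], False
    for raw in inspect_output.splitlines():
        line = raw.strip()
        if line == MAPPER_HEADER:
            collecting = True
        elif collecting and (not line or line.startswith("Printing data for mapper")):
            collecting = False
        elif collecting:
            subjects.append(line)
    return subjects


def load_subject_mapping(text):
    """Parse 'subject -> user' lines into a dict.  '#' comments and blank
    lines are skipped; a subject that maps to two different users raises,
    so a stale duplicate cannot silently win over the intended line."""
    mapping = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "->" not in line:
            raise ValueError(f"line {lineno}: expected 'subject -> user'")
        subject, user = (part.strip() for part in line.rsplit("->", 1))
        if not subject or not user:
            raise ValueError(f"line {lineno}: empty subject or user")
        if subject in mapping and mapping[subject] != user:
            raise ValueError(f"line {lineno}: {subject} already maps to {mapping[subject]}")
        mapping[subject] = user
    return mapping


def mapping_file_is_consistent(text):
    """True when load_subject_mapping accepts the file, False otherwise."""
    try:
        load_subject_mapping(text)
        return True
    except ValueError:
        return False


def resolve_user(subject, mapping, ignorecase=False):
    """Local user for `subject`, or None.  The comparison is on the whole DN,
    never a prefix or substring, so a certificate whose DN merely contains
    yours (an extra RDN, a longer CN) does not map to your account.
    `ignorecase` mirrors the mapper option of the same name in pam_pkcs11."""
    if not ignorecase:
        return mapping.get(subject)
    wanted = subject.lower()
    matches = {user for dn, user in mapping.items() if dn.lower() == wanted}
    if len(matches) > 1:
        raise ValueError(f"{subject} matches more than one mapping line case-insensitively")
    return matches.pop() if matches else None


# Constructed `pkcs11_inspect debug` excerpt (one subject line per certificate).
SAMPLE_INSPECT = """\
Printing data for mapper subject:
/C=US/O=U.S. Government/OU=DoD/OU=PKI/OU=CONTRACTOR/CN=DOE.JANE.0000000000
/C=US/O=U.S. Government/OU=DoD/OU=PKI/OU=CONTRACTOR/CN=DOE.JANE.0000000000

Printing data for mapper cn:
DOE.JANE.0000000000
"""

# Constructed subject_mapping file, same layout as the line on the page.
SAMPLE_MAPPING = """\
# /etc/pam_pkcs11/subject_mapping
/C=US/O=U.S. Government/OU=DoD/OU=PKI/OU=CONTRACTOR/CN=DOE.JANE.0000000000 -> jdoe
"""


def map_card_holder(inspect_output=SAMPLE_INSPECT, mapping_text=SAMPLE_MAPPING):
    """Tie the two steps together: which local user would this card log in as?
    Returns None unless every certificate on the card resolves to one user."""
    mapping = load_subject_mapping(mapping_text)
    users = {resolve_user(dn, mapping) for dn in extract_mapper_subjects(inspect_output)}
    return users.pop() if len(users) == 1 and None not in users else None


if __name__ == "__main__":
    print(map_card_holder())   # jdoe for the constructed sample
```

To use it against your own card, feed the real `pkcs11_inspect debug` output and `/etc/pam_pkcs11/subject_mapping` to `map_card_holder`; a `None` result means the DN in the file does not match the card byte for byte (a stray space or a different RDN order is enough), which is exactly when pam_pkcs11 will fall through to the next PAM module.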
    

Ok, we're almost done. Now edit /etc/pam.d/gdm and add the line "auth sufficient pam_pkcs11.so" to the top of the list so you have something like this:

#%PAM-1.0
auth    sufficient      pam_pkcs11.so
auth    requisite       pam_nologin.so
auth    required        pam_env.so
@include common-auth
@include common-account
session required        pam_limits.so
@include common-session
@include common-password

Do the same for /etc/pam.d/gnome-screensaver:

auth    sufficient      pam_pkcs11.so
@include common-auth

If you're feeling really adventurous you can add the line to the top of /etc/pam.d/common-auth and Ubuntu will try to use CAC authentication for everything including ssh, su, sudo, etc.

Try rebooting and logging in with your CAC card. At the username prompt in Feisty I had to just hit enter, then it asked me for my CAC PIN. When unlocking the screen, it works best if you insert the CAC card into the reader before you hit a key or move the mouse to get the unlock authentication prompt.

One thing to note: if you are using a Windows virtual machine under VMware Player or Server with CAC authentication in the virtual machine, the virtual machine will tie up the reader so Ubuntu can't get access to it. You'll get errors like "token unavailable".

Lock Gnome Screensaver on Card Removal

The package pcsc-tools includes the tool pcsc_scan. This command line application prints the insertion and removal of a smart card to stdout. Using this information, a script can be written to recognize this change. The following script requires the package inotify-tools.

#!/bin/bash
# Lock the screensaver when the CAC is removed and (optionally) unlock it
# when a card with the expected ATR is inserted.  Needs pcsc-tools and
# inotify-tools.

# Replace the XX bytes with the ATR line pcsc_scan prints for your card.
MY_ATR="XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX"
CARDSCAN="$HOME/cardscan.txt"

# Start a single background pcsc_scan (-n: no ATR analysis) logging to a file.
if pidof pcsc_scan >/dev/null; then
    echo "pcsc_scan is running"
else
    pcsc_scan -n > "$CARDSCAN" &
fi

# Block until the log file changes, then inspect its last three lines.
while inotifywait -q -e modify "$CARDSCAN"; do
    if tail -n 3 "$CARDSCAN" | grep -q "$MY_ATR"; then
        echo unlocked
        gnome-screensaver-command -d
    elif tail -n 3 "$CARDSCAN" | grep -q removed; then
        gnome-screensaver-command --lock -a
    fi
done

After saving this script, set `MY_ATR` to your card's ATR: run `pcsc_scan` and look for the line that says "ATR: XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX" (on mine, it's the fourth line). The XX's will be unique to your card; put that line's bytes into `MY_ATR`. Make the script executable, and add it to System->Preferences->Startup Applications. This script will also unlock the screensaver when your CAC is inserted; if you do not desire the unlock behavior, simply comment out the line `gnome-screensaver-command -d`.
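The detection logic the script above relies on (a "Card state:" line followed by an "ATR:" line on insertion, and a "removed" state on removal) is shown here as an added Python example, not the page's own script and not part of pcsc-tools. It parses a stream of `pcsc_scan` lines into card events and decides on a screensaver action per event. The sample lines are constructed to match the `pcsc_scan` output shown earlier; the CAC ATR is the one from the page, and the second card's ATR is made up. The one design point it adds over the shell script: locking on removal needs no trust in the card, whereas unlocking on an ATR match is not an authentication (the ATR identifies the card model, so any CAC of that model produces the same bytes), so that path is off unless explicitly enabled and the PIN-checked unlock is left to pam_pkcs11.

```python
"""Turn pcsc_scan insertion/removal messages into screensaver actions.

Added example for the "Lock Gnome Screensaver on Card Removal" section.  It is
not the page's script and not part of pcsc-tools; the log lines below are
constructed to match the 'Card state:' and 'ATR:' lines pcsc_scan prints.
"""
import re
import subprocess
import sys

# ATR of the DoD CAC as printed by pcsc_scan earlier on this page.
CAC_ATR = "3B 6B 00 00 80 65 B0 83 01 04 74 83 00 90 00"

STATE_RE = re.compile(r"Card state:\s*(.+)")
ATR_RE = re.compile(r"ATR:\s*((?:[0-9A-Fa-f]{2}\s*)+)")


def card_events(lines):
    """Yield ('inserted', atr) or ('removed', None) from pcsc_scan output.

    pcsc_scan prints 'Card state: Card inserted,' and then the 'ATR:' line,
    so an insertion is reported once its ATR has been seen."""
    awaiting_atr = False
    for line in lines:
        state = STATE_RE.search(line)
        if state:
            text = state.group(1).lower()
            if "removed" in text:
                awaiting_atr = False
                yield ("removed", None)
            elif "inserted" in text:
                awaiting_atr = True
            continue
        atr = ATR_RE.search(line)
        if atr and awaiting_atr:
            awaiting_atr = False
            yield ("inserted", " ".join(atr.group(1).split()).upper())


def decide(event, atr, my_atr, unlock_on_match=False):
    """Return 'lock', 'unlock' or None for one card event.

    Locking on removal is always safe.  Unlocking on an ATR match is not an
    authentication: the ATR identifies the card model, so every CAC of that
    model answers with the same bytes.  It is therefore off by default; the
    unlock path belongs to pam_pkcs11, which checks the PIN and certificate."""
    if event == "removed":
        return "lock"
    if unlock_on_match and atr == " ".join(my_atr.split()).upper():
        return "unlock"
    return None


def screensaver_actions(lines, my_atr=CAC_ATR, unlock_on_match=False):
    """Decision for every card event in `lines`, in order."""
    return [decide(ev, atr, my_atr, unlock_on_match) for ev, atr in card_events(lines)]


# Constructed sample of `pcsc_scan -n` output: our card, a removal, a card of
# another model (ATR made up for the example), another removal.
SAMPLE_SCAN = """\
Sat Sep 22 12:28:23 2007
 Reader 0: SCM SCR 331 (21120725209424) 00 00
  Card state: Card inserted,
  ATR: 3B 6B 00 00 80 65 B0 83 01 04 74 83 00 90 00

Sat Sep 22 12:30:01 2007
 Reader 0: SCM SCR 331 (21120725209424) 00 00
  Card state: Card removed,

Sat Sep 22 12:31:10 2007
 Reader 0: SCM SCR 331 (21120725209424) 00 00
  Card state: Card inserted,
  ATR: 3B 6B 00 00 80 65 B0 83 02 00 00 83 00 90 00

Sat Sep 22 12:32:00 2007
 Reader 0: SCM SCR 331 (21120725209424) 00 00
  Card state: Card removed,
""".splitlines()


if __name__ == "__main__":
    # Usage: pcsc_scan -n | python3 cardwatch.py
    for ev, atr in card_events(sys.stdin):
        if decide(ev, atr, CAC_ATR) == "lock":
            subprocess.run(["gnome-screensaver-command", "--lock"], check=False)
```

Piped from `pcsc_scan -n`, the `__main__` block only ever locks; pass `unlock_on_match=True` to `decide` if you want the page's unlock-on-insert behaviour back, knowing what it does and does not check.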

References

Big thanks to symbolik and his article "Using DoD CAC and smartcard Readers on Linux", Department of Defense PKI Management [5], Naval Research Laboratory DoD PKI Notes [6] and the accompanying PDF [7].

Relevant Discussion Threads