Difference between revisions of "UbuntuHelp:CommonAccessCard"

From Ubuntu中文
Revision as of 17:01, 19 May 2010 (Wednesday)

The Department of Defense (DoD) issues Common Access Cards (CACs) which are smart cards set up in a particular way. You can use these cards for Public Key Infrastructure (PKI) Authentication and signing/encrypting/verifying/decrypting email and websites.

Public Key Infrastructure (PKI) Authentication

Get a `pcscd`/ccid compatible smart card reader. Verified readers are:

  • O2 Micro, Inc. Oz776
  • SCM Micro SCR331
  • Gemplus GemPC Card (PCMCIA)
  • ActivCard USB Reader 2.0 (version information is found on the underside of the device)
    • you must flash the reader to the latest firmware (see http://www.txsystems.com/scm.html)
      • unless someone knows another way, this must be done from a Windows machine

If you have trouble with your reader, review device compatibility at http://pcsclite.alioth.debian.org/section.html

ActivCard USB Reader v2.0

ActivCard USB Reader v2.0 P/N ZFG-9800-AD was flashed using the instructions at http://symbolik.wordpress.com/2007/02/26/scm-scr-331-usb-smartcard-reader-firmware-upgrade/. The rest of this guide was then followed without issue.

Gemplus GemPC Card (PCMCIA)

This card reader uses the ccid driver. Since it uses a serial port connection, you must tell pcscd where it is located. Before you begin, you need to install the software as shown in the next step. Once the `apt-get` procedure is completed, come back here to configure your reader. First, determine which serial port it has been loaded on. Insert the card into the PC Card slot and run `dmesg` in a terminal. On my machine, it has loaded on `ttyS1`. You should get output similar to the following.

[ 5924.740035] pcmcia_socket pcmcia_socket0: pccard: PCMCIA card inserted into slot 0
[ 5924.740307] pcmcia 0.0: pcmcia: registering new device pcmcia0.0
[ 5924.881176] 0.0: ttyS1 at I/O 0x3f8 (irq = 16) is a 16450

Next, edit `/etc/reader.conf.d/libccidtwin` to add the following lines:

FRIENDLYNAME      "GemPCTwin serial"
DEVICENAME        /dev/ttyS1
LIBPATH           /usr/lib/pcsc/drivers/serial/libccidtwin.so
CHANNELID         1

Then run `sudo update-reader.conf`, followed by `sudo service pcscd restart`. If everything worked correctly, you may proceed with the next step.

Install the Software

sudo apt-get install coolkey pcscd pcsc-tools

At this point you should be able to verify that your CAC is working by running `pcsc_scan`. It should output something like this.

PC/SC device scanner
V 1.4.8 (c) 2001-2006, Ludovic Rousseau <[email protected]>
Compiled with PC/SC lite version: 1.3.2
Scanning present readers
0: SCM SCR 331 (21120725209424) 00 00

Sat Sep 22 12:28:23 2007
 Reader 0: SCM SCR 331 (21120725209424) 00 00
  Card state: Card inserted,
  ATR: 3B 6B 00 00 80 65 B0 83 01 04 74 83 00 90 00

ATR: 3B 6B 00 00 80 65 B0 83 01 04 74 83 00 90 00
+ TS = 3B --> Direct Convention
+ T0 = 6B, Y(1): 0110, K: 11 (historical bytes)
  TB(1) = 00 --> VPP is not electrically connected
  TC(1) = 00 --> Extra guard time: 0
+ Historical bytes: 80 65 B0 83 01 04 74 83 00 90 00
  Category indicator byte: 80 (compact TLV data object)
    Tag: 6, len: 5 (pre-issuing data)
      Data: B0 83 01 04 74
    Tag: 8, len: 3 (status indicator)
      LCS (life card cycle): 00 (No information given)
      SW: 9000 (Normal processing.)

Possibly identified card (using /usr/share/pcsc/smartcard_list.txt):
3B 6B 00 00 80 65 B0 83 01 04 74 83 00 90 00
        Gemplus GXP3 64V2N
        U.S. Department of Defense Common Access Card (DoD CAC)

If you see this:

SCardListReader: Cannot find a smart card reader. (0x8010002E)
Waiting for the first reader...

... then you probably did not update your firmware. Read the instructions at the top of this article to see how to update your firmware.
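The ATR block in the pcsc_scan output above is decoded per ISO 7816-3 (TS, T0, the interface bytes TB1/TC1, the historical bytes) and ISO 7816-4 (the compact-TLV objects behind category byte 80). The parser below is an added example, not code from this page or from pcsc-tools: it reproduces that decoding for the CAC ATR shown above and, going beyond that ATR, walks a full TD chain and verifies the TCK checksum for cards offering protocols other than T=0; the short T=1 ATR in the block is a constructed test vector.

```python
"""Decode an ISO 7816-3 Answer To Reset (ATR) into the fields pcsc_scan prints above."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

CAC_ATR = "3B 6B 00 00 80 65 B0 83 01 04 74 83 00 90 00"  # the CAC ATR from the pcsc_scan output above
T1_ATR = "3B 80 01 81"  # constructed test vector: TD1=01 selects T=1, so the TCK byte (81) is required
TAG_NAMES = {6: "pre-issuing data", 8: "status indicator"}  # ISO 7816-4 compact-TLV tags seen above


@dataclass
class Atr:
    convention: str                                   # "direct" (TS=3B) or "inverse" (TS=3F)
    interface_bytes: Dict[str, int] = field(default_factory=dict)  # e.g. {"TB1": 0, "TC1": 0}
    protocols: List[int] = field(default_factory=list)             # T=... values offered
    historical: bytes = b""
    compact_tlv: List[Tuple[int, bytes]] = field(default_factory=list)
    tck_ok: Optional[bool] = None                     # None when no TCK byte is present (T=0 only)


def parse_compact_tlv(buf: bytes) -> List[Tuple[int, bytes]]:
    """Each object is one byte (tag << 4 | length) followed by 'length' value bytes."""
    objects, pos = [], 0
    while pos < len(buf):
        tag, length = buf[pos] >> 4, buf[pos] & 0x0F
        value = buf[pos + 1:pos + 1 + length]
        if len(value) != length:
            raise ValueError("truncated compact-TLV object")
        objects.append((tag, value))
        pos += 1 + length
    return objects


def parse_atr(hex_atr: str) -> Atr:
    data = bytes.fromhex(hex_atr)
    if len(data) < 2:
        raise ValueError("ATR needs at least TS and T0")
    if data[0] == 0x3B:
        atr = Atr("direct")
    elif data[0] == 0x3F:
        atr = Atr("inverse")
    else:
        raise ValueError(f"invalid TS byte {data[0]:#04x}")
    k = data[1] & 0x0F            # K: number of historical bytes (11 for the CAC)
    y = data[1] >> 4              # Y(1): presence bits for TA1 TB1 TC1 TD1 (0110 for the CAC)
    pos, i, protocols = 2, 1, []
    while True:                   # walk TA(i)..TD(i); TD(i) carries Y(i+1) and a protocol number
        for bit, name in ((1, "TA"), (2, "TB"), (4, "TC"), (8, "TD")):
            if y & bit:
                if pos >= len(data):
                    raise ValueError(f"truncated at {name}{i}")
                atr.interface_bytes[f"{name}{i}"] = data[pos]
                pos += 1
        td = atr.interface_bytes.get(f"TD{i}")
        if td is None:
            break
        protocols.append(td & 0x0F)
        y, i = td >> 4, i + 1
    atr.protocols = sorted(set(protocols)) or [0]   # no TD byte at all means T=0 only
    atr.historical = data[pos:pos + k]
    if len(atr.historical) != k:
        raise ValueError("truncated historical bytes")
    pos += k
    if atr.protocols != [0]:
        # TCK is present only when a protocol other than T=0 is offered; T0 XOR ... XOR TCK == 0
        if pos >= len(data):
            raise ValueError("missing TCK byte")
        xor = 0
        for b in data[1:pos + 1]:
            xor ^= b
        atr.tck_ok = xor == 0
        pos += 1
    if pos != len(data):
        raise ValueError(f"{len(data) - pos} unexpected trailing byte(s)")
    if atr.historical and atr.historical[0] == 0x80:   # category indicator 80: compact-TLV follows
        atr.compact_tlv = parse_compact_tlv(atr.historical[1:])
    return atr


def status_indicator(atr: Atr) -> Optional[Tuple[Optional[int], Optional[int]]]:
    """(LCS, SW) from the tag-8 status indicator: length 1 = LCS, 2 = SW, 3 = LCS + SW."""
    for tag, value in atr.compact_tlv:
        if tag == 8:
            lcs = value[0] if len(value) in (1, 3) else None
            sw = int.from_bytes(value[-2:], "big") if len(value) in (2, 3) else None
            return lcs, sw
    return None


if __name__ == "__main__":
    a = parse_atr(CAC_ATR)
    print(a.convention, a.interface_bytes, "T=", a.protocols, a.historical.hex().upper())
    for tag, value in a.compact_tlv:
        print(f"Tag: {tag}, len: {len(value)} ({TAG_NAMES.get(tag, 'unknown')}): {value.hex().upper()}")
    print("LCS, SW:", status_indicator(a))
```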

Configure Firefox

To set up Firefox to authenticate with sites via SSL/PKI, you must:

  • download the DoD Certificates so that you can verify the server, and
  • set up Firefox to read your client certificates from your CAC card.

DoD Certificates

The DoD has created a hierarchy of certificates. The top level certificate signs the intermediate certificate and the intermediate certificate signs the site's certificate in most cases. If you import and trust the topmost certificate, it saves you from having to install and trust a significantly higher number of certificates. The easiest way to install DoD root certificates is to visit http://dodpki.c3pki.chamb.disa.mil/rootca.html and just click on each one to install.

Advanced Install

You may also download the certificates and install each one using the following procedure.

  1. Preferences Menu
  2. Advanced Section
  3. Encryption Tab
  4. View Certificates Button
  5. Authorities Tab
  6. Import Button

Places to download the certificates are:

  • https://crl.chamb.disa.mil/
  • https://eportal.ctnosc.army.mil/ (must have Army Knowledge Online [AKO] account)

Client Certificate Setup

  1. Insert CAC into reader - the green light should flash.
  2. Add `CAC Module` to Firefox as a Security Device
    1. Preferences Menu
    2. Advanced Section
    3. Encryption Tab
    4. Security Devices Button
    5. Load Button
    6. Enter `CAC Module` as the module name, and browse to `/usr/lib/pkcs11/libcoolkeypk11.so` for the module filename.

Testing

You can test this easily by going to https://teamware.dt.navy.mil/ and clicking on 'New Account' at the top. If it works, you should be prompted to enter your PIN and the site should say "Your PKI Certificate has been detected."

Configure Evolution

The Evolution email client does not currently have a means to configure the security device (CAC reader) through the GUI as Firefox or Thunderbird do. However, there is a fairly simple (but obscure, see http://markmail.org/message/f5selpm2egphzaar) workaround that can be executed from the command line. Mozilla's certificate database can be imported into Evolution by copying three files within a terminal window:

cd ~/.mozilla/firefox/*.default
cp cert8.db key3.db secmod.db ~/.evolution/

This appears to import all the DoD certificates and security devices (CAC reader) previously configured in Firefox as outlined in the above instructions. Look under the 'U.S. Government' heading to confirm ('Edit/Preferences.../Certificates/Authorities tab'). You'll need to select each individual certificate (e.g. "DOD CA-11"), click the 'Edit' button, and then select the boxes for both trust to ID sites and trust to ID email users. Do this for all the certificates under the U.S. Government heading. This step is tedious, but you'll only need to do it once.

Next, select the appropriate certificate for signing and encrypting email. From 'Edit/Preferences', click on 'Mail Accounts', select your previously configured AKO/DKO account (either POP or IMAP), click the 'Edit' button, and then the 'Security' tab. Under the 'Secure MIME (S/MIME)' heading, select both the signing and encryption certificates, and any of the option check boxes desired.

When composing a new message, pull down the 'Security' menu and select 'S/MIME Sign' and/or 'S/MIME Encrypt' as appropriate.

Please note the author of the above section (https://launchpad.net/~bob-sims) has not yet fully tested this functionality, but initial testing was successful. Nevertheless, implement with caution.

Note: There is currently no way to authenticate to the Exchange server through Evolution with a CAC; the above instructions only use the CAC for signing and encrypting messages. This has been requested in Bug 253574 (http://bugzilla.gnome.org/show_bug.cgi?id=253574) and may be implemented in version 2.23.x. The bug tracker has a patch for those wishing to recompile Evolution with untested code.

Machine and Screensaver login with CAC

With a little work you can also use your CAC card to log into Ubuntu or un-screenlock. First you need some libraries...

sudo apt-get install libssl-dev libpam0g-dev pkg-config

Then get the latest version of pam_pkcs11 from http://www.opensc-project.org/files/pam_pkcs11. Unzip/untar the file somewhere and cd into the resulting directory. For example, if you downloaded pam_pkcs11-0.6.0.tar.gz (http://www.opensc-project.org/files/pam_pkcs11/pam_pkcs11-0.6.0.tar.gz) into /tmp:

cd /tmp
tar -zxvf pam_pkcs11-0.6.0.tar.gz
cd pam_pkcs11-0.6.0

then build pam_pkcs11:

./configure --prefix=/usr --exec-prefix=/usr
make
sudo make install
sudo ln -s /usr/lib/security/pam_pkcs11.so /lib/security/pam_pkcs11.so

You should end up with files in the following directories: /usr/lib/pam_pkcs11 and /usr/share/pam_pkcs11. According to various docs, make install should create a directory structure at /etc/pam_pkcs11, but it doesn't seem to, so create the following:

sudo mkdir /etc/pam_pkcs11
sudo mkdir /etc/pam_pkcs11/crls
sudo mkdir /etc/pam_pkcs11/cacerts
sudo cp /usr/share/pam_pkcs11/pam_pkcs11.conf.example /etc/pam_pkcs11/pam_pkcs11.conf
sudo touch /etc/pam_pkcs11/subject_mapping

This will take care of the CAC Certs needed by your system:

# note: --no-check-certificate disables TLS verification for this download
wget --no-check-certificate https://airborne.nrl.navy.mil/PKI/AllDoDPKI.tar.gz
sudo mv AllDoDPKI.tar.gz /etc/pam_pkcs11/cacerts/
cd /etc/pam_pkcs11/cacerts/
sudo tar -zxvf AllDoDPKI.tar.gz
sudo rm AllDoDPKI.tar.gz    # the directory is root-owned, so removing the file needs sudo too

This will take care of the Certificate Revocation Lists needed by your system:

cd /tmp    # the cacerts directory above is root-owned, so download somewhere writable first
# note: --no-check-certificate disables TLS verification for this download; the URL is quoted so the shell does not glob the '?'
wget --no-check-certificate 'https://crl.chamb.disa.mil/getcrlzip?ALL+CRL+ZIP'
sudo unzip 'getcrlzip?ALL+CRL+ZIP' -d /etc/pam_pkcs11/crls
rm 'getcrlzip?ALL+CRL+ZIP'

Next, we will edit pam_pkcs11.conf to work properly with our system

sudo gedit /etc/pam_pkcs11/pam_pkcs11.conf

At roughly line 27 change the line that reads

use_pkcs11_module = opensc;

to be

use_pkcs11_module = coolkey;

At around line 72 or so, add the following:

# Coolkey Support
pkcs11_module coolkey {
  module = /usr/lib/pkcs11/libcoolkeypk11.so;
  description = "Coolkey";
  slot_num = 0;
  support_threads = false;
  ca_dir = /etc/pam_pkcs11/cacerts;
  crl_dir = /etc/pam_pkcs11/crls;
  cert_policy = ca;
}

Next scroll down until you see the line

use_mappers = digest, cn, pwent, uid, mail, subject, null;

and change it to

use_mappers = subject;

Then save the file. At some point we'll figure out how to use the LDAP or other mappings, but the above will get you working for now. Next, run the following command:

pkcs11_inspect debug

and copy the line directly below "Printing data for mapper subject:", then run

sudo gedit /etc/pam_pkcs11/subject_mapping

and modify it so you have something like this

/C=US/O=U.S. Government/OU=DoD/OU=PKI/OU=CONTRACTOR/CN=your_cac_username -> local_username
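The configuration above (the coolkey block, use_mappers = subject and the subject_mapping line) can be checked before rebooting. The script below is an added example and not part of this page or of pam_pkcs11: it parses pam_pkcs11's scconf-style syntax from a constructed sample built from the fragment above, confirms that use_pkcs11_module names a defined block, reports which checks cert_policy enables (with cert_policy = ca alone the CRLs unpacked into crl_dir are never consulted, since CRL checking needs one of the crl_* options), and resolves a subject DN through a subject_mapping file the way the subject mapper does, assuming a whole-string match.

```python
"""Check a pam_pkcs11.conf fragment and resolve a subject_mapping entry (added example)."""
from typing import Dict, List, Optional

# Constructed sample: the module block from this page inside the outer block the real file uses.
SAMPLE_CONF = """\
pam_pkcs11 {
  use_pkcs11_module = coolkey;

  # Coolkey Support
  pkcs11_module coolkey {
    module = /usr/lib/pkcs11/libcoolkeypk11.so;
    description = "Coolkey";
    slot_num = 0;
    support_threads = false;
    ca_dir = /etc/pam_pkcs11/cacerts;
    crl_dir = /etc/pam_pkcs11/crls;
    cert_policy = ca;
  }

  use_mappers = subject;
}
"""
# Constructed subject_mapping: "<subject DN as printed by pkcs11_inspect> -> <local user>"; the CNs are made up.
SAMPLE_SUBJECT_MAPPING = """\
/C=US/O=U.S. Government/OU=DoD/OU=PKI/OU=CONTRACTOR/CN=DOE.JANE.1234567890 -> jdoe
/C=US/O=U.S. Government/OU=DoD/OU=PKI/OU=USA/CN=SMITH.JOHN.0987654321 -> jsmith
"""


def parse_scconf(text: str) -> dict:
    """Parse scconf syntax: 'key = value;' settings and 'type [name] { ... }' blocks.
    Settings are stored under their name, blocks under the tuple (type, name)."""
    root: dict = {}
    stack: List[dict] = [root]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # '#' starts a comment
        if not line:
            continue
        if line.endswith("{"):
            head = line[:-1].split()
            block: dict = {}
            stack[-1][(head[0], head[1] if len(head) > 1 else None)] = block
            stack.append(block)
        elif line == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}'")
            stack.pop()
        else:
            name, eq, value = line.partition("=")
            if not eq:
                raise ValueError(f"cannot parse: {raw!r}")
            # ';' is the normal terminator; tolerate its absence (the page's 'module =' line has none)
            stack[-1][name.strip()] = value.strip().rstrip(";").strip().strip('"')
    if len(stack) != 1:
        raise ValueError("unclosed block")
    return root


def check_module(conf: dict) -> dict:
    """Resolve use_pkcs11_module to its block and report what cert_policy actually enables."""
    top = conf[("pam_pkcs11", None)]
    name = top["use_pkcs11_module"]
    mod = top.get(("pkcs11_module", name))
    if mod is None:
        raise ValueError(f"use_pkcs11_module = {name} but there is no pkcs11_module {name} block")
    policy = [p.strip() for p in mod.get("cert_policy", "none").split(",")]
    crl_checked = any(p.startswith("crl_") for p in policy)   # crl_auto / crl_offline / crl_online
    return {
        "module": mod["module"],
        "cert_policy": policy,
        "crl_checked": crl_checked,
        "crl_dir_unused": bool(mod.get("crl_dir")) and not crl_checked,   # true for the page's setting
        "mappers": [m.strip() for m in top.get("use_mappers", "").split(",")],
    }


def load_subject_mapping(text: str, ignorecase: bool = False) -> Dict[str, str]:
    """Lines of 'DN -> user'; blank lines are skipped."""
    mapping: Dict[str, str] = {}
    for raw in text.splitlines():
        if not raw.strip():
            continue
        dn, arrow, user = raw.rpartition("->")
        if not arrow:
            raise ValueError(f"no '->' in mapping line: {raw!r}")
        mapping[dn.strip().lower() if ignorecase else dn.strip()] = user.strip()
    return mapping


def map_subject(dn: str, mapping: Dict[str, str], ignorecase: bool = False) -> Optional[str]:
    """Whole-string DN match (assumption: only trimming and the ignorecase option are applied)."""
    key = dn.strip()
    return mapping.get(key.lower() if ignorecase else key)
```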

Ok, we're almost done. Now edit /etc/pam.d/gdm and add the line "auth sufficient pam_pkcs11.so" to the top of the list so you have something like this

#%PAM-1.0
auth    sufficient      pam_pkcs11.so
auth    requisite       pam_nologin.so
auth    required        pam_env.so
@include common-auth
@include common-account
session required        pam_limits.so
@include common-session
@include common-password

Do the same for /etc/pam.d/gnome-screensaver

auth    sufficient      pam_pkcs11.so
@include common-auth

If you're feeling really adventurous you can add the line to the top of /etc/pam.d/common-auth and Ubuntu will try to use CAC authentication for everything including ssh, su, sudo, etc.

Try rebooting and logging in with your CAC card. At the username prompt in Feisty I had to just hit enter, then it asked me for my CAC PIN. When un-screenlocking, it works best if you insert the CAC card into the reader before you hit a key or move the mouse to get the unlock authentication prompt.

One thing to note: if you are using a Windows virtual machine under VMware Player or Server with CAC authentication in the virtual machine, the virtual machine will tie up the reader so Ubuntu can't get access to it. You'll get errors like "token unavailable".

Lock Gnome Screensaver on Card Removal

The package pcsc-tools includes the tool pcsc_scan. This command line application prints the insertion and removal of a smart card to stdout. Using this information, a script can be written to recognize this change. The following script requires the package inotify-tools.

#!/bin/bash
# Locks the GNOME screensaver when the card is removed and unlocks it when the
# card whose ATR is on line 13 is inserted.
if [ "$(pidof pcsc_scan)" ]; then
    echo pcsc_scan is running
else
    pcsc_scan -n > ~/cardscan.txt &
fi

while inotifywait ~/cardscan.txt
do
    # replace the XX's with the "ATR: ..." line of your own card
    tail -n 3 ~/cardscan.txt | grep "XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX"

    if [ $? -eq 0 ]; then
        echo unlocked
        gnome-screensaver-command -d
    else
        tail -n 3 ~/cardscan.txt | grep removed
        if [ $? -eq 0 ]; then
            gnome-screensaver-command --lock -a
        fi
    fi
done

After saving this script, you need to update line 13. Run pcsc_scan and look for the line that says "ATR: XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX"; on mine, it is the fourth line. The XX's will be unique to your card. Update the XX's in the script with your unique line. Make the script executable, and add it to System->Preferences->Startup Applications. This script will only unlock the screensaver when your CAC is inserted; if you do not want the unlock behaviour, simply comment out line 17: "gnome-screensaver-command -d".

References

Big thanks to symbolik (http://symbolik.wordpress.com/about/) and his article "Using DoD CAC and smartcard Readers on Linux" (http://symbolik.wordpress.com/2007/02/25/using-dod-cac-and-smartcard-readers-on-linux/).

Department of Defense PKI Management: https://crl.chamb.disa.mil/

Naval Research Laboratory DoD PKI Notes: https://airborne.nrl.navy.mil/PKI/ and accompanying PDF: http://www7320.nrlssc.navy.mil/pubs/2006/CommonAccessCardLinux.pdf

Relevant Discussion Threads

  • http://ubuntuforums.org/showthread.php?t=457084
  • http://ubuntuforums.org/showthread.php?t=294200
  • http://ubuntuforums.org/showthread.php?t=454234
  • http://ubuntuforums.org/showthread.php?t=1221961