UbuntuHelp:CommonAccessCard

From Ubuntu中文

{{From|https://help.ubuntu.com/community/CommonAccessCard}}
{{Languages|UbuntuHelp:CommonAccessCard}}
The U.S. Department of Defense (DoD) issues Common Access Cards (CAC), which are smart cards set up in a particular way.  You can use these cards for Public Key Infrastructure (PKI) authentication and for signing, encrypting, verifying and decrypting email.

== Public Key Infrastructure (PKI) Authentication ==
Get a `pcscd`/ccid compatible smart card reader.  Verified readers are
* SCM Micro SCR331
** http://computers.pricegrabber.com/flash-memory-readers-accs/m/38231912/search=SCR331
** you must flash the reader to the latest firmware - [http://www.txsystems.com/scm.html]
*** unless someone knows another way, this must be done from a Windows machine

=== Install the Software ===
<pre><nowiki>
sudo apt-get install pcscd pcsc-tools libccid libpcsclite-dev
</nowiki></pre>
NOTE: libpcsclite-dev is only needed for compiling Coolkey, since Coolkey is currently not a Debian package.

For Ubuntu Feisty the following is recommended, or you may get dependency errors when compiling Coolkey:
<pre><nowiki>
sudo apt-get install libusb-0.1-4 libpcsclite1 libpcsclite-dev pcscd pcsc-tools build-essential autoconf xlibs-dev libccid
</nowiki></pre>
At this point you should be able to verify that your reader and CAC are working by running `pcsc_scan`.  It should output something like this; the last lines are the card's ATR being matched against the pattern lines in /usr/share/pcsc/smartcard_list.txt.
<pre><nowiki>
PC/SC device scanner
V 1.4.8 (c) 2001-2006, Ludovic Rousseau <[email protected]>
Compiled with PC/SC lite version: 1.3.2
Scanning present readers
0: SCM SCR 331 (21120725209424) 00 00

Sat Sep 22 12:28:23 2007
Reader 0: SCM SCR 331 (21120725209424) 00 00
  Card state: Card inserted,
  ATR: 3B 6B 00 00 80 65 B0 83 01 04 74 83 00 90 00

ATR: 3B 6B 00 00 80 65 B0 83 01 04 74 83 00 90 00
+ TS = 3B --> Direct Convention
+ T0 = 6B, Y(1): 0110, K: 11 (historical bytes)
  TB(1) = 00 --> VPP is not electrically connected
  TC(1) = 00 --> Extra guard time: 0
+ Historical bytes: 80 65 B0 83 01 04 74 83 00 90 00
  Category indicator byte: 80 (compact TLV data object)
    Tag: 6, len: 5 (pre-issuing data)
      Data: B0 83 01 04 74
    Tag: 8, len: 3 (status indicator)
      LCS (life card cycle): 00 (No information given)
      SW: 9000 (Normal processing.)

Possibly identified card (using /usr/share/pcsc/smartcard_list.txt):
3B 6B 00 00 80 65 B0 83 01 04 74 83 00 90 00
	Gemplus GXP3 64V2N
	U.S. Department of Defense Common Access Card (DoD CAC)
</nowiki></pre>
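The fields pcsc_scan decoded above follow ISO 7816-3 (TS, T0, the interface bytes selected by each Y nibble, then K historical bytes), and the "Possibly identified card" lines come from matching the ATR against pattern lines in smartcard_list.txt, where `.` stands for any hex digit. The Python script below is an added example, not code from the page or from pcsc-tools: it decodes the page's ATR the same way, including the compact-TLV objects in the historical bytes and the TCK check byte that only appears when a protocol other than T=0 is offered, and matches it against a two-entry excerpt in the list's format. Only CAC_ATR_HEX and the DoD CAC entry are taken from the page; the wildcard entry is constructed.

```python
"""ISO 7816-3 ATR decoder and smartcard_list.txt-style matcher (added example).

Reproduces the decoding pcsc_scan printed above for the DoD CAC ATR.
CAC_ATR_HEX and the DoD CAC list entry are from the page; the rest of
SMARTCARD_LIST is a constructed excerpt in the real file's format
(ATR pattern line, '.' matching any hex digit, then tab-indented names).
"""
import re

CAC_ATR_HEX = "3B 6B 00 00 80 65 B0 83 01 04 74 83 00 90 00"
SMARTCARD_LIST = """\
3B 6B 00 00 80 65 B0 83 01 04 74 83 00 90 00
\tGemplus GXP3 64V2N
\tU.S. Department of Defense Common Access Card (DoD CAC)
3B 7. 00 00 00 .. .. .. .. .. .. .. 90 00
\tConstructed wildcard entry (not a real card)
"""


def parse_historical(hist):
    """Decode historical bytes; only category indicator 0x80 (compact TLV) is expanded."""
    out = {"category": hist[0] if hist else None, "objects": []}
    if not hist or hist[0] != 0x80:
        return out
    pos = 1
    while pos < len(hist):
        tag, ln = hist[pos] >> 4, hist[pos] & 0x0F
        value = hist[pos + 1:pos + 1 + ln]
        if len(value) != ln:
            raise ValueError("truncated compact-TLV object")
        obj = {"tag": tag, "value": value.hex()}
        if tag == 8 and ln == 3:                 # status indicator: LCS, then SW1 SW2
            obj["lcs"], obj["sw"] = value[0], "%02X%02X" % (value[1], value[2])
        out["objects"].append(obj)
        pos += 1 + ln
    return out


def parse_atr(atr_hex):
    """Split an ATR into convention, interface bytes, protocols, historical bytes and TCK status."""
    atr = bytes.fromhex(atr_hex.replace(" ", ""))
    if len(atr) < 2 or atr[0] not in (0x3B, 0x3F):
        raise ValueError("not an ATR")
    k, y, pos, i = atr[1] & 0x0F, atr[1] >> 4, 2, 1   # T0: Y(1) nibble and K historical bytes
    interface, protocols = [], set()
    while True:                                       # TA(i)..TD(i) are present as the Y(i) bits say
        for bit, name in ((1, "TA"), (2, "TB"), (4, "TC"), (8, "TD")):
            if y & bit:
                if pos >= len(atr):
                    raise ValueError("truncated interface bytes")
                interface.append(("%s%d" % (name, i), atr[pos]))
                pos += 1
        if not y & 8:
            break
        td = interface[-1][1]                         # TD(i): low nibble = T, high nibble = Y(i+1)
        protocols.add(td & 0x0F)
        y, i = td >> 4, i + 1
    protocols = protocols or {0}                      # no TD byte at all means T=0 only
    hist = atr[pos:pos + k]
    if len(hist) != k:
        raise ValueError("truncated historical bytes")
    pos += k
    tck_ok = None                                     # TCK exists only if something other than T=0 is offered
    if protocols != {0}:
        if pos >= len(atr):
            raise ValueError("TCK missing")
        x = 0
        for b in atr[1:pos + 1]:                      # XOR of T0 .. TCK inclusive must be zero
            x ^= b
        tck_ok, pos = x == 0, pos + 1
    if pos != len(atr):
        raise ValueError("trailing bytes after ATR")
    return {"convention": "direct" if atr[0] == 0x3B else "inverse",
            "interface": interface, "protocols": sorted(protocols),
            "historical": parse_historical(hist), "tck_ok": tck_ok}


def identify(atr_hex, smartcard_list=SMARTCARD_LIST):
    """Names under every pattern line that matches, as pcsc_scan's 'Possibly identified card' does."""
    target = atr_hex.upper().replace(" ", "")
    names, pattern = [], None
    for line in smartcard_list.splitlines():
        if line.startswith("\t"):
            if pattern is not None and re.fullmatch(pattern, target):
                names.append(line.strip())
        elif line.strip() and not line.startswith("#"):
            pattern = line.strip().upper().replace(" ", "")
    return names


if __name__ == "__main__":
    info = parse_atr(CAC_ATR_HEX)
    print(info["convention"], info["protocols"], info["interface"])
    print(info["historical"])
    print("matches:", identify(CAC_ATR_HEX))
```

Running it with python3 prints the same TB1/TC1, compact-TLV and "matches" information as the pcsc_scan output above. The practical use is the other direction: when pcsc_scan reports a card as unidentified, feeding its ATR through `parse_atr` tells you whether the ATR is at least well formed (consistent TCK, no truncated TLV) before you start suspecting the reader firmware or the CCID driver.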

Download and extract the [http://directory.fedoraproject.org/wiki/CoolKey#Download_the_latest_version latest stable version of CoolKey] (verified with 1.1.0).  Once you've extracted the files to a folder, open a terminal, `cd` to that directory and run the following commands.

NOTE: Coolkey is in the repository for Gutsy - [http://packages.ubuntu.com/gutsy/admin/coolkey]
<pre><nowiki>
sudo mkdir /usr/cac
./configure --prefix=/usr/cac
make
sudo make install
</nowiki></pre>
At this point your hardware and drivers are set up.

=== Configure Firefox ===
To set up Firefox to authenticate with sites via SSL/PKI, you must:
* download the DoD certificates so that you can verify the server, and
* set up Firefox to read your client certificates from your CAC.

==== DoD Certificates ====
The DoD has created a hierarchy of certificates.  The top level certificate signs the intermediate certificate and the intermediate certificate signs the site's certificate in most cases.  If you import and trust the top most certificate, it saves you from having to install and trust a significantly higher number of certificates.  I believe the hierarchy looks something like this
* ECA Root CA - See http://iase.disa.mil/pki/eca/
* DoD Root CA
*** DoD CLASS 3 CA-X (1-
** DoD Root CA 2

I don't know what the classes represent.  This hierarchy is probably not correct.

The easiest way to install fairly high level certificates is to visit http://dodpki.c3pki.chamb.disa.mil/rootca.html and just click on each one to install.  That page is served over plain HTTP, so before trusting anything from it as a certificate authority compare its fingerprint (for a saved DER file, `openssl x509 -inform DER -in file.cer -noout -fingerprint`; drop `-inform DER` for PEM) with a fingerprint you obtained from DISA through another channel; otherwise you are trusting whatever the network handed you.

===== Advanced Install =====
You may also download the certificates and install each one using the following procedure.
# ''Preferences'' Menu
# ''Advanced'' Section
# ''Encryption'' Tab
# ''View Certificates'' Button
# ''Authorities'' Tab
# ''Import'' Button

Places to download the certificates are:
* https://crl.chamb.disa.mil/
* https://eportal.ctnosc.army.mil/ (must have Army Knowledge Online [AKO] account)

==== Client Certificate Setup ====
# Insert the CAC into the reader - the green light should flash.
# Add `CAC Module` to Firefox as a Security Device
## ''Preferences'' Menu
## ''Advanced'' Section
## ''Encryption'' Tab
## ''Security Devices'' Button
## ''Load'' Button
## Enter `CAC Module` as the module name, and browse to `/usr/cac/lib/pkcs11/libcoolkeypk11.so` for the module filename.

=== Testing ===
You can test this easily by going to https://teamware.dt.navy.mil/ and clicking on ``New Account`` at the top.  If it works, you should be prompted to enter your PIN and the site should say ''Your PKI Certificate has been detected.''

=== Machine and Screensaver login with CAC ===
With a little work you can also use your CAC to log into Ubuntu or unlock the screensaver.

First you need some libraries:
<pre><nowiki>
sudo apt-get install libssl-dev libpam0g-dev
</nowiki></pre>
Then get the latest version of pam_pkcs11 from [http://www.opensc-project.org/files/pam_pkcs11].

Unzip/untar the file somewhere and `cd` into the resulting directory.  For example, if you downloaded [http://www.opensc-project.org/files/pam_pkcs11/pam_pkcs11-0.6.0.tar.gz pam_pkcs11-0.6.0.tar.gz] into /tmp:
<pre><nowiki>
cd /tmp
tar -zxvf pam_pkcs11-0.6.0.tar.gz
cd pam_pkcs11-0.6.0
</nowiki></pre>
then build pam_pkcs11 (the symlink into /lib/security needs root, hence the `sudo`):
<pre><nowiki>
./configure --prefix=/usr --exec-prefix=/usr
make
sudo make install
sudo ln -s /usr/lib/security/pam_pkcs11.so /lib/security/pam_pkcs11.so
</nowiki></pre>
You should end up with files in /usr/lib/pam_pkcs11 and /usr/share/pam_pkcs11.

According to various docs, make install should create a directory structure at /etc/pam_pkcs11, but it doesn't seem to, so create the following:
<pre><nowiki>
sudo mkdir /etc/pam_pkcs11
sudo mkdir /etc/pam_pkcs11/crls
sudo mkdir /etc/pam_pkcs11/cacerts
sudo cp /usr/share/pam_pkcs11/pam_pkcs11.conf.example /etc/pam_pkcs11/pam_pkcs11.conf
sudo touch /etc/pam_pkcs11/subject_mapping
</nowiki></pre>
Then edit /etc/pam_pkcs11/pam_pkcs11.conf.

At roughly line 27 change the line that reads
<pre><nowiki>
use_pkcs11_module = opensc;
</nowiki></pre>
to be
<pre><nowiki>
use_pkcs11_module = coolkey;
</nowiki></pre>
At around line 72 or so add the following (every setting, including the `module` line, ends with a semicolon like the rest of the file):
<pre><nowiki>
# Coolkey Support
pkcs11_module coolkey {
  module = /usr/cac/lib/pkcs11/libcoolkeypk11.so;
  description = "Coolkey";
  slot_num = 0;
  support_threads = false;
  ca_dir = /etc/pam_pkcs11/cacerts;
  crl_dir = /etc/pam_pkcs11/crls;
  # cert_policy = ca, crl_offline, signature;
  cert_policy = none;
}
</nowiki></pre>
The example above does not check whether the certificate on the CAC chains to a trusted CA, has expired or has been revoked.  Worse, with `cert_policy = none` pam_pkcs11 never asks the card to sign a challenge (that is what the `signature` policy does), so nothing proves the token holds the private key matching the certificate it presents: any PKCS#11 token carrying a certificate with the right subject would pass, and the only thing between it and a login is the mapping below.  Change `cert_policy` to something like `ca, crl_offline, signature` for real validation.  You'll also need to download and install the certificate authority certs into /etc/pam_pkcs11/cacerts and the certificate revocation lists into /etc/pam_pkcs11/crls, and keep the CRLs current, since `crl_offline` only consults the files on disk.

Next scroll down until you see the line
<pre><nowiki>
use_mappers = digest, cn, pwent, uid, mail, subject, null;
</nowiki></pre>
and change it to
<pre><nowiki>
use_mappers = subject;
</nowiki></pre>
then save the file.  At some point we'll figure out how to use the LDAP or other mappings - but the above will get you working for now.

Next run the following command
<pre><nowiki>
pkcs11_inspect debug
</nowiki></pre>
and copy the line directly below "Printing data for mapper subject:" into /etc/pam_pkcs11/subject_mapping, then modify it so you have something like this (copy the DN exactly as printed; the mapping is a string comparison, so a different case or spacing will not match):
<pre><nowiki>
/C=US/O=U.S. Government/OU=DoD/OU=PKI/OU=CONTRACTOR/CN=your_cac_username -> local_username
</nowiki></pre>
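The two weak spots this section leaves behind are `cert_policy = none` and a hand-edited subject mapping, so here is an added example (not code from the page or from pam_pkcs11) that lints both: it parses the brace-and-semicolon syntax of pam_pkcs11.conf into nested dicts, flags a policy missing `ca`, `signature` or a `crl_*` entry, and parses subject_mapping into rules while reporting malformed lines, duplicate DNs and mappings to root. SAMPLE_CONF is the page's coolkey block (two settings dropped for brevity) wrapped in the `pam_pkcs11 { }` block the real file uses; the DNs and user names in SAMPLE_MAPPING are constructed. `map_subject` assumes an exact, case-sensitive comparison, which is what copying the pkcs11_inspect line verbatim, as the page instructs, guarantees.

```python
"""Lint for the pam_pkcs11 setup above (added example, not part of pam_pkcs11).

Parses the scconf-style block syntax of pam_pkcs11.conf and the 'DN -> user'
lines of subject_mapping, then reports the weaknesses the page warns about.
SAMPLE_CONF is the page's coolkey block inside pam_pkcs11 { }; SAMPLE_MAPPING
is constructed.
"""
import re

SAMPLE_CONF = """\
pam_pkcs11 {
  use_pkcs11_module = coolkey;
  pkcs11_module coolkey {
    module = /usr/cac/lib/pkcs11/libcoolkeypk11.so;
    description = "Coolkey";
    ca_dir = /etc/pam_pkcs11/cacerts;
    crl_dir = /etc/pam_pkcs11/crls;
    # cert_policy = ca, crl_offline, signature;
    cert_policy = none;
  }
  use_mappers = subject;
}
"""
SAMPLE_MAPPING = """\
# DN exactly as pkcs11_inspect prints it -> local user (constructed examples)
/C=US/O=U.S. Government/OU=DoD/OU=PKI/OU=CONTRACTOR/CN=DOE.JOHN.1234567890 -> jdoe
/C=US/O=U.S. Government/OU=DoD/OU=PKI/OU=CONTRACTOR/CN=ROE.JANE.0987654321 -> root
"""
TOKEN = re.compile(r'"[^"]*"|[{};]|[^\s{};]+')   # quoted string, brace/semicolon, or bare word


def parse_scconf(text):
    """'key = value;' -> str, 'name label { ... }' -> nested dict, '#' starts a comment."""
    tokens = [t for line in text.splitlines() for t in TOKEN.findall(line.split("#", 1)[0])]
    pos = 0

    def block():
        nonlocal pos
        out, words = {}, []
        while pos < len(tokens):
            tok, pos = tokens[pos], pos + 1
            if tok == "}":
                return out
            if tok == "{":                      # e.g. 'pkcs11_module coolkey {' opens a sub-block
                out[" ".join(words)] = block()
            elif tok == ";":                    # a setting must be exactly 'key = value' before ';'
                if len(words) < 3 or words[1] != "=" or "=" in words[2:]:
                    raise ValueError("bad or unterminated setting near %r" % " ".join(words))
                out[words[0]] = " ".join(words[2:]).strip('"')
            else:
                words.append(tok)
                continue
            words = []
        return out

    return block()


def syntax_error(text):
    """None if the text parses, else the parser's message (a missing ';' is the usual one)."""
    try:
        parse_scconf(text)
    except ValueError as e:
        return str(e)
    return None


def lint_conf(text):
    """Findings about the cert_policy of the module named by use_pkcs11_module."""
    top = parse_scconf(text)
    cfg = top.get("pam_pkcs11", top)
    module = cfg.get("use_pkcs11_module")
    blk = cfg.get("pkcs11_module %s" % module)
    if blk is None:
        return ["use_pkcs11_module = %s has no matching pkcs11_module block" % module]
    policy = [p.strip() for p in blk.get("cert_policy", "none").split(",")]
    findings = []
    if "none" in policy:
        return ["cert_policy = none: no chain, revocation or key-possession check"]
    for need, why in (("ca", "issuer chain is not validated"),
                      ("signature", "card never proves it holds the private key")):
        if need not in policy:
            findings.append("cert_policy lacks %r: %s" % (need, why))
    if not any(p.startswith("crl") for p in policy):
        findings.append("cert_policy has no crl_* entry: revoked cards are accepted")
    return findings


def lint_mapping(text, privileged=("root",)):
    """Parse 'DN -> user' lines into rules; flag malformed lines, duplicate DNs and privileged targets."""
    rules, findings, seen = [], [], {}
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if " -> " not in line:
            findings.append("line %d: not of the form 'DN -> user'" % n)
            continue
        dn, user = (s.strip() for s in line.rsplit(" -> ", 1))
        if user in privileged:
            findings.append("line %d: maps a card to privileged account %s" % (n, user))
        if dn in seen:
            findings.append("line %d: DN already mapped on line %d" % (n, seen[dn]))
        seen.setdefault(dn, n)
        rules.append((dn, user))
    return rules, findings


def map_subject(rules, dn):
    """Exact, case-sensitive lookup of a certificate subject in the parsed rules."""
    return next((user for d, user in rules if d == dn), None)
```

Point `lint_conf` at the text of /etc/pam_pkcs11/pam_pkcs11.conf and `lint_mapping` at /etc/pam_pkcs11/subject_mapping once they exist; an empty findings list from both is the state you want before enabling the PAM line in the next step.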

Ok, we're almost done.  Now edit /etc/pam.d/gdm and add the line "auth sufficient pam_pkcs11.so" to the top of the list so you have something like this
<pre><nowiki>
#%PAM-1.0
auth    sufficient      pam_pkcs11.so
auth    requisite       pam_nologin.so
auth    required        pam_env.so
@include common-auth
@include common-account
session required        pam_limits.so
@include common-session
@include common-password
</nowiki></pre>
Note what `sufficient` means here: when pam_pkcs11 succeeds, PAM returns success for the whole auth stack immediately, so in the order shown neither pam_nologin (the /etc/nologin check) nor pam_env runs for card logins, while a failed or absent card simply falls through to the password modules in common-auth.  If you want those two checks kept, put the pam_pkcs11 line after `pam_env.so` and before `@include common-auth` instead.

Do the same for /etc/pam.d/gnome-screensaver
<pre><nowiki>
auth    sufficient      pam_pkcs11.so
@include common-auth
</nowiki></pre>
If you're feeling really adventurous you can add the line to the top of /etc/pam.d/common-auth and Ubuntu will try to use CAC authentication for everything including ssh, su, sudo, etc.  Because the line is `sufficient`, the card becomes an alternative to the password everywhere, not an additional requirement.

Try rebooting and logging in with your CAC.  At the username prompt in Feisty I had to just hit enter, then it asked me for my CAC PIN.  When unlocking the screensaver, it works best if you insert the CAC into the reader before you hit a key or move the mouse to get the unlock authentication prompt.

One thing to note: if you are using a Windows virtual machine under VMware Player or Server with CAC authentication in the virtual machine, the virtual machine will tie up the reader so Ubuntu can't get access to it.  You'll get errors like "token unavailable".

== References ==
Big thanks to [http://symbolik.wordpress.com/about/ symbolik] and his article [http://symbolik.wordpress.com/2007/02/25/using-dod-cac-and-smartcard-readers-on-linux/ Using DoD CAC and smartcard Readers on Linux]

=== Relevant Discussion Threads ===
* [http://ubuntuforums.org/showthread.php?t=457084]
* [http://ubuntuforums.org/showthread.php?t=294200]

Revision as of 16:29, 30 November 2007 (Friday)