UbuntuHelp:CommonAccessCard
来自Ubuntu中文
 |
点击翻译: |
English |
请不要直接编辑翻译本页,本页将定期与来源同步。 |
The Department of Defence DoD issues Common Access Cards (CAC) which are smart cards setup in a particular way. You can use these cards for Public Key Infrastructure (PKI) Authentication and signing/encrypting/verifying/decrypting email.
目录
Public Key Infrastructure (PKI) Authentication
Get a `pcscd`/ccid compatible smart card reader. Verified readers are
- SCM Micro SCR331
- http://www.cdw.com/shop/products/default.aspx?EDC=419432
- http://computers.pricegrabber.com/flash-memory-readers-accs/m/38231912/search=SCR331
- you must flash the reader to the latest firmware - [1]
- unless someone knows another way, this must be done from a windows machine
Install the Software
sudo apt-get install pcscd pcsc-tools libccid libpcsclite-dev
NOTE: libpcsclite-dev is only needed for Coolkey compililation since it's currently not a debian package. For Ubuntu Feisty recommend the following or you may get dependency errors when compiling Coolkey
sudo apt-get install libusb-0.1-4 libpcsclite1 libpcsclite-dev pcscd pcsc-tools build-essential autoconf xlibs-dev libccid
At this point you should be able to verify that your cac card is working by running `pcsc_scan`. It should output something like this.
PC/SC device scanner V 1.4.8 (c) 2001-2006, Ludovic Rousseau <[email protected]> Compiled with PC/SC lite version: 1.3.2 Scanning present readers 0: SCM SCR 331 (21120725209424) 00 00 Sat Sep 22 12:28:23 2007 Reader 0: SCM SCR 331 (21120725209424) 00 00 Card state: Card inserted, ATR: 3B 6B 00 00 80 65 B0 83 01 04 74 83 00 90 00 ATR: 3B 6B 00 00 80 65 B0 83 01 04 74 83 00 90 00 + TS = 3B --> Direct Convention + T0 = 6B, Y(1): 0110, K: 11 (historical bytes) TB(1) = 00 --> VPP is not electrically connected TC(1) = 00 --> Extra guard time: 0 + Historical bytes: 80 65 B0 83 01 04 74 83 00 90 00 Category indicator byte: 80 (compact TLV data object) Tag: 6, len: 5 (pre-issuing data) Data: B0 83 01 04 74 Tag: 8, len: 3 (status indicator) LCS (life card cycle): 00 (No information given) SW: 9000 (Normal processing.) Possibly identified card (using /usr/share/pcsc/smartcard_list.txt): 3B 6B 00 00 80 65 B0 83 01 04 74 83 00 90 00 Gemplus GXP3 64V2N U.S. Department of Defense Common Access Card (DoD CAC)
Download and extract the latest stable version of CoolKey. (verified with 1.1.0) Once you've extracted the files to a folder open up a terminal and `cd` to that directory and run the following commands. NOTE: Coolkey is in the repository for Gutsy - [2]
sudo mkdir /usr/cac ./configure --prefix=/usr/cac make sudo make install
At this point your hardware and drivers are setup.
Configure Firefox
To setup Firefox to authenticate with sites via SSL/PKI, you must:
- download the DoD Certificates so that you can verify the server, and
- setup firefox to read your client certificates from your CAC card.
DoD Certificates
The DoD has created a hierarchy of certificates. The top level certificate signs the intermediate certificate and the intermediate certificate signs the site's certificate in most cases. If you import and trust the top most certificate, it saves you from having to install and trust a significantly higher number of certificates. I believe the hierarchy looks something like this
- ECA Root CA - See http://iase.disa.mil/pki/eca/
- DoD Root CA
- DoD CLASS 3 Root CA
- DoD CLASS 3 CA-X (1-
- DoD Root CA 2
- DoD CLASS 3 Root CA
I don't know what the classes represent. This hierarchy is probably not correct. The easiest way to install fairly high level certificates is to visit http://dodpki.c3pki.chamb.disa.mil/rootca.html and just click on each one to install.
Advanced Install
You may also download the certificates and install each one using the following procedure.
- Preferences Menu
- Advanced Section
- Encryption Tab
- View Certificates Button
- Authorities Tab
- Import Button
Places to download the certificates are:
- https://crl.chamb.disa.mil/
- https://eportal.ctnosc.army.mil/ (must have Army Knowledge Online [AKO] account)
Client Certificate Setup
- Insert CAC into reader - the green light should flash.
- Add `CAC Module` to Firefox as a Security Device
- Preferences Menu
- Advanced Section
- Encryption Tab
- Security Devices Button
- Load Button
- Enter `CAC Module` as the module name, and browse to `/usr/cac/lib/pkcs11/libcoolkeypk11.so` for the module filename.
Testing
You can test this easily by going to https://teamware.dt.navy.mil/ and clicking on ``New Account`` at the top. If it works, you should be prompted to enter your PIN and the site should say Your PKI Certificate has been detected.
Machine and Screensaver login with CAC
With a little work you can also use your CAC card to log into Ubuntu or un-screenlock. First you need some libraries...
sudo apt-get install libssl-dev libpam0g-dev
Then get the latest version of pam_pkcs11 from [3] Unzip/Untar the file somewhere and cd into the resulting directory. For example if you downloaded pam_pkcs11-0.6.0.tar.gz into /tmp
cd /tmp tar -zxvf pam_pkcs11-0.6.0.tar.gz cd pam_pkcs11-0.6.0
then build pam_pkcs
./configure --prefix=/usr --exec-prefix=/usr make sudo make install ln -s /usr/lib/security/pam_pkcs11.so /lib/security/pam_pkcs11.so
you should end up with files in the following directories /usr/lib/pam_pkcs11 and /usr/share/pam_pkcs11 According to various docs, make install should create a directory structure at /etc/pam_pkcs11 but it doesn't seem to, so create the following
sudo mkdir /etc/pam_pkcs11 sudo mkdir /etc/pam_pkcs11/crls sudo mkdir /etc/pam_pkcs11/cacerts sudo cp /usr/share/pam_pkcs11/pam_pkcs11.conf.example /etc/pam_pkcs11/pam_pkcs11.conf sudo touch /etc/pam_pkcs11/subject_mapping
then edit /etc/pam_pkcs11/pam_pkcs11.conf At roughly line 27 change the line that reads
use_pkcs11_module = opensc;
to be
use_pkcs11_module = coolkey;
at around line 72 or so add the following
# Coolkey Support
pkcs11_module coolkey {
module = /usr/cac/lib/pkcs11/libcoolkeypk11.so
description = "Coolkey";
slot_num = 0;
support_threads = false;
ca_dir = /etc/pam_pkcs11/cacerts;
crl_dir = /etc/pam_pkcs11/crls;
# cert_policy = ca, crl_offline,signature;
cert_policy = none;
}
The example above does not do any checking to see if the CAC card is still valid or is expired. Change cert_policy as appropriate to do validity checking. You'll also need to download and install the certificate authority certs into /etc/pam_pkcs11/cacerts and the certificate revocation lists into /etc/pam_pkcs11/crls Next scroll down until you see the line
use_mappers = digest, cn, pwent, uid, mail, subject, null;
and change it to
use_mappers = subject;
then save the file. At some point we'll figure out how to use the LDAP or other mappings - but the above will get you working for now. Next run the following command
pkcs11_inspect debug
and copy the line directly below "Printing data for mapper subject:" into /etc/pam_pkcs11/subject_mapping and modify it so you have something like this
/C=US/O=U.S. Government/OU=DoD/OU=PKI/OU=CONTRACTOR/CN=your_cac_username -> local_username
Ok, we're almost done. Now edit /etc/pam.d/gdm and add the line "auth sufficient pam_pkcs11.so" to the top of the list so you have something like this
#%PAM-1.0 auth sufficient pam_pkcs11.so auth requisite pam_nologin.so auth required pam_env.so @include common-auth @include common-account session required pam_limits.so @include common-session @include common-password
Do the same for /etc/pam.d/gnome-screensaver
auth sufficient pam_pkcs11.so @include common-auth
If you're feeling really adventurous you can add the line to the top of /etc/pam.d/common-auth and Ubuntu will try to use CAC authentication for everything including ssh, su, sudo, etc. Try rebooting and logging in with your CAC card. At the username prompt in Feisty I had to just hit enter, then it asked me for my CAC PIN. When un-screenlocking, it works best if you insert the CAC card into the reader before you hit a key or move the mouse to get the unlock authentication prompt. One thing to note. If you are using a Windows virtual machine under VMware Player or Server with CAC authentication in the virtual machine - the virtual machine will tie up the reader so Ubuntu can't get access to it. You'll get errors like token unavailable.
References
Big thanks to symbolik and his aricle Using DoD CAC and smartcard Readers on Linux
