Skip to content
forked from jdjaxon/linux_cac

A project for consistently configuring DOD Common Access Cards on Linux.

Notifications You must be signed in to change notification settings

choman/linux_cac

 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

94 Commits
 
 
 
 
 
 

Repository files navigation

Linux CAC Configuration

A project for consistently configuring DOD CACs on Linux. Currently, this process will not work with Firefox if it is installed via snap. Before using this project, please review the Known Issues section.

Table of Contents

Click to Toggle Expansion
  1. Supported Configurations
  2. Installation
    1. Automated Installation
      1. Methods
    2. Manual Installation
      1. Staging
      2. Browser Configuration
        1. Google Chrome
        2. Firefox
  3. Known Issues
  4. Troubleshooting
    1. Microsoft Teams
  5. Resources

Supported Configurations

Regardless of how similar two distributions may be, I will only list distributions and versions here that I know have been tested with this method.

Distribution Versions Browsers
Ubuntu 20.04 LTS Firefox, Chrome
22.04 LTS Chrome
PopOS! 20.04 LTS Firefox, Chrome
22.04 LTS Firefox, Chrome

Installation

Please run either the Automated Installation or the Manual Installation, but not both.

Automated Installation

Click to Toggle Expansion


WARNING: Please make sure all browsers are closed before running the script.

If you choose this option, you do not need to do the manual installation.

This script requires root privileges since it installs the cackey package and its dependencies. Feel free to review the script here if this makes you uncomfortable. For transparency, the cackey package is downloaded from here and the DoD certificates are downloaded from here, both of which are recommended by militarycac.

Important Notes:

  • The automated installation requires wget and unzip to run and will install both during the setup, if they are not already installed. If you don't want either tool, remove it after the setup is complete using sudo apt remove <command>.
  • The scripted installation has only been tested on the configurations listed in the Supported Distributions
  • This script uses the 64-bit version of the cackey package.

Methods

  • wget
sudo bash -c "$(wget https://raw.githubusercontent.com/jdjaxon/linux_cac/main/cac_setup.sh -O -)"
  • curl
sudo bash -c "$(curl -fsSL https://raw.githubusercontent.com/jdjaxon/linux_cac/main/cac_setup.sh)"
  • fetch
sudo bash -c "$(fetch -o https://raw.githubusercontent.com/jdjaxon/linux_cac/main/cac_setup.sh)"

Manual Installation

Click to Toggle Expansion


WARNING: Only perform these steps if you have not done the automated installation.

Staging

  1. Run the following command to install the CAC middleware:
sudo apt install libpcsclite1 pcscd libccid libpcsc-perl pcsc-tools libnss3-tools
  1. To verify that your CAC is detected, run (stop with ctrl+c):
pcsc_scan
  1. Download and install cackey from here.

  2. Run the following command to verify the location of the cackey module and make note of the location:

find / -name libcackey.so 2>/dev/null
  • NOTE: libcackey.so should be in one of the following locations:
/usr/lib/libcackey.so
        OR
/usr/lib64/libcackey.so
  1. If apt updates cackey from 7.5 to 7.10, it will move libcackey.so to a different location. To prevent cackey from updating, run the following:
sudo apt-mark hold cackey
  • NOTE: The cackey package will still show as upgradeable.
  1. Download DOD certs from DISA here.

  2. Unzip the AllCerts.zip folder using the following command:

unzip AllCerts.zip -d AllCerts

Browser Configuration


Google Chrome
  1. cd into the newly created AllCerts directory
  2. Run the following command:
for cert in *.cer; do certutil -d sql:"$HOME/.pki/nssdb" -A -t TC -n "$cert" -i "$cert"; done
  1. Run the following command:
printf "library=/usr/lib64/libcackey.so\nname=CAC Module" >> $HOME/.pki/nssdb/pkcs11.txt
Firefox
  1. cd into the AllCerts directory
  2. Run the following command:
for cert in *.cer; do certutil -d sql:"$(dirname "$(find "$HOME/.mozilla" -name "cert9.db")")" -A -t TC -n "$cert" -i "$cert"; done
  1. Run the following command:
printf "library=/usr/lib64/libcackey.so\nname=CAC Module" >> "$(dirname "$(find "$HOME/.mozilla" -name "cert9.db")")/pkcs11.txt"
  • NOTE: Since the firefox database directory starts with a random string of characters, it needs to be found dynamically. Its naming and location follows this convention: $HOME/.mozilla/firefox/<alpahnumeric string>.default-release.

Known Issues

  • Firefox and Chrome both need to be started at least once to initialize their respective certificate databases/profiles.

  • CAC needs to be inserted before starting Firefox.

  • Ubuntu 21.10 and greater (to include the latest LTS 22.04) have Firefox installed via snap by default. There is an outstanding bug (https://bugzilla.mozilla.org/show_bug.cgi?id=1734371) that prevents the snap version of Firefox from being able to read the certificates. One solution could be to uninstall Firefox from snap and reinstall it via apt.

  • If you upgraded from 20.04 to 22.04 on either PopOS or Ubuntu, this likely also upgraded the cackey package from 7.5 to the latest version, which currently breaks this process. You can either rerun the script or run through step three through five of the manual installation.

  • If you run into any issues with firefox after running the script, clear your data and history in Privacy & Security and then restart firefox. If your troubles are with MS Teams, see the section for troubleshooting teams.

  • Firefox will likely start up a bit slower after running this installation.

Troubleshooting

Microsoft Teams

If you run into issues with MS Teams, try the following steps:

  1. In the Firefox Settings window, select the Privacy & Security tab.
  2. Under Cookies and Site Data, select Manage Exceptions.
  3. In the Address of website text box, enter the following URLs, and then select Allow.
    https://microsoft.com
    https://microsoftonline.com
    https://teams.skype.com
    https://teams.microsoft.com
    https://sfbassets.com
    https://skypeforbusiness.com
  1. Select Save Changes.
  • NOTE: strict security settings in Firefox may cause a loading loop

See the official documentation for this issue here.

Resources

About

A project for consistently configuring DOD Common Access Cards on Linux.

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages

  • Shell 100.0%