Using a DoD CAC with Ubuntu and Firefox
by adam on Nov.21, 2008, under computers, security, website
Setting up a new workstation with Ubuntu and Firefox to use a DoD CAC is surprisingly easy.
These instructions work for Ubuntu 8.10 on my hardware. My card reader is built into a USB Dell Keyboard. It takes only a couple of steps to enable it for use in Firefox.
- Install libccid (which requires pcscd as a dependency)
- Install coolkey
- Tell Firefox to use coolkey’s pkcs11 library
- Profit!
To cover these steps in more detail:
- Install libccid and pcscd (`apt-get install libccid`). libccid and pcscd are the hardware drivers for USB card readers and the smartcard support libraries for Ubuntu. With these alone installed, the ‘light’ on the smart card reader should illuminate, showing that it recognizes that a card is inserted.
- Install RedHat’s PKCS11 SmartCard library coolkey (`apt-get install coolkey`). This provides a PKCS11 compliant interface between smartcards and applications that support PKCS11 certificates, such as Firefox/Thunderbird.
- Tell Firefox to utilize the coolkey PKCS11 library:
  - In Firefox, go to Edit -> Preferences -> Advanced -> Security Devices and click ‘Load’.
  - In the Module Name field, type “DoD CAC”.
  - In the Module Filename field, type or select “/usr/lib/pkcs11/libcoolkeypk11.so” (or “/usr/lib64/pkcs11/libcoolkeypk11.so” if you’re on a 64-bit system).
  - Select ‘OK’, and confirm that you would like to install the module.
  - Click ‘OK’ to acknowledge that the module has been loaded. If you receive an error that the module could not be loaded, exit and restart Firefox, and make sure your card reader light was on.
  - This returns you to the Security Devices dialog. Click ‘LOGIN’ in the upper right corner, and enter your CAC PIN. And that’s it!
- Now that you’ve got the CAC enabled and recognized in Firefox, you can log in to sites requiring it. A dialog box prompts you to select the proper certificate and enter your PIN each time. That’s all there is to it!
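A preflight check for the Module Filename step above, as an added example that is not part of the original post: it locates the coolkey library at the two paths the article names and refuses a module file with loose ownership or permissions, since a PKCS11 module is native code loaded into the browser. The function names, the optional root-prefix and owner-uid arguments, and the ownership policy are assumptions of this example.

```shell
#!/bin/sh
# Added example: preflight for the coolkey module before loading it into Firefox.
# The optional "root" prefix and "owner" uid arguments are hypothetical test hooks.

# Print the coolkey PKCS#11 module path, trying the two locations the article names.
# On x86_64 the lib64 path is tried first, with the other as fallback.
find_coolkey_module() {
    root="${1:-}"
    arch="${2:-$(uname -m)}"
    first=/usr/lib/pkcs11/libcoolkeypk11.so
    second=/usr/lib64/pkcs11/libcoolkeypk11.so
    if [ "$arch" = "x86_64" ]; then
        first=$second
        second=/usr/lib/pkcs11/libcoolkeypk11.so
    fi
    for candidate in "$first" "$second"; do
        if [ -f "$root$candidate" ]; then
            printf '%s\n' "$root$candidate"
            return 0
        fi
    done
    return 1
}

# A PKCS#11 module is native code that runs inside the browser and handles the PIN,
# so reject one not owned by the expected uid (default 0) or writable by group/others.
module_is_trustworthy() {
    path="$1"
    owner="${2:-0}"
    [ -f "$path" ] || return 1
    [ -n "$(find -L "$path" -prune -user "$owner")" ] || return 1
    [ -z "$(find -L "$path" -prune \( -perm -020 -o -perm -002 \))" ]
}

preflight() {
    module=$(find_coolkey_module "" "$(uname -m)") || {
        echo "coolkey module not found; is the coolkey package installed?" >&2
        return 1
    }
    module_is_trustworthy "$module" || {
        echo "refusing $module: not root-owned, or writable by group/others" >&2
        return 1
    }
    echo "Module Filename for the Security Devices dialog: $module"
}

preflight || echo "preflight failed" >&2
```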
29 Comments for this entry
November 22nd, 2008 on 5:12 am
Awesome site, I am going to read more of your posts soon.
December 29th, 2008 on 1:58 pm
This looks great! However, an ActivClient alternative for Windows would be good since there is lots of CAC stuff like NMCI Webmail (Outlook Web Access) that works best with IE. Air Force and Army users have the luxury of having an easily downloadable service-wide license for ActivClient, but NMCI users do not have that. However, CoolKey has been packaged for Windows but from what I have read installation and set-up is not as straightforward as it should be.
December 29th, 2008 on 2:36 pm
Why would you need an ActivClient alternative for Windows? If you’re on Windows, simply use the provided ActivClient.
There was no provided Linux solution to use OWA and access PKI protected sites. OWA works just fine in Firefox 3… I use it every day.
April 13th, 2009 on 6:04 am
What about the email cert? There are two certs on the DoD CAC card.
April 20th, 2009 on 11:13 pm
What about it? Just pick the appropriate cert when Firefox prompts you…
April 30th, 2009 on 9:37 pm
This works great to a point, I am able to log in and get to my emails. Is there a way to add s/mime support to be able to send digitally signed and encrypted emails?
September 23rd, 2009 on 12:02 pm
Excellent article, really.
September 24th, 2009 on 6:10 pm
I tried getting this to work in 9.04 but wasn’t able to. Any thoughts? I’m going to play more with other readers to see if that’s the problem.
September 24th, 2009 on 6:18 pm
@Aaron – What problem are you having? I’ve updated to 9.04, and everything still works for me. I have not tried doing this from scratch on 9.04 yet, however. Are packages missing? Does Ubuntu see your reader?
October 2nd, 2009 on 12:40 pm
Some readers do give Linux fits. There are several chipsets to avoid, if you can. Broadcom comes to mind right away. Depending on how it’s installed, ‘lspci’ or ‘lsusb’ could give you the info you need.
Per my inside @ ActivIdentity, SCM Microsystems SC readers are about the most reliable ones you can get. I found a SCR3310 for less than $20 shipped in the US.
I haven’t been able to get my reader to work on Ubuntu, but this reader is known to work with Linux so I don’t have any doubts that this is a user problem at this point; getting it to work in RedHat/CentOS is literally just a few clicks.
There’s my 37 cents.
November 1st, 2009 on 1:32 am
I am also looking for the s/mime capability. Is there a way to add s/mime support to be able to send digitally signed and encrypted emails?
November 2nd, 2009 on 2:19 pm
I’ve been trying to get mine to work on both 9.04 and 9.10 Xubuntu. I can get the card to show with pcsc_scan. When I load the module though, all I see is:
Status: Not present
Description: SCM SCR 331 (40106B7D) 00 00
Manufacturer: Unknown
HW Version: 255.255
FW Version: 0.0
I have tried with two other readers (SCM SCR 3310 and HP Smart keyboard) and all that changes is the description. I have tried on fresh installs of both 9.04 and 9.10 Ubuntu/Xubuntu and same result.
If anyone has an idea of what is wrong I would appreciate any help they can give.
-Aaron
November 23rd, 2009 on 9:11 am
I can install the library, but when I go to add it as a security module for firefox, it tells me, “Unable to add module.” Any thoughts as to what would stop it?
–Marcus
November 30th, 2009 on 10:42 pm
Same problem with Firefox security Module. “Unable to add module.” Using Ubuntu 9.10 Desktop
December 15th, 2009 on 11:46 pm
Thanks so much for a great tutorial! The Air Force portal wasn’t recognizing the certs, but a Firefox restart fixed that.
January 30th, 2010 on 8:42 pm
A partial work-around to reading your encrypted emails is to login using OWA and forward the entire message (with attachment) to a gmail account. Then you can use the Gmail S/MIME add-on and decode the message. Not touting this as being a good idea, just a possibility. I just wish the authors of this add-on were able to adapt it to OWA somehow.
June 7th, 2010 on 9:33 pm
Thanks for the article, this works straightaway with Ubuntu 10.4 and Firefox 3.6.3.
August 3rd, 2010 on 1:03 pm
This worked in Ubuntu 10.04 also. Flawlessly, I might add. Thank you very, very much.
September 13th, 2010 on 9:52 pm
@edisonbaggins
It was working for me in Gentoo until I got my new CAC week before last. How new is yours?
October 11th, 2010 on 10:33 pm
These were great, easy-to-use instructions. I fired it up the first time after downloading all I needed from Synaptic. It was pretty easy to follow the instructions, and it works great in Lucid Ubuntu 10.4.
November 14th, 2010 on 7:11 am
I got this to work with Ubuntu 10.10 using a Dell keyboard card reader. The only issue I am having is getting it to read all of my certificates. Right now it will only read my ID certificate.
December 11th, 2010 on 11:20 pm
This worked perfectly in Linux Mint 10. I also found a DoD CAC plug-in on militarycac.com
January 11th, 2011 on 9:20 pm
I can go to the AF Portal, but on sites such as OWA the cert selection doesn’t show up as it does on the portal. I’m assuming my OWA is picking the wrong cert. Any ideas?
June 25th, 2011 on 5:43 pm
Thanks for the great information. Some of the other instructions out on the net seemed a little more complicated — these are simple and work. No problems using these instructions w/ Ubuntu 10.04 LTS and an SCR3310 reader. I can access all AF and OWA sites without issue.
August 5th, 2011 on 3:15 pm
Thanks, worked like a charm on RHEL6 64bit.
Only it was “/usr/lib64/pkcs11/libcoolkeypk11.so”
October 4th, 2011 on 2:43 pm
Just verifying that this DID work for me. Ubuntu 11.04 64 bit. As noted by @cdated, use “/usr/lib64/pkcs11/libcoolkeypk11.so” if you’re running 64 bit.
October 4th, 2011 on 2:45 pm
You hippy kids and your 64bit.
Back in my day…:)
Thanks for the verification!
November 7th, 2011 on 12:26 pm
I’m using Ubuntu 11.10 and I have everything up and running with the card readable using pcsc_scan. The only problem I’m experiencing is that with the card in the reader, Firefox will not open, and if it is open and the card is inserted, Firefox will crash. Using Firefox 7.0.1 on Ubuntu 11.10. Any help would be greatly appreciated.
November 18th, 2011 on 6:29 pm
I had the same problem with Firefox 7.0.1+ and CoolKey. The way to fix it is to somehow get a CAC working (I used a VM and the Lightweight Portable Security distro: http://www.spi.dod.mil/lipose.htm ) and download libCacKey from forge.mil (forge.mil requires CAC authentication, dumb huh?). Libcackey worked great once I got it.
Good Luck!!