HR Geeks

Using a DoD CAC with Ubuntu and Firefox

by adam on Nov.21, 2008, under computers, security, website

Setting up a new workstation with Ubuntu and Firefox to use a DoD CAC is surprisingly easy.

These instructions work for Ubuntu 8.10 on my hardware.  My card reader is built into a USB Dell Keyboard.  It takes only a couple of steps to enable it for use in Firefox.

  1. Install libccid (which requires pcscd as a dependency)
  2. Install coolkey
  3. Tell Firefox to use coolkey’s pkcs11 library
  4. Profit!

To cover these steps in more detail:

  1. Install libccid and pcscd (`apt-get install libccid` pulls in pcscd as a dependency).  libccid is the driver for USB card readers and pcscd provides the smart card support for Ubuntu.  With these alone installed, the ‘light’ on the smart card reader should illuminate, showing that it recognizes that a card is inserted.
  2. Install Red Hat’s PKCS11 smart card library coolkey (`apt-get install coolkey`).  This provides a PKCS11-compliant interface between smart cards and applications that support PKCS11 certificates, such as Firefox/Thunderbird.
  3. Tell Firefox to utilize the coolkey PKCS11 library:
    1. In Firefox, go to Edit -> Preferences -> Advanced -> Security Devices and click ‘Load’.
    2. In the Module Name field, type “DoD CAC”
    3. In the Module Filename field type or select “/usr/lib/pkcs11/libcoolkeypk11.so”
    4. Select ‘OK’, and confirm that you would like to install the module.
    5. Click ‘OK’ to acknowledge that the module has been loaded.  If you receive an error that the module could not be loaded, exit and restart Firefox, and make sure your card reader light was on.
    6. This returns you to the Security Devices dialog.  Click ‘LOGIN’ in the upper right corner, and enter your CAC PIN.  And that’s it!

  4. Now that you’ve got the CAC enabled and recognized in Firefox, you can log in to sites requiring it.  A dialog box prompts you to select the proper certificate and enter your PIN each time.  That’s all there is to it!

16 Comments for this entry

  • Allison Sellers

    Awesome site, I am going to read more of your posts soon.

  • Dave Harris

    This looks great! However, an ActivClient alternative for Windows would be good since there is lots of CAC stuff like NMCI Webmail (Outlook Web Access) that works best with IE. Air Force and Army users have the luxury of having an easily downloadable service-wide license for ActivClient, but NMCI users do not have that. However, CoolKey has been packaged for Windows but from what I have read installation and set-up is not as straightforward as it should be.

  • adam

    Why would you need an ActiveClient alternative for Windows? If you’re on Windows, simply use the provided ActiveClient.
    There was no provided Linux solution to use OWA and access PKI protected sites. OWA works just fine in Firefox 3... I use it every day :)

  • Justin

    What about the email cert? There are two certs on the DoD CAC card.

  • adam

    What about it? Just pick the appropriate cert when firefox prompts you…

  • David

    This works great to a point, I am able to log in and get to my emails. Is there a way to add s/mime support to be able to send digitally signed and encrypted emails?

  • Methos

    Excellent article, really.

  • Aaron

    I tried getting this to work in 9.04 but wasn’t able to. Any thoughts? I’m going to play more with other readers to see if that’s the problem.

  • adam

    @Aaron – What problem are you having? I’ve updated to 9.04, and everything still works for me? I have not tried doing this from scratch on 9.04 yet, however. Are packages missing? Does ubuntu see your reader?

  • Sean

    Some readers do give Linux fits. There are several chipsets to avoid, if you can. Broadcom comes to mind right away. Depending on how it’s installed, ‘lspci’ or ‘lsusb’ could give you the info you need.
    Per my inside @ ActivIdentity, SCM Microsystems SC readers are about the most reliable ones you can get. I found a SCR3310 for less than $20 shipped in the US.
    I haven’t been able to get my reader to work on Ubuntu, but this reader is known to work with Linux so I don’t have any doubts that this is a user problem at this point; getting it to work in RedHat/CentOS is literally just a few clicks.
    There’s my 37 cents.

  • David

    I am also looking for the s/mime capability. Is there a way to add s/mime support to be able to send digitally signed and encrypted emails?

  • Aaron Rich

    I’ve been trying to get mine to work on both 9.04 and 9.10 Xbuntu. I can get the card to show with pcsc_scan. When I load the module though, all I see is:

    Status: Not present
    Description: SCM SCR 331 (40106B7D) 00 00
    Manufacturer: Unknown
    HW Version: 255.255
    FW Version: 0.0

    I have tried with two other readers (SCM SCR 3310 and HP Smart keyboard) and all that changes is the description. I have tried on fresh installs of both 9.04 and 9.10 Ubuntu/Xbuntu and same result.

    If anyone has an idea of what is wrong I would appreciate any help they can give.

    -Aaron

  • marcus

    I can install the library, but when I go to add it as a security module for firefox, it tells me, “Unable to add module.” Any thoughts as to what would stop it?

    –Marcus

  • John

    Same problem with Firefox security Module. “Unable to add module.” Using Ubuntu 9.10 Desktop

  • Everett

    Thanks so much for a great tutorial! The Air Force portal wasn’t recognizing the certs, but a Firefox restart fixed that.

  • Rob

    A partial work-around to reading your encrypted emails is to login using OWA and forward the entire message (with attachment) to a gmail account. Then you can use the Gmail S/MIME add-on and decode the message. Not touting this as being a good idea, just a possibility. I just wish the authors of this add-on were able to adapt it to OWA somehow.
