Posted by: reformedmusings | January 9, 2010

Using a DoD CAC in Firefox under Linux

The U.S. Department of Defense relies on Common Access Cards (CAC) as an integral part of authenticating users on DoD computer systems. At first, that eliminated the possibility of doing useful work from home. However, USB smart card readers are now inexpensive and widely available, and there are a number of efforts to enable folks at home to access DoD systems. Unfortunately, until recently they all centered on Windows and Internet Explorer. That has changed, bringing Firefox and Linux into the fold.

The DoD has an open source site to give DoD-specific efforts a place to exchange ideas and work. The CAC effort lives here, but ironically, you need CAC access to get there. You can download the files you need at work, then email them home. Files reside there that will enable Firefox to access CAC-required sites, a CAC-enabled password safe, and a program to enable sudo through your CAC rather than a password.

First, you need to install some packages into Ubuntu: coolkey provides the PKCS#11 module that Firefox will load, pcscd is the daemon that actually talks to the reader, and pcsc-tools supplies pcsc_scan for checking that the reader works. Copy and paste this line into a terminal:

sudo apt-get install coolkey pcscd pcsc-tools

You can also use Synaptic or the Ubuntu Software Center to install the packages. After installation, check that the system recognizes your smart card reader. Again from a terminal, run:

pcsc_scan

You should see an output like:

PC/SC device scanner
V 1.4.15 (c) 2001-2009, Ludovic Rousseau <ludovic.rousseau@free.fr>
Compiled with PC/SC lite version: 1.4.102
Scanning present readers…
0: SCM SCR 3310 00 00

Sat Jan  9 21:43:11 2010
Reader 0: SCM SCR 3310 00 00
Card state: Card removed,

You’ll have to hit Ctrl-C to exit the scan, since pcsc_scan keeps polling until you stop it. This output shows an SCM SCR 3310 present. If your reader isn’t found, run lsusb in a terminal to see if the system even sees the device. If lsusb lists the reader but pcsc_scan does not, pcscd has no working driver for it and you may need to update your reader’s firmware. If lsusb doesn’t see it either, try another USB port. If you insert your CAC, the scan will report the card as inserted and print the card’s ATR (answer to reset).

The easy way to enable Firefox CAC access uses an add-on written by Neil McNab. You can download the add-on from the DoD SoftwareForge site. It used to be on the Mozilla add-on site as well, but I don’t see it there now. You can also download DoD Configuration version 1.0.3 here. As I write this, there’s a beta for 1.0.4 on DoD SoftwareForge which seems to work fine, but better to stick with the stable release for now. I’ll update the link and this post to 1.0.4 when it goes final.

When you install the DoD Configuration add-on, it will offer to download the appropriate root certificates. Allow it to do so and follow the instructions it provides. That’s it, you’re done. Skip to the bottom of the post.

The harder way to get Firefox to recognize your CAC is to install the certificates and set up the PKCS#11 module manually. You can download the DoD root certificates here. Just click on the links on that page and Firefox will install the certificates.

Now we need to tell Firefox about the coolkey PKCS#11 module, which reaches your reader through pcscd. Insert your CAC into the card reader. The green light on the reader should flash as the card is read. Open Firefox and on the menu bar go to Edit -> Preferences. Click on the Advanced tab, then on Security Devices. Click on the Load… button. In the next dialog window, you must type in a device name and module filename. I used CAC Module for the device name. The module filename is /usr/lib/pkcs11/libcoolkeypk11.so in Ubuntu. The file location may vary in other Linux distributions; if it isn’t there, dpkg -L coolkey | grep libcoolkeypk11 will show where the package put it. Click OK.

Your personal certificate (i.e., your name and associated certificate number) should now appear under the CAC Module entry on the left side of the window. To check the installation, click on the Log In button and type in your PIN. Firefox labels the prompt as a request for your master password, but for a smart card token it is asking for the card’s PIN. Type it carefully: a CAC locks after a few consecutive wrong PIN entries and has to be reset at an ID card office. The status should now change to Logged In in the details window. You’re off and running!
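The same checks and the module registration can be scripted. The script below is an added example, not code from the original post: it parses pcsc_scan output for readers and card state, locates the coolkey library, and registers it in a Firefox profile with modutil (from the libnss3-tools package) instead of through the Security Devices dialog. The multiarch library paths, the use of the coreutils timeout command, and the assumption of a single *.default Firefox profile are mine, not the post’s; the sample scan output is constructed to mirror what the post shows.

```shell
#!/bin/sh
# Added example, not from the original post. Checks the pieces the post sets up
# by hand and registers coolkey in Firefox non-interactively with modutil.
# Assumptions (not stated in the post): Ubuntu library paths below, a coreutils
# 'timeout' command, and one *.default profile under ~/.mozilla/firefox.

# Library paths to try. The first is the one the post uses; the others are
# assumed locations on multiarch Ubuntu releases.
COOLKEY_CANDIDATES="/usr/lib/pkcs11/libcoolkeypk11.so
/usr/lib/x86_64-linux-gnu/pkcs11/libcoolkeypk11.so
/usr/lib/i386-linux-gnu/pkcs11/libcoolkeypk11.so"

# Constructed sample of pcsc_scan output with no card, mirroring the post.
SAMPLE_SCAN_NO_CARD="PC/SC device scanner
V 1.4.15 (c) 2001-2009, Ludovic Rousseau <ludovic.rousseau@free.fr>
Scanning present readers...
0: SCM SCR 3310 00 00

Sat Jan  9 21:43:11 2010
Reader 0: SCM SCR 3310 00 00
  Card state: Card removed,"

# Constructed sample with a card inserted (the ATR bytes are made up).
SAMPLE_SCAN_CARD="Sat Jan  9 21:45:02 2010
Reader 0: SCM SCR 3310 00 00
  Card state: Card inserted, Shared Mode,
  ATR: 3B 7B 18 00 00 00 31 C0 64 77 E3 03 00 82 90 00"

# Print the first coolkey library that exists; return 1 if none is installed.
find_coolkey_module() {
    for p in $COOLKEY_CANDIDATES; do
        [ -f "$p" ] && { printf '%s\n' "$p"; return 0; }
    done
    return 1
}

# Read pcsc_scan output on stdin and print the reader names it reported.
# pcsc_scan repeats "Reader N: name" on every poll, so de-duplicate.
readers_from_scan() {
    sed -n 's/^Reader [0-9][0-9]*: *//p' | sort -u
}

# Read pcsc_scan output on stdin; succeed only if a card was reported inserted.
card_present_in_scan() {
    grep -q 'Card state: Card inserted'
}

# pcsc_scan never exits on its own, so run it for a few seconds and parse.
scan_live_readers() {
    timeout 3 pcsc_scan 2>/dev/null | readers_from_scan
}

# Register coolkey in a Firefox profile's NSS database. Firefox must be closed
# while modutil writes to the database. Profile directory: $1, or the first
# *.default profile if none is given. Newer Firefox releases keep the database
# in the sql: format (cert9.db); prefix the path with "sql:" for those.
register_cac_module() {
    lib=$(find_coolkey_module) || {
        echo "coolkey not found; run: sudo apt-get install coolkey" >&2
        return 1
    }
    profile=${1:-$(ls -d "$HOME"/.mozilla/firefox/*.default 2>/dev/null | head -n 1)}
    [ -d "$profile" ] || { echo "no Firefox profile found" >&2; return 1; }
    # -force skips the interactive confirmation; -list shows the loaded modules.
    modutil -dbdir "$profile" -add "CAC Module" -libfile "$lib" -force &&
        modutil -dbdir "$profile" -list
}

# Typical use: ./cac-setup.sh setup [profile-dir]
if [ "${1:-}" = "setup" ]; then
    echo "Readers seen by pcscd:"
    scan_live_readers
    register_cac_module "${2:-}"
fi
```

After running it, the CAC Module entry appears in Security Devices exactly as if you had loaded it by hand, and the Log In check in the previous paragraph works the same way.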

You can test the overall setup by accessing a CAC-enabled site. The DoD SoftwareForge CAC site is a good start. The only problem that I’ve had is with the Defense Connect Online site. I’ve had difficulties there because it uses Java for authentication, which is a poor practice. I’ve been looking for a straightforward way to get Java to recognize the card reader and root certificates in Linux. Everything I’ve found so far is convoluted and must be redone after each Java update.

After this setup, I’ve had no problems on any DoD site except for DCO. Enjoy!

Responses

  1. […] In this previous post from last year, I talked about how to use a DoD Common Access Card with Firefox under Ubuntu Linux. That post is still accurate if you have an older pre-144K CAC. However, if you have a new 144K CAC, coolkey will not work for you. I found that out the hard way two nights ago. Providentially, though, Roy Keene over at SoftwareForge (need a CAC to access) also found the problem and devised a solution: cackey. […]
