On 02/07/2011 02:33 PM, guy zelck wrote:
> On my systems where it doesn't work (openSUSE 11.3 and Fedora 14) I see a frantically flickering LED on the key. What is it communicating when normally it should come ask for the PIN? On the Fedora 14 system I kept the stock packages,
Here is what I did, a long time back, to get it working in Fedora.

Setting up CAC card usage on Fedora (32 & 64 bit)

Generic <smartcard> RedHat guide:
http://www.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5.4/html/Deployment_Guide/sso-sc-config.html

AKO CAC Setup guide <Windows>:
https%3A%2F%2Fwww.us.army.mil%2Fsuite%2Ffolder%2F10619395&id=6032445&links=CAC,SETUP&q=%2528%2522CAC%2Bsetup%2522%2529%26SecurityInfo%3DNzZ82harp82RIdTGzjrAUwrQKOLFpi1Ok7YzDnnaZroLCgpzHxrr%2FeQlHsdUEWnfF9hzmXsj%2FJUGMReyAF%2F0YfnoyaTvib5NQOXHclTMIg%3D%3D

<This might be unnecessary, all of these packages came pre-installed on my Fedora; yum install will update these pkgs if already installed, so it can't hurt>

su

# For 64 bit
yum install nss-tools.x86_64 pam_pkcs11.x86_64 coolkey.x86_64 ifd-egate.x86_64 authconfig.x86_64 authconfig-gtk.x86_64 esc.x86_64 ccid.x86_64 gdm.x86_64 fprintd-pam.x86_64 pcsc-lite.x86_64 pcsc-tools.x86_64 pcsc-lite-libs.x86_64

# OR For 32 bit
yum install nss-tools.i586 pam_pkcs11.i586 coolkey.i586 ifd-egate.i586 authconfig.i586 authconfig-gtk.i586 esc.i586 ccid.i586 gdm.i586 fprintd-pam.i586 pcsc-lite.i586 pcsc-tools.i586

# restart the pcscd daemon:
sudo /etc/init.d/pcscd restart

# List the USB devices
lsusb
<snip>
Bus 002 Device 003: ID 04e6:5116 SCM Microsystems, Inc. SCR331-LC1 SmartCard Reader
<snip>

# Start the openct daemon
/etc/init.d/openct start

# look for card readers
openct-tool list

# Dump the contents of the card
openct-tool -r 1 atr

[root@476114-mitll abentley]# openct-tool -r 1 atr
Detected CCID Compatible
Card not present      <THIS IS BAD - Card needs to be initialized>
failed to reset card

Download DoD Root Certs: browse to https://crl.gds.disa.mil/
Click on DOD CA-24, hit the "submit" button, right click on the "Download" link, save as, save to somewhere on your local computer, i.e. /home/your_user_name/DoDCACerts
Do the same for DODCA_13.cer through DODCA_24.cer <some CAs have been retired, so some CA Certs might not be available, that's ok>

Read: http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html

Do this to see if a cert database exists on your machine already:
certutil -L -d /etc/pki/nssdb
<Should get created when nss gets installed>

sudo certutil -A -d /etc/pki/nssdb -n "dod root ca2 cert" -t "CT,C,C" -i ./DoDRootCA2.cer
sudo certutil -A -d /etc/pki/nssdb -n "dod ca11 cert" -c "dod root ca2 cert" -t "CT,C,C" -i ./DODCA_11.cer
sudo certutil -A -d /etc/pki/nssdb -n "dod ca12 cert" -c "dod root ca2 cert" -t "CT,C,C" -i ./DODCA_12.cer
sudo certutil -A -d /etc/pki/nssdb -n "dod ca13 cert" -c "dod root ca2 cert" -t "CT,C,C" -i ./DODCA_13.cer
sudo certutil -A -d /etc/pki/nssdb -n "dod ca14 cert" -c "dod root ca2 cert" -t "CT,C,C" -i ./DODCA_14.cer
sudo certutil -A -d /etc/pki/nssdb -n "dod ca15 cert" -c "dod root ca2 cert" -t "CT,C,C" -i ./DODCA_15.cer
sudo certutil -A -d /etc/pki/nssdb -n "dod ca16 cert" -c "dod root ca2 cert" -t "CT,C,C" -i ./DODCA_16.cer
sudo certutil -A -d /etc/pki/nssdb -n "dod ca17 cert" -c "dod root ca2 cert" -t "CT,C,C" -i ./DODCA_17.cer
sudo certutil -A -d /etc/pki/nssdb -n "dod ca18 cert" -c "dod root ca2 cert" -t "CT,C,C" -i ./DODCA_18.cer
sudo certutil -A -d /etc/pki/nssdb -n "dod ca19 cert" -c "dod root ca2 cert" -t "CT,C,C" -i ./DODCA_19.cer
sudo certutil -A -d /etc/pki/nssdb -n "dod ca20 cert" -c "dod root ca2 cert" -t "CT,C,C" -i ./DODCA_20.cer
sudo certutil -A -d /etc/pki/nssdb -n "dod ca21 cert" -c "dod root ca2 cert" -t "CT,C,C" -i ./DODCA_21.cer
sudo certutil -A -d /etc/pki/nssdb -n "dod ca22 cert" -c "dod root ca2 cert" -t "CT,C,C" -i ./DODCA_22.cer
sudo certutil -A -d /etc/pki/nssdb -n "dod ca23 cert" -c "dod root ca2 cert" -t "CT,C,C" -i ./DODCA_23.cer
sudo certutil -A -d /etc/pki/nssdb -n "dod ca24 cert" -c "dod root ca2 cert" -t "CT,C,C" -i ./DODCA_24.cer

# Enable Smart Card Login Support
1. On the Gnome Title Bar, select System->Administration->Authentication.
2. Type your machine's root password if necessary.
3. In the Authentication Configuration dialog, click the Authentication tab.
4. Select the Enable Smart Card Support check box.
5. Click the Configure Smart Card... button to display the Smartcard Settings dialog, and specify the required settings:
   * Require smart card for login - Clear this check box. After you have successfully logged in with the smart card you can select this option to prevent users from logging in without a smart card.
   * Card Removal Action - This controls what happens when you remove the smart card after you have logged in. The available options are:
     o Lock - Removing the smart card locks the X screen. <Advisable, but be careful....>
     o Ignore - Removing the smart card has no effect.

# If you need to enable the Online Certificate Status Protocol (OCSP), open the /etc/pam_pkcs11/pam_pkcs11.conf file, and locate the following line:
enable_ocsp = false;
Change this value to true, as follows:
enable_ocsp = true;

# Plug your reader into your computer & plug your card into the reader
pcsc_scan    #should list your card reader
PC/SC device scanner V 1.4.15 (c) 2001-2009, Ludovic Rousseau <ludovic.rousseau@xxxxxxx>
Compiled with PC/SC lite version: 1.5.2
Scanning present readers...
0: SCM SCR 3310 00 00

Tue Mar 23 09:47:17 2010
Reader 0: SCM SCR 3310 00 00
  Card state: Card inserted,
  ATR: HEX Numbers..................

ATR: HEX Numbers..................
+ TS = 3B --> Direct Convention
+ T0 = 7D, Y(1): 0111, K: 13 (historical bytes)
  TA(1) = 96 --> Fi=512, Di=32, 16 cycles/ETU
    250000 bits/s at 4 MHz, fMax for Fi = 5 MHz => 312500 bits/s
  TB(1) = 00 --> VPP is not electrically connected
  TC(1) = 00 --> Extra guard time: 0
+ Historical bytes: HEX Numbers..................
  Category indicator byte: 80 (compact TLV data object)
    Tag: 3, len: 1 (card service data byte)
      Card service data byte: 80
        - Application selection: by full DF name
        - EF.DIR and EF.ATR access services: by GET RECORD(s) command
        - Card with MF
    Tag: 6, len: 5 (pre-issuing data)
      Data: B0 83 11 17 D6
    Tag: 8, len: 3 (status indicator)
      LCS (life card cycle): 00 (No information given)
      SW: 9000 (Normal processing.)

# Determine what device your USB CAC is on
sudo dmesg > ~/dmesg.txt
vi ~/dmesg.txt /

# Mount the USB reader
sudo mkdir /mnt/cac
sudo mount -t usbfs /dev/sr0 /mnt/cac

# Write the following line into /etc/fstab to make it permanent
usbfs /mnt/cac usbfs auto 0 0

# Bring up the CAC manager App - to open the CAC
system_menu->Applications->System Tools->Smart Card Manager
enroll

# Enable Thunderbird to use the CAC Card
# Add CAC Module to Thunderbird as a Security Device
0. sudo /opt/dev_tools/thunderbird/thunderbird
1. Preferences Menu
2. Advanced Section
3. Encryption Tab
4. Security Devices Button
5. Load Button
6. Enter CAC Module as the module name, and browse to /usr/lib64/pkcs11/libcoolkeypk11.so for the module filename. <or /usr/lib/pkcs11/libcoolkeypk11.so for 32 bit>

# Enable Firefox to use the CAC Card
https://help.ubuntu.com/community/CommonAccessCard
# Add CAC Module to Firefox as a Security Device
0. sudo /opt/dev_tools/firefox_3_5_6/firefox
1. Preferences Menu
2. Advanced Section
3. Encryption Tab
4. Security Devices Button
5. Load Button
6. Enter CAC Module as the module name, and browse to /usr/lib/pkcs11/libcoolkeypk11.so for the module filename. Seems to only work with 32 bit libcoolkey.
OR go here: https://software.forge.mil/sf/projects/community_cac

# Enroll your smart card
# If you are using a CAC card, you also need to perform the following steps:
1. Change to the root account and create a file called /etc/pam_pkcs11/cn_map.
2. Add the following entry to the cn_map file:
   MY.CAC_CN.123454 -> myloginid
   where MY.CAC_CN.123454 is the Common Name on your CAC and myloginid is your UNIX login ID.

# Logout
sudo umount /mnt/cac
_______________________________________________
Coolkey-devel mailing list
Coolkey-devel@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/coolkey-devel
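As an added example that is not part of the original mail, a small Python decoder for the ATR fields that pcsc_scan prints in the walkthrough above (TS, T0, TA1/TB1/TC1 and the compact-TLV historical bytes). The ATR value is constructed to match the decode quoted in the post, since the real bytes were redacted there; checking what a reader actually returned is the first thing to do when the LED flickers and the card never gets as far as a PIN prompt.

```python
# Added example: minimal ISO 7816-3 ATR decoder (not code from the original mail).
FI_TABLE = [372, 372, 558, 744, 1116, 1488, 1860, None, None,
            512, 768, 1024, 1536, 2048, None, None]          # clock-rate conversion Fi
DI_TABLE = [None, 1, 2, 4, 8, 16, 32, 64, 12, 20,
            None, None, None, None, None, None]             # baud-rate adjustment Di

# Constructed sample ATR, chosen to match the pcsc_scan decode quoted in the thread
# (TS=3B, T0=7D, TA1=96, TB1=00, TC1=00, 13 compact-TLV historical bytes).
CAC_ATR = bytes.fromhex("3B7D96000080318065B0831117D683009000")


def parse_compact_tlv(hist: bytes) -> dict:
    """Historical bytes with category indicator 0x80 hold compact-TLV objects:
    one byte = tag (high nibble) and length (low nibble), then the value."""
    objs, pos = {}, 1
    while pos < len(hist):
        tag, length = hist[pos] >> 4, hist[pos] & 0x0F
        objs[tag] = hist[pos + 1:pos + 1 + length]
        pos += 1 + length
    return objs


def decode_atr(atr: bytes) -> dict:
    """Parse TS, T0, the interface bytes TA/TB/TC/TD(i) and the historical bytes."""
    if len(atr) < 2 or atr[0] not in (0x3B, 0x3F):
        raise ValueError("not an ATR: bad TS byte")
    out = {"convention": "direct" if atr[0] == 0x3B else "inverse", "interface": {}}
    k = atr[1] & 0x0F          # T0 low nibble: number of historical bytes
    y = atr[1] >> 4            # T0 high nibble: which of TA1..TD1 are present
    pos, i = 2, 1
    while y:
        for bit, name in ((1, "TA"), (2, "TB"), (4, "TC"), (8, "TD")):
            if y & bit:
                if pos >= len(atr):
                    raise ValueError("ATR truncated inside interface bytes")
                out["interface"][f"{name}{i}"] = atr[pos]
                pos += 1
        td = out["interface"].get(f"TD{i}")   # TD(i) announces the next group
        y = td >> 4 if td is not None else 0
        i += 1
    ta1 = out["interface"].get("TA1", 0x11)  # default when absent: Fi=372, Di=1
    out["Fi"], out["Di"] = FI_TABLE[ta1 >> 4], DI_TABLE[ta1 & 0x0F]
    out["cycles_per_etu"] = out["Fi"] // out["Di"] if out["Fi"] and out["Di"] else None
    hist = atr[pos:pos + k]
    if len(hist) != k:
        raise ValueError("ATR truncated: fewer historical bytes than T0 announces")
    out["historical"] = hist
    out["compact_tlv"] = parse_compact_tlv(hist) if hist and hist[0] == 0x80 else {}
    return out
```

For the constructed ATR, decode_atr reports Fi=512, Di=32 (16 cycles/ETU) and the three compact-TLV objects (tags 3, 6 and 8) exactly as pcsc_scan lists them above.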