linux_cac
linux_cac copied to clipboard
jdjaxon
How to uninstall?
I am on the latest Mint (21.2), but it should mimic Ubuntu versions of most packages except for snap which it does not install. Long story short, I had CAC auth working okay with Chrome prior for many years with cackey 0.7.11, but decided to give this script a try so I could get Firefox running and working with my CAC. Running this, everything seemed to install just fine (no errors), but now my smart card reader (the very popular SCR3500) seems to flash 3 consecutive red lights indefinitely and hangs on any interaction with the CAC. When you plug it in with no browser open, it will not flash any lights, but as soon as you open FF or Chrome, it will start doing that 3 light pattern and no CAC enabled site will work; rather, it seems to just hang until you take the CAC out, at which point obviously any validation will fail.
Since I have no idea how to even begin troubleshooting this, is there any way to uninstall this? I'd like to undo everything the script has done and start over with the manual procedure and get back up and running as I use this laptop for work daily. One bug I did notice is it started installing certs to any folder named .pki/nssdb (including in all my cross compiled distros I use to test on diff SBCs at work) instead of just the current $HOME, so I am not sure if that contributed to this problem. Thanks.
My apologies for the delay. It is unlikely that the DoD certs being present in the other NSSDBs caused an issue with your CAC reader. It seems more likely that either the middleware or CACKey caused this issue. You could try simply removing CACKey and trying OpenSC using the following commands:
sudo apt purge cackey
sudo apt install opensc
reboot
The reboot is only necessary to allow OpenSC to write the proper configuration to all of the different pkcs11.txt files, which it does automatically upon reboot.
To answer your original question, the script installs the following (providing the full command):
apt install -y libpcsclite1 pcscd libccid libpcsc-perl pcsc-tools libnss3-tools unzip wget
You would need to add cackey to this list, which I install manually to hold to a specific version. Simply running the following will remove all of these tools (remove anything that you would like to keep):
sudo apt remove cackey libpcsclite1 pcscd libccid libpcsc-perl pcsc-tools libnss3-tools unzip wget
While these shouldn't affect much, you will also want to remove the following lines from any pkcs11.txt file for a full purge:
library=/usr/lib64/libcackey.so
name=CAC Module
Please let me know if I can help in any other way. If this solves your problem, please close this issue.
My apologies for the delay. It is unlikely that the DoD certs being present in the other NSSDBs caused an issue with your CAC reader. It seems more likely that either the middleware or CACKey caused this issue. You could try simply removing CACKey and trying OpenSC using the following commands:
Please remove that apt remove code block, if someone runs that without thinking they're likely to brick their system. Or update it to be safe about removing dependencies, which aren't handled well by apt at times.
Please remove that apt remove code block, if someone runs that without thinking they're likely to brick their system. Or update it to be safe about removing dependencies, which aren't handled well by apt at times.
@tfrum, what is it about that command that could damage a system? I understand I am a small sample size, but I have run that many times with no issues. One could argue that removing libnss3-tools, unzip, or wget might be unnecessary or disrupt something that depends on them, but you could reinstall them, which is why I made a note to omit anything that one wanted to keep. Additionally, it is remove instead of purge, which would not remove associated configuration files, thus a reinstallation would return the original state of whatever utility.
I don't mean for this to come off as rude, but I don't know a better way to ask. I'm fine with changing the command or simply listing the installed dependencies for people to remove manually.
@jdjaxon No rudeness taken. Frankly it's only an issue because we know that some users won't read before running the code, so it's a best-practice/responsibility to be conservative when doing uninstall commands.
For users who aren't experienced enough to undo the changes of this script and who will likely just accept apt's remove command, this would leave them without any chromium-based browser or wifi, at least. They might not even notice until after closing the terminal.
For example, on my system:
brave-browser ca-certificates-java default-jre-headless file-roller hplip libccid libnss3-tools libpcsc-perl libpcsclite1 openjdk-11-jre-headless pcsc-tools pcscd unzip wget wpasupplicant
The brave-browser here is being removed for depending on wget, as woudl Chrome. Apt's default behavior is just to sweep it up in the auto-remove operation, which has been bricking Debian-based installs for inexperienced users for years.
@jdjaxon No rudeness taken. Frankly it's only an issue because we know that some users won't read before running the code, so it's a best-practice/responsibility to be conservative when doing uninstall commands.
For users who aren't experienced enough to undo the changes of this script and who will likely just accept apt's remove command, this would leave them without any chromium-based browser or wifi, at least. They might not even notice until after closing the terminal.
For example, on my system:
brave-browser ca-certificates-java default-jre-headless file-roller hplip libccid libnss3-tools libpcsc-perl libpcsclite1 openjdk-11-jre-headless pcsc-tools pcscd unzip wget wpasupplicantThe brave-browser here is being removed for depending on wget, as woudl Chrome. Apt's default behavior is just to sweep it up in the auto-remove operation, which has been bricking Debian-based installs for inexperienced users for years.
That's a fair argument, and I truly appreciate the input. What would you recommend as a better way to handle this? I certainly don't want anyone running into issues due to a potential oversight that is preventable.