linux_cac

Issues on Ubuntu 24.10

Open dfego opened this issue 1 year ago • 4 comments

I've had some success with this with my SmartCard on Ubuntu 24.10, but am having two specific issues (which maybe should be split up). Of note, I'm not using a CAC, but a SmartCard.

  1. Chrome is seeing my reader and certificate, and I can get through an IdenTrust test, but the website I'm trying to get to work simply "didn’t accept your login certificate, or one may not have been provided." I suspect it's not being presented with it, because I don't get a prompt to load it when I just go to that site. Even if I go to the browser settings and it loads, it doesn't change anything.
  2. Firefox doesn't seem to see my hardware device, and doesn't seem to be loading at all. I did uninstall the snap version and get the apt version.

I'm not 100% sure if this is supposed to work for my use case, but it feels so close, and I'm not sure why Chrome isn't asking for my cert.

dfego avatar Dec 04 '24 20:12 dfego

Maybe a goofy question, but how long ago did you run the script? It now uses OpenSC instead of CACKey.

According to OpenSC's wiki it should work for all smart cards:

OpenSC provides a set of libraries and utilities to work with smart cards. Its main focus is on cards that support cryptographic operations, and facilitate their use in security applications such as authentication, mail encryption and digital signatures. OpenSC implements the standard APIs to smart cards, e.g. PKCS#11 API, Windows' Smart Card Minidriver and macOS CryptoTokenKit.

Here are some actions you likely completed, but I have to verify:

  • [ ] Run browsers to init databases before running the script
  • [ ] OpenSC is now your installed middleware
  • [ ] Ensure the pkcs11.txt points to OpenSC by running pkcs11-register
  • [ ] Restart pcscd services with the following:
sudo systemctl restart pcscd && sudo systemctl status pcscd

If you do have OpenSC, you can run the following command to see if it sees your specific reader:

opensc-tool --list-readers

This command and others can be found here.

Follow up here if all of this checks out and the issue persists.

jdjaxon avatar Dec 04 '24 21:12 jdjaxon
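
The checklist above asks whether pkcs11.txt points to OpenSC. As an added example (not part of the thread or of the linux_cac script), this shell function reads each browser's NSS `pkcs11.txt` and reports whether an OpenSC module is registered and its library file exists. The database paths are the usual defaults for Chrome, apt Firefox and snap Firefox and are assumptions, and the status words are the example's own.

```shell
#!/bin/sh
# Added example: report whether an NSS pkcs11.txt registers the OpenSC module.
# Status words (opensc-ok, lib-missing, not-registered, no-db) are this example's own.

# nss_opensc_status FILE -> prints one status word for a single pkcs11.txt
nss_opensc_status() {
    db=$1
    [ -f "$db" ] || { echo "no-db"; return 0; }
    # Each module stanza carries a "library=" line; the NSS internal
    # module leaves it empty, a PKCS#11 module names its shared object.
    lib=$(sed -n 's/^library=\(.*opensc-pkcs11\.so\)[[:space:]]*$/\1/p' "$db" | head -n 1)
    if [ -z "$lib" ]; then
        echo "not-registered"
        return 0
    fi
    case $lib in
        /*) ;;                                  # absolute path: verify it below
        *)  echo "opensc-ok"; return 0 ;;       # bare name: resolved by the loader
    esac
    if [ -e "$lib" ]; then
        echo "opensc-ok"
    else
        # Registered, but the file is gone (package removed or moved).
        echo "lib-missing"
    fi
    return 0
}

# Scan the usual per-user locations (assumed defaults; adjust for your profiles).
scan_nss_dbs() {
    for db in "$HOME/.pki/nssdb/pkcs11.txt" \
              "$HOME"/.mozilla/firefox/*/pkcs11.txt \
              "$HOME"/snap/firefox/common/.mozilla/firefox/*/pkcs11.txt; do
        printf '%-16s %s\n' "$(nss_opensc_status "$db")" "$db"
    done
}

scan_nss_dbs
```

A `not-registered` or `no-db` result for a Firefox profile matches an empty Security Devices list; `lib-missing` means the entry exists but the browser cannot load the module.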

Thanks for trying to help out! I've installed this today for the first time, but even so I did make sure I didn't have CACKey installed.

Let's see, running through these:

Run browsers to init databases before running the script

Yep, done.

OpenSC is now your installed middleware

Not sure what this means, but if I run opensc-tool -n it does show my reader and card.

Ensure the pkcs11.txt points to OpenSC by running pkcs11-register

Run it!

Restart pcscd services with the following:

Done!

And the opensc-tool --list-readers command shows my reader and the card.

After the above, no changes to the behavior on either Chrome or Firefox as far as I can tell.

dfego avatar Dec 04 '24 21:12 dfego

I have two ideas for Chrome:

  • If the site you are trying to access isn't affiliated with the DoD, there may be CA certificates that you will need that were not installed by the script.
  • It may be caching the page, so you could also try clearing the cache and retrying.

The issue with Firefox seems to have the same behavior as the issue with the snap version of Firefox. Apt Firefox tends to be the browser I have the fewest issues with. I'll do some digging on this though. You can go to Preferences > Privacy & Security > Security Devices to manually check if Firefox can see the module.

jdjaxon avatar Dec 04 '24 21:12 jdjaxon

Thanks for your help again!

The site is a .mil domain, so I imagine the relevant certificates would be there, but I'm not sure.

I took your advice and tried clearing the cache, but no dice.

As for Firefox, I can confirm that the Security Devices menu does not see my reader.

dfego avatar Dec 04 '24 22:12 dfego