To configure smart card redirection on an Ubuntu virtual machine (VM), install the libraries on which the feature depends and the root Certificate Authority (CA) certificate to support the trusted authentication of smart cards. In addition, you must edit some configuration files to complete the authentication setup.
Some examples in the procedure use placeholder values to represent entities in your network configuration, such as the DNS name of your AD domain. Replace the placeholder values with information specific to your configuration, as described in the following table.
Placeholder Value |
Description |
dns_IP_ADDRESS |
IP address of your DNS name server |
mydomain.com |
DNS name of your AD domain |
MYDOMAIN.COM |
DNS name of your AD domain, in all capital letters |
MYDOMAIN |
DNS name of the workgroup or NT domain that includes your Samba server, in all capital letters |
ads-hostname |
Host name of your AD server |
ads-hostname.mydomain.com |
Fully qualified domain name (FQDN) of your AD server |
mytimeserver.mycompany.com |
DNS name of your NTP time server |
AdminUser |
User name of the VM administrator |
Procedure
- Install the required libraries on the Ubuntu VM.
apt-get install -y pcscd pcsc-tools pkg-config libpam-pkcs11 opensc
libengine-pkcs11-openssl libnss3-tools
- Install a root CA certificate.
- Download a root CA certificate and save it to /tmp/certificate.cer on the Ubuntu VM. See How to Export Root Certification Authority Certificate.
- Locate the root CA certificate that you downloaded, and transfer it to a .pem file.
openssl x509 -inform der -in /tmp/certificate.cer -out /tmp/certificate.pem
- Use the certutil command to install the root CA certificate to the system database /etc/pki/nssdb.
Replace "root CA cert" in the following example command with the name of the root CA certificate in the system database.
certutil -A -d /etc/pki/nssdb -n "root CA cert" -t "CT,C,C" -i /tmp/certificate.pem
- Copy the root CA certificate to the /etc/pam_pkcs11/cacerts directory.
mkdir -p /etc/pam_pkcs11/cacerts
cp /tmp/certificate.pem /etc/pam_pkcs11/cacerts
- Create a pkcs11 hash file.
chmod a+r certificate.pem
pkcs11_make_hash_link
- Copy the required drivers and add the necessary library files to the nssdb directory.
- Run commands similar to the following example.
These example commands show how to add
libcmP11.so, the driver file for the Gemalto PIV 2.0 card, to the
nssdb directory. In place of
libcmP11.so, you can substitute the driver file for your smart card.
cp libcmP11.so /usr/lib/
mkdir -p /etc/pki/nssdb
certutil -N -d /etc/pki/nssdb
certutil -A -n rootca -i certificate.pem -t "CT,CT,CT" -d /etc/pki/nssdb
modutil -dbdir /etc/pki/nssdb/ -add "piv card 2.0" -libfile /usr/lib/libcmP11.so
- Verify that the expected certificate is loaded successfully by running the following command.
# certutil -L -d /etc/pki/nssdb
Verify that the command returns output similar to the following example.
Certificate Nickname
rootca
- Verify that the expected libraries are added successfully by running the following command.
modutil -dbdir /etc/pki/nssdb -list
Verify that the command returns output similar to the following example.
Listing of PKCS #11 Modules
–-----------------------------------------------------------
1. NSS Internal PKCS #11 Module
slots: 2 slots attached
status: loaded
slot: NSS Internal Cryptographic Services
token: NSS Generic Crypto Services
slot: NSS User Private Key and Certificate Services
token: NSS Certificate DB
2. piv card 2.0
library name: /usr/lib/libcmP11.so
slots: There are no slots attached to this module
status: loaded
–-----------------------------------------------------------
- Configure the pam_pkcs11 library.
- Create a pam_pkcs11.conf file using default example content.
- For Ubuntu 18.04 or 20.04, run the following command sequence.
mkdir /etc/pam_pkcs11
zcat /usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example.gz | tee /etc/pam_pkcs11/pam_pkcs11.conf
- For Ubuntu 20.04.1 or later, run the following command sequence.
mkdir /etc/pam_pkcs11
cat /usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example | tee /etc/pam_pkcs11/pam_pkcs11.conf
- Edit the /etc/pam_pkcs11/pam_pkcs11.conf file as shown in the following example.
use_pkcs11_module = mysc;
pkcs11_module mysc {
module = /usr/lib/libcmP11.so;
description = "LIBCMP11";
slot_num = 0;
ca_dir = /etc/pam_pkcs11/cacerts;
nss_dir = /etc/pki/nssdb;
cert_policy = ca;
}
...
use_mappers = cn, null;
...
mapper cn {
debug = false;
module = internal;
# module = /lib/pam_pkcs11/cn_mapper.so;
ignorecase = true;
mapfile = file:///etc/pam_pkcs11/cn_map;
# mapfile = "none";
}
- Edit the /etc/pam_pkcs11/cn_map file so that it includes the following line.
- Edit the /etc/pam.d/gdm-password configuration file. Place the pam_pkcs11.so authorization line before the common-auth line, as shown in the following example.
#%PAM-1.0
auth requisite pam_nologin.so
auth required pam_succeed_if.so user != root quiet_success
auth sufficient pam_pkcs11.so
@include common-auth
auth optional pam_gnome_keyring.so
@include common-account
- To verify the smart card hardware and the certificates installed on the smart card, run the following commands.
pcsc_scan
pkcs11_listcerts
pkcs11_inspect
- Configure the pcscd service to start automatically after the VM restarts.
Note: If the pcscd service does not start after the VM restarts, the first login attempt through pam_pkcs11 fails.
- Edit the /lib/systemd/system/pcscd.service file by adding the line
WantedBy=multi-user.target
to the [Install] section.
Verify that the edited file resembles the following example.
[Unit]
Description=PC/SC Smart Card Daemon
Requires=pcscd.socket
[Service]
ExecStart=/usr/sbin/pcscd --foreground --auto-exit
ExecReload=/usr/sbin/pcscd --hotplug
[Install]
WantedBy=multi-user.target
Also=pcscd.socket
- Enable the pcscd service.
systemctl enable pcscd.service
- Update the PC/SC Lite library to version 1.8.8.
apt-get install -y git autoconf automake libtool flex libudev-dev
git clone https://salsa.debian.org/rousseau/PCSC.git
cd PCSC/
git checkout -b pcsc-1.8.8 1.8.8
./bootstrap
./configure --prefix=/usr --sysconfdir=/etc --libdir=/lib/x86_64-linux-gnu/ CFLAGS="-g -O2
-fstack-protector-strong -Wformat -Werror=format-security" LIBS="-ldl" LDFLAGS="-Wl,
-Bsymbolic-functions -Wl,-z,relro" CPPFLAGS="-Wdate-time -D_FORTIFY_SOURCE=2"
make
make install
- Install the Horizon Agent package, with smart card redirection enabled.
sudo ./install_viewagent.sh -m yes
- Restart the Ubuntu VM and log back in.