By now you’ve likely heard about the benefits of two-factor authentication. Enabling multi-factor authentication can increase the security of accounts you use to access various social media websites like Twitter, Facebook, or even your Google Account. This post is going to be about a bit more.
The U.S. Armed Services span millions of military and civilian employees. If you’re a member of these services, you’ve probably been issued a DoD CAC smartcard to access various websites. With the smartcard come compatibility issues, specific instructions tailored to each operating system, and a host of headaches. It’s difficult to find reliable instructions to access military websites from Linux operating systems. This article shows you how to set up your Fedora system to log in to DoD CAC-enabled websites.
Installing and configuring OpenSC
First, install the opensc package:
sudo dnf install -y opensc
This package provides the necessary middleware to interface with the DoD Smartcard. It also includes tools to test and debug the functionality of your smartcard.
With that installed, next set it up under the Security Devices section of Firefox. Open the menu in Firefox, and navigate to Preferences -> Advanced.
In the Certificates tab, select Security Devices. From this page select the Load button on the right side of the page. Now set a module name (“OpenSC” will work fine) and use this screen to browse to the location of the shared library you need to use.
Browse to the /lib64/pkcs11/ directory, select opensc-pkcs11.so, and click Open. If you’re currently a “dual status” employee, you may wish to select the onepin-opensc-pkcs11.so shared library instead. If you have no idea what “dual status” means, carry on and simply select the former library.
Click OK to finish the process.
Now you can navigate to your chosen DoD CAC-enabled site and log in. You’ll be prompted to enter the PIN for your CAC, then select a certificate to use. If you’re logging into a normal DoD website, select the Authentication certificate. If you’re logging into a webmail service such as https://web.mail.mil, select the Digital Signing certificate. NOTE: “Dual status” personnel should use the Authentication certificate.
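An added example, not part of the original article: a shell script that checks the middleware from the command line, using the opensc-tool and pkcs11-tool utilities shipped in the opensc package, and lists the certificate labels the card exposes. The function names, the /usr/lib64/pkcs11 fallback directory, the "label:" line format and the sample output are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: check the OpenSC middleware from the shell before using Firefox.
# Print the first directory (args 2..n) that contains the library named in arg 1.
find_module() {
    lib=$1; shift
    for dir in "$@"; do
        if [ -f "$dir/$lib" ]; then
            printf '%s\n' "$dir/$lib"
            return 0
        fi
    done
    return 1
}

# Filter `pkcs11-tool --list-objects --type cert` output down to the labels.
# Assumption: each certificate is printed with a "  label:  <text>" line.
cert_labels() {
    sed -n 's/^[[:space:]]*label:[[:space:]]*//p'
}

# Constructed sample output (not from a real card) for trying cert_labels offline.
sample_output() {
    cat <<'EOF'
Certificate Object; type = X.509 cert
  label:      Certificate for PIV Authentication
  ID:         01
Certificate Object; type = X.509 cert
  label:      Certificate for Digital Signature
  ID:         02
EOF
}

# Live check: module present, reader visible, card detected, certificates listed.
check_cac() {
    module=$(find_module "${1:-opensc-pkcs11.so}" /lib64/pkcs11 /usr/lib64/pkcs11) || {
        echo "PKCS#11 module not found; is the opensc package installed?" >&2
        return 1
    }
    echo "Module: $module"
    opensc-tool --list-readers || return 1
    pkcs11-tool --module "$module" --list-token-slots || return 1
    echo "Certificate labels on the card:"
    pkcs11-tool --module "$module" --list-objects --type cert | cert_labels
}

# Touch the hardware only when asked: sh check-cac.sh --check [library-name]
if [ "${1:-}" = "--check" ]; then
    check_cac "${2:-}"
fi
```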
The same process works for the PIV card format used by US Federal civilian agencies. See also https://sagecreeksoft.blogspot.com/ for some additional hints on obtaining the intermediate certs that may or may not be installed by default on a Fedora system.
Thank you for posting the detailed instructions for the brave men and women in the US military! This story speaks volumes of Fedora’s readiness to serve people beyond the usual geek/IT/engineering crowd. It’s an example for other security-conscious organizations. It’s also a reminder for Fedora’s developers that Fedora is serving people who put their lives on the line. Security issues should be treated accordingly.
I hope to see more stories like this, showcasing the security technologies present in Fedora.
Do you think you would be able to contribute to this website?:
I’ve visited that page many times seeking help for Windows systems, so I’d be happy to help.
Are you in contact with one of the site admins?
Khris, thank you for the post.
Been using the CAC on Fedora and Firefox for some years, but instead of the opensc module, been using the libcoolkey module. When accessing a site and using the opensc pkcs11 module, you get a PIN and certificate selection prompt multiple times. Using libcoolkey only prompts once for certificate selection. Card reader is OMNIKEY AG CardMan 3121.
sudo dnf install -y coolkey
Note that coolkey is being replaced by opensc. See:
You may want to report as bugs any significant differences between them.
Is there any way to use my biometric scanner to log in to Fedora?