Friday, July 9, 2021

How to Set Up CAC/PIV Cards on Ubuntu Linux 20.04 LTS

NOTE: Verified to work with PIV/CAC Cards

NOTE: Do not use a regular USB drive if you are traveling. Only use a Military Grade FIPS 140-2, Level 3 Certified Device. Do Not use that Fingerprint reader garbage. What if your finger got chopped off? Use a PIN you can easily remember, because if you forget it, your VM and data on the USB will be toast and not recoverable.

NOTE: This tutorial is for a bare-metal Ubuntu Linux 20.04 LTS laptop, not a virtual machine. Make sure you encrypt your laptop during OS installation. Do NOT be an idiot and use the same encryption password as the OS login.

https://www.amazon.com/iStorage-datAshur-PRO2-Secure-Encrypted/dp/B07VK7JTQT/ref=sr_1_1?dchild=1&keywords=istorage+datashur&qid=1625886216&sr=8-1

1. Purchase an ACS Smart Card reader (Manufacturer Code: ACR39U-N1)

https://www.amazon.com/ACS-ACR39U-N1-Pocketmate-II/dp/B0758TS5JR

https://www.acs.com.hk/en/products/426/acr39u-n1-pocketmate-ii-smart-card-reader-usb-type-a/ (PC/SC drivers are located under the "Downloads" tab)

https://www.scbsolutions.com/express/product_info.php?products_id=183


2. Official Ubuntu Wiki Docs:

https://help.ubuntu.com/community/CommonAccessCard


3. Install the PCSC Drivers and tools to make sure the card is working:

sudo apt-get update && sudo apt-get upgrade -y

sudo apt install pcsc-tools libnss3-tools

sudo systemctl enable pcscd

pcsc_scan

modutil -dbdir sql:$HOME/.pki/nssdb -list

Note: Make sure the PIV/CAC card is inserted in the reader and the reader is plugged into USB. Now when you run pcsc_scan in a Terminal you should see the reader and the card's ATR listed. If you don't see results, it's not working. Run the modutil command to see the listing of PKCS #11 modules registered in your user NSS database (this is what Firefox/Chrome use to talk to the card).
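Here is an added check script for step 3 (example code, not from the original post): it verifies that pcscd is running and a reader is visible, then registers the PKCS #11 module in the NSS database if modutil does not already list it. It assumes the opensc-pkcs11 package provides the library at the MODULE_LIB path below, that the browsers read ~/.pki/nssdb, and that pcsc_scan -r prints one "N: <reader name>" line per reader; none of these are stated on the page.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: sanity-check the step 3 setup and
# register the OpenSC PKCS#11 module in the user's NSS database if it is missing.
# Assumptions (not stated on the page): the opensc-pkcs11 package provides the
# library at MODULE_LIB, Firefox/Chrome read the NSS DB at ~/.pki/nssdb, and
# pcsc_scan -r prints one "N: <reader name>" line per reader.
set -u

MODULE_NAME="CAC Module"                                  # assumed label for the NSS entry
MODULE_LIB="/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so"  # assumed path on Ubuntu 20.04 amd64
NSSDB="sql:${HOME}/.pki/nssdb"

# Returns 0 when the `modutil -list` output passed as $1 already names MODULE_LIB.
# Takes text rather than running modutil so it can be checked without a reader attached.
module_registered() {
    printf '%s\n' "$1" | grep -Fq "library name: ${MODULE_LIB}"
}

# Returns 0 when the `pcsc_scan -r` output passed as $1 lists at least one reader.
reader_present() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*[0-9]+: '
}

check_setup() {
    # 1. pcscd must be running, or nothing will see the reader.
    if ! systemctl is-active --quiet pcscd; then
        echo "pcscd is not active; run: sudo systemctl enable --now pcscd" >&2
        return 1
    fi
    # 2. The reader must be enumerated (the post's pcsc_scan check).
    if ! reader_present "$(pcsc_scan -r 2>/dev/null)"; then
        echo "no smart card reader found; check the USB reader and pcscd" >&2
        return 1
    fi
    # 3. The PKCS#11 module must be in the NSS DB, or browsers never prompt for the PIN.
    if module_registered "$(modutil -dbdir "$NSSDB" -list 2>/dev/null)"; then
        echo "PKCS#11 module already registered in $NSSDB"
    else
        echo "registering $MODULE_LIB as '$MODULE_NAME' in $NSSDB"
        modutil -dbdir "$NSSDB" -add "$MODULE_NAME" -libfile "$MODULE_LIB" -force
    fi
}

# Only run the checks when invoked with "run", so the functions can be sourced/tested.
case "${1:-}" in
    run) check_setup ;;
esac
```

Run it as `bash cac-check.sh run`; if ~/.pki/nssdb does not exist yet (no browser has created it), create it first with `certutil -N -d sql:$HOME/.pki/nssdb --empty-password`.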


4. P2V your laptop using VMware Converter: https://www.vmware.com/products/converter.html (Note: If you don't know how to use VMware Converter, you likely have no business doing this, so don't.) If VMware Converter fails with a minor error and you're at 98%, don't worry about it. The VM is good to go.


5. After you have P2V'd your laptop, save the files to a large USB 3.0 drive (don't use USB 2.0 drives, they're too damn slow), 128GB and up.

6. Install VMware Player or VMware Workstation for Linux (VMware Player is free for non-commercial use; VMware Workstation is paid, but you can use it free for the first 30 days):

https://my.vmware.com/en/web/vmware/downloads/details?downloadGroup=WKST-PLAYER-1612&productId=1039&rPId=66621

https://www.vmware.com/products/workstation-pro/workstation-pro-evaluation.html

7. Make sure you enable the Ubuntu firewall and install fail2ban (don't take stupid risks with your cybersecurity and cyber hygiene):

sudo apt-get install fail2ban -y

sudo systemctl enable fail2ban

8. Control your LAN connection with a VPN (do NOT use public Wi-Fi unprotected!!). Stay **FAR** away from free VPNs. You have been warned. The only exception is a VPN to your own personal AWS/Azure/GCP VPN server that you protect and maintain; otherwise save the hassle and just pay for one, or control your own and lock it DOWN! If you don't know what you're doing or you're not comfortable with the command line, pay for the damn VPN.

https://www.mozilla.org/en-US/products/vpn/

https://surfshark.com/

NOTE: Make sure your solution works natively for Ubuntu Linux 18.04 LTS and Later

9. Import your laptop VM into VMware Player or VMware Workstation (if you have vmmon module errors, fix those first or you will spend hours trying to get the VM to boot). PRO TIP: Create a dummy VM first and make sure the OS boots before you give yourself a brain aneurysm trying to figure out why the VM is not booting. Once you have made sure the VM boots, you can import the laptop.

10. Boot your laptop VM and make sure you connect the shared smart card reader to the VM. Do this while it's booting: the reader is in the lower right-hand corner of the VMware window with a red X. Make sure you click Connect.

11. Log in to the VM and type your smart card PIN. Boot and log in.

12. Join your organization's VPN using the smart card (this is how Windows will activate your OS).

13. Load MS Outlook/Teams and any other org software and make sure they launch and work.

14. MS Outlook will take a long time to load your mailbox with less than 4GB of RAM and 2 CPUs, or if you're using less than an Intel i7 processor, so be patient.



