Welcome to linux_cac Discussions!

[jdjaxon]

👋 Welcome!

We’re using Discussions as a place to ask questions and share any ideas. Feel free to:

• Ask questions you’re wondering about.
• Share ideas.
• Engage with other community members.

To get started, comment below with any questions or ideas you have.

[Batrachomyomachia]

Question-DOD cac and remote desktop? So, wondering if anyone knows how to fix this. Installed and CAC is working fine on linux (Ubuntu and Pop OS in my case) but there are certain functionalities that are unavailable (mainly decrypt and cac document sign). DOD has its remote desktop capability, so a DOD windows system you can sign on to from a linux machine through a url. This works fine as well, the problem comes when the remote windows machine attempts to call the cac credentials (the examples would be to decrypt an email or sign an adobe document). It appears to me that the remote desktop has no ability to access the USB CAC on a windows machine (I've tried on several distros and always get the same result, it shows no cac available despite the fact that I used the cac on linux to sign into the remote desktop in the first place). Is there a solution (command or configuration) that would allow the DOD remote windows desktop to access the physical USB cac reader on a linux machine? Really want to figure this out and spread the TTP to other DOD members.

[jdjaxon]

I have never used this, so forgive me if this is a dumb question. Is there a way to bridge the device similar to the way you can when using a virtual machine?

[Batrachomyomachia]

Yeah thats a possibility but I haven't figured out a way to get it to work. I can't help but think there is a really simple solution here about setting the configuration somehow so it allows remote machine access to the physical devices but I'm not having any success so far.

…

On Tue, Aug 8, 2023 at 6:42 AM Jeremy Jackson ***@***.***> wrote: I have never used this, so forgive if this is a dumb question. Is there a way to bridge the device similar to the way you can when using a virtual machine? — Reply to this email directly, view it on GitHub <#14 (reply in thread)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AKSYN6ETFAWJXPFQAOPLFM3XUI65PANCNFSM6AAAAAA3C4JYGY> . You are receiving this because you commented.Message ID: ***@***.***>

[pdzaffina]

I don't think this answers your actual question but I thought I'd share anyway just in case. I've had good success using the remote program for AVD through the web only interface.

https://client.wvd.azure.us/arm/webclient/index.html

[m2Giles]

Was there any consideration of installing the certs to the system SSL store instead of installing into user databases for each browser?

Coolkey should also be looked at. Compared to cackey it shouldn't require any pinning and is also in repos. One of my installs has had it running since 19.10.

For the remote desktop. I've been able to forward a smartcard using remmina. It's an option in the rdp connection settings. However, I've only tested with personal windows installs but they can use the local smart card.

Solid script. Definitely will keep in my pocket for any Ubuntu boxes in the future.

[jdjaxon]

I knew of the system SSL store, but I honestly didn't even consider it when I first made this. That is a good idea. I'll look into it. At a cursory glance, it seems pretty straightforward.

I'll look into Coolkey as well. I only went with cackey because, of all the different middleware, it was the one that I had the most consistent success with while creating the script. I could have easily just been screwing up something completely unrelated to any of the middleware at that point. It's worth looking into Coolkey again. Another user had mentioned a way of eliminating the pinning issue with cackey, but I haven't yet had time to test it.

I appreciate your feedback!

[m2Giles]

I have got flatpaks to work with pkcs#11 tokens now. I haven't poked around enough with snaps to see if that's possible. There seems to be something available with pcscd.

Flatpaks could be an alternative path if they have flatpak already installed on the system. This was on Fedora so unsure how much of the glue is even missing.

[deboard]

Great script! The militarycac instructions didn't work this time, but this script did.