
Thread: Terminal Service Client and Card Reader Login

  1. #1
    Join Date
    Mar 2009
    Beans
    128

    Terminal Service Client and Card Reader Login

    I'm trying to log in to my work computer. It requires first a VPN with a DOD CAC using a card reader and PIN. Then a remote desktop connection using the same CAC and PIN.

    I have successfully followed the instructions here to establish a VPN connection through a web-based Cisco AnyConnect.

    But all my attempts at a remote desktop connection failed because I don't have the option of logging in with the CAC and PIN.

    The only Google search I have found that addresses this problem is this one.

    But I'm new to Linux, so I may not be following the guide that well. I especially don't know what step 2 is all about.

    Any ideas?
    Last edited by randyklein99; April 21st, 2009 at 10:57 PM.

  2. #2
    Join Date
    Mar 2009
    Beans
    128

    Re: Terminal Service Client and Card Reader Login

    So I finally figured it out, or all my random tinkering since the OP did it by magic. But I think what made it work was the following interpretation of the second hyperlink in the OP:
    1. downloaded the rdesktop to /usr/local/src instead of /home
    2. a -- looks like a long dash in my browser

    Those two things seemed to do the trick. So now I can rdesktop -r scard server just fine.

    And if anyone reading this knows, must you download files into that directory?

  3. #3
    Join Date
    Mar 2009
    Beans
    128

    Re: Terminal Service Client and Card Reader Login

    Also, is there a way to integrate the "-r scard" parameter in the Terminal Server Client?

  4. #4
    Join Date
    Mar 2009
    Beans
    128

    Re: Terminal Service Client and Card Reader Login

    OK, I think I have figured it out. Apparently it was the random tinkering that did it and not what I mentioned above. But I have been able to re-tinker the randomness after a clean install of Jaunty.

    Hopefully this isn't only my application-specific instructions. But if it is, rest assured that this will allow you to VPN into AFIT's servers and then rdesktop to one of the terminal servers using only your DoD CAC and pin.

    And since this seems to be a thread to only me and myself, I imagine no one will mind me laying out the steps here so I can re-do again in the future.

    The steps are a compilation from two websites:
    http://symbolik.wordpress.com/2007/0...ders-on-linux/
    http://symbolik.wordpress.com/2007/0...-rdesktop-15x/

    And just in case these links ever die, here's what they say (with the appropriate credit due):


    # Download the following tarball files and extract them (tar xvfz filename.tar.gz):

    * libusb - Project URL: "http://libusb.sourceforge.net/"
    * pcsc-lite - Project URL: "http://pcsclite.alioth.debian.org/"
    * pcsc-tools - Project URL: "http://ludovic.rousseau.free.fr/softwares/pcsc-tools/"
    * ccid - Project URL: "http://pcsclite.alioth.debian.org/ccid.html"
    * CoolKey - Project URL: "http://directory.fedora.redhat.com/wiki/CoolKey"

    # Make the install directories, along with a critical build-time directory - "mkdir -p /usr/cac/lib/pkgconfig"
    # Set the build variable - "declare -x PKG_CONFIG_PATH=/usr/cac/lib/pkgconfig" - this is only needed for building, not later using these tools.
    # Change to the respective directories and configure/make/make install:

    * cd libusb-0.1.12 && ./configure --prefix=/usr/cac && make && make install, then cd up one directory
    * cd pcsc-lite-1.4.0 && ./configure --prefix=/usr/cac && make && make install, then cd up one directory
    * cd pcsc-tools-1.4.8 && edit "Makefile" - change "DESTDIR" to "/usr/cac" && make && make install, then cd up one directory
    * cd ccid-1.2.1 && ./configure --prefix=/usr/cac && make && make install, then cd up one directory
    * cd coolkey-1.1.0 && ./configure --prefix=/usr/cac && make && make install, then cd up one directory

    In continuing to integrate CAC into Linux, I went to the RDesktop SourceForge CVS website, followed the cvs download directions (using "rdesktop" as the modulename), and downloaded the latest version of rdesktop, which is supposed to have smartcard reader support. This piggybacks off of the installation of the CAC reader software in the previous post.

    Once downloaded, cd to the rdesktop directory and do the following:

    1. Run the command "declare -x PKG_CONFIG_PATH=/usr/cac/lib/pkgconfig"
    2. "./configure --prefix=/usr/cac --enable-smartcard" - look for the line, "checking for PCSCLITE:" - it should say "yes" (thanks to the previous "declare" command)
    3. make && make install
    4. Run with "rdesktop -r scard <remote IP>:<remote port>"

    Also, keep in mind that I did this after following the instructions on this link. So I have no idea if the following is redundant or overwrites what I previously did. Hopefully someone else can figure that out.

    Now for the nifty code stuff that I actually ran after extracting all the files to their directories in my home/user directory (with updated version numbers than in the above quotes):

    Code:
    sudo mkdir -p /usr/cac/lib/pkgconfig
    Code:
    declare -x PKG_CONFIG_PATH=/usr/cac/lib/pkgconfig
    Code:
    cd libusb-1.0.0 && ./configure --prefix=/usr/cac && make && sudo make install && cd
    Code:
    cd pcsc-lite-1.5.3 && ./configure --prefix=/usr/cac && make && sudo make install && cd

    Code:
    cd pcsc-tools-1.4.15 && gedit Makefile

    # Not a command but a text change inside Makefile: change "DESTDIR" to "/usr/cac"
    # The commands continue:

    ./configure --prefix=/usr/cac && make && sudo make install && cd
    Code:
    cd ccid-1.3.10 && ./configure --prefix=/usr/cac && make && sudo make install && cd
    Code:
    cd coolkey-1.1.0 && ./configure --prefix=/usr/cac && make && sudo make install && cd
    Code:
    cd rdesktop-1.6.0 && declare -x PKG_CONFIG_PATH=/usr/cac/lib/pkgconfig && ./configure --prefix=/usr/cac --enable-smartcard && make && sudo make install && cd
    That's it. If you then VPN in and run:
    Code:
    rdesktop -r scard <remote IP>:<remote port>
    you should have CAC login ability to a terminal server.

    Or for a full-screen (toggle with CTRL - ALT - ENTER):
    Code:
    rdesktop -fr scard <remote IP>:<remote port>
    Also, I found out that in order to get my VPN with Cisco Anyconnect working, I needed the latest JRE and java plugin:
    Code:
    sudo apt-get install sun-java6-jre sun-java6-plugin
    Otherwise the Anyconnect would just sit there and then fail.

    Well, hopefully I have properly captured the random tinkering I did to accomplish this from a fresh install. And if anyone else reads this thread with a similar problem, I hope it works for you.
    Last edited by randyklein99; May 19th, 2009 at 01:14 AM.

  5. #5
    Join Date
    Mar 2009
    Beans
    128

    Re: Terminal Service Client and Card Reader Login

    Update:

    The Cisco AnyConnect does not work with 64-bit Ubuntu, since there doesn't seem to be a 64-bit AnyConnect. However, there seems to be a workaround using a 32-bit Firefox, but I haven't tried that yet.

  6. #6
    Join Date
    Jul 2009
    Beans
    1

    Re: Terminal Service Client and Card Reader Login

    Thanks for your excellent write up and work. I'm currently working on getting this all to work in Ubuntu 9.04 and I'll edit this post with my findings.

    Just wanted to let you know that someone is paying attention.

  7. #7
    Join Date
    Aug 2009
    Beans
    5

    Re: Terminal Service Client and Card Reader Login

    I'm also trying to get this to work on 9.04. I have my CAC working with Firefox, but not with AnyConnect client or the web-based VPN service. I was hoping randyklein99 might be able to help me out. I just started at AFIT. Thanks for your help.

  8. #8
    Join Date
    Mar 2009
    Beans
    128

    Re: Terminal Service Client and Card Reader Login

    If you're using 64-bit, I haven't figured out a way yet. Not that there isn't a way, I just haven't explored it yet.

    Let me know if you're using 64- or 32-bit 9.04.

  9. #9
    Join Date
    Aug 2009
    Beans
    5

    Re: Terminal Service Client and Card Reader Login

    I'm using 32-bit 9.04.

    I have the AnyConnect software installed from the web-based VPN server. When I launch it I get the screen asking for the IP address. I use the one I found in the .PCF file for VPN access (ends with 246.249). It then pops a warning with Certificate information and the message: "Warning: The following Certificate received from the Server could not be verified:". I click accept. It then gives the following error "Certificate Validation Error" at the bottom of the window. I have tried to send stderr and stdout to a file, but it is always blank. I do have Java installed.

    When I try to use the web-based SSL VPN, everything works fine until I try to connect to one of the servers with RDP. It pops up a window asking to select a certificate (looks like a java pop-up) but doesn't list any certs.

    Thanks for your help.

  10. #10
    Join Date
    Mar 2009
    Beans
    128

    Re: Terminal Service Client and Card Reader Login

    So have you compiled rdesktop with smart card enabled? And if so, are you sure you are running the compiled version and not the previous one?
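
Added example (not part of the thread): a shell check for the two questions in post #10, reporting which rdesktop the shell would run and whether its `ldd` output shows the pcsc-lite library. The function names and the `check` argument are assumptions made for this example; `/usr/cac` is the prefix used in post #4.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.
CAC_PREFIX="${CAC_PREFIX:-/usr/cac}"   # --prefix used in the thread's builds

# Print the first executable file named rdesktop on a PATH-style list.
resolve_rdesktop() {
    local dir IFS=:
    for dir in $1; do
        if [ -f "$dir/rdesktop" ] && [ -x "$dir/rdesktop" ]; then
            printf '%s\n' "$dir/rdesktop"
            return 0
        fi
    done
    return 1
}

# Classify ldd output read from stdin:
#   ok         libpcsclite is linked and the loader resolves it
#   unresolved libpcsclite is linked but the loader cannot find it
#   absent     no libpcsclite dependency (built without --enable-smartcard)
scard_linkage() {
    local line state=absent
    while IFS= read -r line; do
        case "$line" in
            *libpcsclite.so*"not found"*) state=unresolved ;;
            *libpcsclite.so*"=>"*)
                if [ "$state" = absent ]; then state=ok; fi ;;
        esac
    done
    printf '%s\n' "$state"
}

# Report which rdesktop would run for a given PATH and how it is linked.
check_rdesktop() {
    local bin
    bin=$(resolve_rdesktop "$1") || { echo "no rdesktop found on PATH"; return 2; }
    case "$bin" in
        "$CAC_PREFIX"/*) echo "$bin (the $CAC_PREFIX build)" ;;
        *) echo "$bin (not the $CAC_PREFIX build; call $CAC_PREFIX/bin/rdesktop by full path)" ;;
    esac
    echo "libpcsclite linkage: $(ldd "$bin" 2>/dev/null | scard_linkage)"
}

# Run the check only when asked: sh check_rdesktop.sh check
if [ "${1:-}" = "check" ]; then check_rdesktop "$PATH"; fi
```

A result of `unresolved` means the binary was built with smart card support but the dynamic loader cannot find the library installed under the `/usr/cac` prefix.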
