2

I'm trying to set up smart card browser support for all users of a system on LTS 20.04. I've read quite a few guides, including this one:

https://help.ubuntu.com/community/CommonAccessCard

but most seem to end up with a command similar to this:

modutil -dbdir sql:.pki/nssdb/ -add "OpenSC" -libfile /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so

Which works, but each user would have to run that (on every system they use). If I try to create /etc/pki/nssdb and use a similar command, it appears to do nothing.

I've come across the following:

dpkg-divert --rename --add /usr/lib/firefox/libnssckbi.so
dpkg-divert --rename --add /usr/lib/x86_64-linux-gnu/nss/libnssckbi.so
ln -s /usr/lib/x86_64-linux-gnu/pkcs11/p11-kit-trust.so /usr/lib/firefox/libnssckbi.so
ln -s /usr/lib/x86_64-linux-gnu/pkcs11/p11-kit-trust.so /usr/lib/x86_64-linux-gnu/nss/libnssckbi.so

which apparently has worked for others, but even after doing this, unless I modify ~/.pki/nssdb Chrome doesn't work, and unless I add a security device to Firefox (which I can at least do system-wide with a .json file) it doesn't "see" my smart card either.

(I even installed Edge and tried that, but it behaves identically to Chrome. Can't get the Teams app to see my smart card no matter what, but that's another story.)

Ray Shaw
  • 21

1 Answers1

0

For Firefox you can use a global policy

{
 "policies": {
   "SecurityDevices": {
      "scInterface": "/usr/local/lib/libcvP11.so"
    }
  }
}

to be placed under /usr/lib/firefox/distribution/policies.json (At least for Ubuntu 20.04) Some more infos you may refer to https://support.mozilla.org/en-US/kb/managing-policies-linux-desktops and for a list of all possible policies you may refer to https://github.com/mozilla/policy-templates

I haven’t found a way to do this for Chromium at the moment. It seems possible to have a global nss database, but it seems to be ignored by Chromium. Looking forward to hear a working solution and sorry for being able to provide one here.

Tilman
  • 1