Interesting Smartcard Behavior…

I am no expert on smartcards (we use Common Access Cards, or CAC, at work).  Recently, I was having issues with ActiveClient reading my card, which told me I had mistyped my PIN twice.  Once more, and it would lock out my card.  So I went and asked a coworker how long the timeout is.  He told me there is no timeout – the card count is reset with a successful login.

Worried, I went to my Linux box and logged into webmail with my card, successfully.  Afterwards, ActiveClient on the other machine saw the card fine.

I had a chance yesterday to retest this behavior when another coworker was having similar issues with his card.  He had tried at two different machines to log in with his smartcard, and each time, it was unable to read his card (I did not see the exact error message, but it was not an incorrect PIN entry).  So I offered to let him try on my Linux box (I am the only one using Linux as a workstation), and he was quite surprised to be able to log into webmail from there.  Afterwards, his card worked fine on ActiveClient Windows machines, which was a relief to him, since he had assumed a trip to the ID card office (and a long wait) were in store for him.

I surmise that something on his card got a little scrambled and the Windows ActiveClient could not read what it needed.  The PCSC client, however, not only worked without flaw, it also seemed to clear whatever was bugging ActiveClient.

So, if this happens again, I hopefully will be able to spare someone else a trip to the ID card office.

Got a Netbook…

I am going to a conference soon, and my wife cannot part with her laptop now, so I bought a $300 Asus Eee-PC netbook (1005HAB), with a 9-cell battery that gives me close to 9 hrs of battery time.  I bought it online through Best Buy (I know, I know), and picked it up at the store a few days later.  It had Windows 7 Starter Edition on it.  I prepped a USB drive using the KDE Startup Disk Creator program and the Kubuntu 10.04 Netbook Edition ISO.  I had to find the BIOS first (F2), and tell the netbook to boot from USB, but after that, Kubuntu Netbook installed without a hitch.  I chose to wipe everything, since the netbook came with the OS media (if I ever want to install Windows, yuck – but hey, I paid for it).  I set it up with separate partitions (including /boot) and formatted everything with EXT4 (for later conversion to btrfs when the 2.6.36 kernel comes out).

Everything worked right out of the box.  Including wireless and suspend-resume.  Sweet.  It is a little slow, but who cares?  This thing is so neat.  I am a little addicted to being able to go anywhere around the house now and surf, blog, email, and administer the other machines from this thing.  When I am done, I can close the lid, and later open it back up, wait a bit, and then be prompted to unlock the screen and get back online, no sweat.

In addition to updating the kernel to 2.6.35-17 and updating KDE to version 4.4.5, I also installed the Medibuntu repositories, set up the USB smartcard with Acrobat Reader, Firefox, and Thunderbird, and got the camera working with the new Gmail video chat software.  One more thing – to get the function keys to work, I had to edit my /etc/default/grub file and change the line

GRUB_CMDLINE_LINUX_DEFAULT="quiet splash"

to

GRUB_CMDLINE_LINUX_DEFAULT="quiet splash acpi_osi=Linux"

I also installed “eee-control-tray” from the repositories for better control over the camera, touchpad, etc.  The only thing I do not like is the touchpad, in fact.  When scrolling on a web page, it likes to keep scrolling whenever I move it into the page to click on a link.  I use a USB wireless mouse now.  We are taking this thing everywhere we go now.

Now Using Kubuntu 10.04 Lucid Lynx…

Well, I finally upgraded my work machine from Jaunty to Lucid about a month ago, and really liked what I saw.  I was using 64-bit, and got sick and tired of all the little issues with Flash, Java, and Acrobat Reader, so I switched to 32-bit instead.  KDE4 seems much more stable and polished now, and I can sign PDFs with my smartcard now in Acrobat Reader.  Since it worked so well at work, I went ahead and upgraded at home after a couple weeks.  This involved swapping my media computer with my main computer (the old RAID SATA setup I have is getting a little squirrelly), and rebuilding both.  The RAID computer was built using the Alternate Install ISO, which worked well.  In both cases, I lost no data unless I chose to, so the 300 GB of movies I had copied from our DVDs was wiped from the old media server.  I figure I can always recopy them in a smaller format later.  Yesterday, I updated my wife’s laptop, completely rebuilding it (wiped everything after backing up the user data).  I restored her data later and nothing was lost.

Some common things I am doing to customize my Lucid installs of Kubuntu are:

  1. sudo wget --output-document=/etc/apt/sources.list.d/medibuntu.list http://www.medibuntu.org/sources.list.d/$(lsb_release -cs).list && sudo apt-get --quiet update && sudo apt-get --yes --quiet --allow-unauthenticated install medibuntu-keyring && sudo apt-get --quiet update (from https://help.ubuntu.com/community/Medibuntu)
  2. sudo apt-get --yes install app-install-data-medibuntu apport-hooks-medibuntu
  3. sudo apt-get install libdvdcss2 w32codecs
  4. Update to a later kernel (currently 2.6.35-17) – sudo add-apt-repository ppa:kernel-ppa/ppa && sudo apt-get update
  5. sudo apt-get install linux-headers-2.6.35-17 linux-headers-2.6.35-17-generic linux-image-2.6.35-17-generic linux-maverick-source-2.6.35
  6. Update to a later version of KDE4 (currently KDE 4.4.5) – sudo add-apt-repository ppa:kubuntu-ppa/ppa && sudo apt-get update && sudo apt-get dist-upgrade

So far, things work very well.  The computer with squid, squidGuard, and dansguardian is not going to be upgraded, however.  Another thing – no more XFS.  I now use EXT4 with everything, and have a separate /boot partition.  This is so I can more easily convert to btrfs when 2.6.36 comes out.  I read that btrfs suffered a large performance regression in the 2.6.35 kernel, so I will hold out for the 2.6.36 kernel instead.

Dual-boot Laptop – Vista and Kubuntu 9.04…

I started last night.  First, I decided to use the 32-bit LiveCD installer.  I booted off the CD after shutting down Microsoft Windows Vista Home Premium, and soon was at the GUI (I chose the first option; to test before installing).  Once there, I opened up a konsole session, ran “sudo -i” to get root, and installed gparted – “apt-get install gparted”.  After it installed (to RAM of course), I ran it to see what I could do.

NOTHING.

I could not resize the 140 GB partition Windows called a “C drive”, because I forgot to defragment it first.  Crap.  So I booted back into Windows, Safe Mode.  I found the defrag tool under the System Accessories, but it would not run.  I tried from the command prompt as well.  I rebooted, into Safe Mode With Console, and it still wouldn’t work.  I finally just rebooted into Vista normally – then it worked.  It gave no status other than a flickering hard drive light and a spinning cue that meant it was not finished.  Eventually, it did finish.  It claimed to have been doing it on a schedule, and the last defrag was back on the 5th of May, yet it took over two hours to complete.  Guess what?  It made all the difference in the world.  I suspect it wasn’t really defragmenting after all.

Once I rebooted into the Kubuntu Live CD and reran gparted, I was able to resize it.  The first attempt failed – I cut it too close to the bare minimum I could shrink the drive to.  I decided to split it 50-50, giving about 70 GB for each side, and then it worked.  This took another hour, but I had 70 GB of free space.  I went into cfdisk and manually made a 10 GB bootable partition for root, a 3 GB for /var, a 2 GB for /tmp, a 2 GB for swap, and the rest for /home.  I then rebooted into Windows.

Windows behaved as expected, like it had been punched in the mouth, but didn’t know by whom.  It rescanned itself, determined that everything was still OK, and rebooted again.  This reboot came up fine.  Satisfied I had not broken Vista, I rebooted a final time back into the Live CD.

I went ahead and formatted everything with XFS except the swap partition:

  • mkfs.xfs -f -d agcount=1 -i attr=2 -l lazy-count=1,size=128m,version=2 /dev/sda3
  • mkfs.xfs -f -d agcount=1 -i attr=2 -l lazy-count=1,size=128m,version=2 /dev/sda5
  • mkfs.xfs -f -d agcount=1 -i attr=2 -l lazy-count=1,size=128m,version=2 /dev/sda6
  • etc…

I then made the swap partition and then installed, choosing to manually select my partitions and not to format them.   I went to bed, and when I woke up and checked in the morning, it was done.  I had been unable to get wireless to work (no proprietary drivers needed, it just would not work) on the Live CD, so I had connected it up via network cable.  Once I booted into the new system, I saw that it had a GRUB entry for Windows (it works).  After logging into KDE, I was able to set up a working wireless connection with no real drama.  I also modified my /etc/fstab to mount the XFS partitions with the following options:

noatime,nodiratime,logbsize=256k,logbufs=8

I edited /etc/X11/xorg.conf and added in the section to reenable the CTRL-ALT-BACKSPACE zap for X:

Section "ServerFlags"
      Option          "DontZap"               "false"
EndSection

I installed the medibuntu repositories, the kubuntu-restricted package, the sun-java6 package, the non-free flash package, the libdvdcss and libdvdread packages, lots of TTF fonts, the MSTTF core fonts, skype2, firefox, thunderbird, and the packages needed for a DoD smartcard.

Links:

Medibuntu

DoD CAC

Thunderbird setup with AKO

Kubuntu-restricted and Sun-JRE6

Xorg no-zap

Results:  It boots and shuts down much faster than Vista.  It is a Compaq laptop, Pentium Core-Duo, 1 GB RAM, uses the ath5k driver for wireless, has an integrated Intel graphics adapter (maybe 800 fps max on glxgears), and a 160 GB SATA drive.  It has sound, a mic, speakers, a DVD writer, some USB ports, and a network jack.  Overall, not too bad for what I need it to do.  But it is a little shaky and unstable from time to time, so I have shut off the compositing effects and unloaded some troublesome widgets (the RSS news widget especially seemed flaky).  But the suspend and hibernate functions work great, and the webcam I bought (Logitech) worked right off the bat with Skype.  So did my smartcard reader.  I also installed the Acrobat Reader from the Adobe website – with it, I added the coolkey security device and am able to sign fillable PDF files with my card.  DVDs also play (region-free, of course).

So, these are my ramblings on the notebook.  I dual-booted because my wife insisted I keep Vista, just in case the Linux machine she is on dumps.  But she is getting more comfortable without Vista already – I can tell.

CAC and Microsoft RDP Client 6.0 Problem…

Well, there seems to be more than one, but this is only about the one that hurts me at work the most.  Regardless of the type of smartcard used to log in, the new RDP client refuses to present a PIN login, instead prompting for a username and password.  Now, if your accounts are set up to require smartcard login, then your password is randomized, so users cannot possibly know it.  So, no login over RDP, which really puts a damper on accessing Terminal Server apps.

The solution we used for now is to uninstall the update (KB 925876) – Control Panel, Add/Remove Programs (Show Updates checked).  No reboot needed.

The link I found this at has more info on issues others have had:

Terminal Services Team Blog : Remote Desktop Connection (Terminal Services Client 6.0 for Windows XP and Windows Server 2003…

Backing down to the previous version fixed the issue, and smartcard logins were cleanly passed through the RDP client again.  For now, we have blocked the update on our WSUS server.

Hope this helps!

CAC with Firefox Tip – Selecting Certificates

A quick tip if using a smartcard reader (for things like CAC) with Firefox – some web sites may not work right if you cannot select the proper certificate.  Some sites want the signature certificate and others want the email certificate.  Internet Explorer offers you a choice – Firefox may not, unless you do THIS:

  1. Open Preferences.
  2. Advanced menu, Certificates – “When a web site requires a certificate”, select the button “Ask me every time”.

This will then force all sites to present you with a choice of certs to use from the card.  A little clunky, but it works well.

SCM SCR-331 USB Smartcard Reader – Firmware Upgrade

Previously, I had trouble getting some of these readers to work under Linux – the ccid software would complain that the reader firmware was “bogus” and needed to be upgraded. To repeat a previous post, there is *NO* visible difference between the right and wrong versions of the readers – both say SCR331 on the dataplate on the bottom of the reader. However, I noticed that the part number of the good reader is 904622, while the PN of the unusable reader is 904054. Digging around got me to the SCM site, with different choices of driver and firmware ZIP files to download. After much trial-and-error, here is the process I found to work (you must do this on Windows – either a physical or virtual machine):

  1. UPDATED (their site has changed):  Download two files from http://www.scmmicro.com/support/pc-security-support/downloads.html (there appears to be a Linux utility now, but I have not tried it):
    • SCR331 SCR531 CCID (USB) row x Firmware column – v5.22, filename = SCRx31CCID_fw5.22.zip
    • SCR331 SCR531 CCID (USB) row x Windows PC/SC CT-API Installer column – v8.18, filename = SCR3xxx_installer_V8.18.zip
    • Try the 331/531 USB or serial files, as you need, and click on Utilities and Diagnostic Tools to get the FWupdate file.  There is also one for Linux, which sounds very interesting.
    • YMMV – I have not tried these, and I am very tired, so good luck.  If you get good results or even some pain and suffering and want to provide feedback that might help others, please do so.
    • Consider the rest of this post stale – I have no idea what else may have changed, so maybe it still works, maybe it doesn’t.  Sorry.  I’ll get to it later.
  2. Unzip each to the local machine, and turn off any software that uses the card reader (such as the Active Card Gold program that was running in the system tray of the computer I did this on). If you do not, when you run through this process, it will fail with an error message about the card reader being busy. Of course, make sure your reader is plugged into a USB port.
  3. Run the “Setup.exe” file from the SCR3xxx_installer_V8.18 folder, and accept the defaults. Reboot if you like, but I did not have to do so. On Windows XP and Windows 2000, Plug-and-Play recognized the card reader. If you do not do this step, you may get an error from the upgrader that no USB card could be found.
  4. Run the “FwUpdate.exe” file from the SCRx31CCID_fw5.22 folder, which also contains the 5.22 .bin firmware file. Click through the process until you get to a dialog with a black window/green text display of the current version (probably 4.13 or something else less than 5.22) and the upgrade version (5.22). Click the Continue button and let it run. It takes only a short time, but do not interrupt it, or you might wreck the reader.
  5. Test it – it should still work on Windows as before, but plugging it into a Linux PC with the CAC software loaded should show you happy things in /var/log/messages. As an aside, I use the Ryolog 1.3 SuperKaramba theme, which shows me my log in realtime (and color-coded), so I can easily watch events as they happen. Try logging into a CAC-restricted site with your card – it should work fine now.
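A quick way to tell from Linux, before going through the Windows upgrade, whether a reader is still on old firmware.  This is an added example and not part of the original post or SCM's tools; it assumes the SCR331 reports its firmware version in the USB bcdDevice field shown by lsusb -v, and the lsusb dump embedded below is constructed (vendor and product IDs included) rather than captured from a real reader.

```shell
#!/bin/sh
# Check an `lsusb -v` dump for an SCR331 reader and report whether its
# firmware (taken from bcdDevice, assumed to carry the firmware version)
# is below 5.22, the version the FwUpdate process above installs.

# Constructed sample dump: one SCR331 still on the old 4.13 firmware.
SAMPLE_LSUSB='Bus 001 Device 003: ID 04e6:e001 SCM Microsystems, Inc. SCR331 SmartCard Reader
Device Descriptor:
  bLength                18
  idVendor           0x04e6 SCM Microsystems, Inc.
  idProduct          0xe001 SCR331 SmartCard Reader
  bcdDevice            4.13
  iProduct                2 SCR331 SmartCard Reader
'

# Print the bcdDevice value of the first SCR331 found in the dump (arg 1).
# Each "Bus ..." header starts a new device, so other readers are skipped.
scr331_firmware() {
  printf '%s\n' "$1" | awk '
    /^Bus / { found = ($0 ~ /SCR ?331/) }
    found && /bcdDevice/ { print $2; exit }'
}

# Succeed (exit 0) when the reader needs the upgrade, fail (1) when it is
# already at 5.22 or newer, and return 2 when no SCR331 is in the dump.
needs_upgrade() {
  ver=$(scr331_firmware "$1")
  [ -n "$ver" ] || return 2
  major=${ver%%.*}
  minor=${ver#*.}
  [ "$major" -lt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -lt 22 ]; }
}

# Stand-alone run against the sample; for a real reader use:
#   needs_upgrade "$(lsusb -v 2>/dev/null)"
if needs_upgrade "$SAMPLE_LSUSB"; then
  echo "SCR331 firmware $(scr331_firmware "$SAMPLE_LSUSB") is below 5.22: run FwUpdate"
else
  echo "SCR331 firmware is current or no SCR331 reader found"
fi
```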

Troubleshooting:

  • On a VMware Windows Guest, you may not see the reader in Linux unless you uncheck the reader listed under the VM menu, Removable Devices, USB Devices. Ryolog will show the logged events, something along the lines of the reader being busy, unable to initialize the device.
  • In Windows, FwUpdate closes with an error that it found no SCM USB reader – try loading the v8.18 drivers first. Reboot if it still does not work.
  • FwUpdate gets to the black and green display dialog, but does not allow you to continue, stating that the USB reader is busy, and to try again later. Make sure all software that could possibly be using the reader is turned off, and try again.

Hope this helps!