17 March 2018

Unifi Controller

I have a small home/ranch network that is built on Ubiquiti hardware. An Edgerouter Lite as the entry point with Unifi switches and access points in the house and barn and shop. The barn and shop access points are linked in with a couple of Nanobeams. I use the Ubiquiti Unifi Controller to manage the Unifi components.

The Controller runs on Docker on my home workstation, a Fedora 27 based system. I do not run the Controller 24x7, only starting it periodically to check system status and do any needed updates.

The Controller runs under my user ID on the system. I use Jacob Alberty's unifi-docker image for the controller (https://hub.docker.com/r/jacobalberty/unifi/).

The shell script used to start the Controller is:

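#!/bin/bash
# run unifi controller
#
# version 3
#
# Run the controller process as the invoking user instead of root.
uUID=$(id -u)
uGID=$(id -g)
# TZ must be a tz database name; America/Los_Angeles is US Pacific time.
# --rm discards the container on exit; state lives in the two bind mounts.
docker run --rm --init -p 8080:8080 -p 8443:8443 -p 3478:3478/udp \
   -p 10001:10001/udp -e TZ=America/Los_Angeles \
   -e RUNAS_UID0=false -e UNIFI_UID="$uUID" -e UNIFI_GID="$uGID" \
   -v "$PWD/unifi-vol:/unifi:Z" -v "$PWD/run:/var/run/unifi:Z" \
   --name unifi jacobalberty/unifi:latest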

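The :Z suffix on the volume settings is needed for correct SELinux behaviour: it tells Docker to relabel the host directory with a private container label so that the confined container process can read and write it. uUID and uGID pick up the user and group ID of my account at run time.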

Hope this helps someone.

Brad

16 March 2018

Linux, UEFI, and Samsung 960 evo firmware update

I have a fairly new Fedora workstation build - ASUS x370 Pro motherboard, a few SSDs, and a Samsung 960 EVO NVMe as the primary drive.

I decided to configure the system to use UEFI rather than the legacy boot process so the drives are set up with gpt partitions, etc. This all works fairly nicely.

I noticed that Samsung released new firmware for the 960 and started to search for a suitable non-Windows process to apply the firmware on a Linux system. Search results seemed to indicate that Samsung used to provide a Linux version of the Magician firmware update software but that it was no longer available.

I finally noticed on Samsung's firmware update site (http://www.samsung.com/semiconductor/minisite/ssd/download/tools/) that there is a section called Samsung Firmware Updates for Windows Users. In that section is an NVMe SSD Firmware Update Guide which has you use UNetbootin to create a bootable USB and install the firmware utility, which is packaged as an ISO.

I followed the directions but this UEFI motherboard would not boot from the USB.

Instead, I used tips from https://www.codefull.org/2016/03/create-bootable-usb-flash-drive-from-iso-image-with-uefi-support/ and did the following:

1. Plug the USB in;
2. Using gparted:
   2a. Remove all partitions;
   2b. Create a new partition table with gpt;
   2c. Create a new partition to fill the whole device using FAT32;
   2d. Add a boot flag to the partition;
3. Use dd to copy the Samsung firmware ISO to the USB:
   3a. sudo dd if=Samsung_SSD_960_EVO_3B7QCXE7.iso of=/dev/sde bs=4M
4. Boot from the USB to update the firmware.
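A check worth running between steps 3 and 4, shown here as an added example that is not part of the original post: read back the first bytes of the stick and confirm they hash to the same value as the firmware ISO before booting it. The function name verify_written is hypothetical; the ISO name and /dev/sde are the ones used in step 3a.

```shell
#!/bin/sh
# Added example (not from the original post): confirm that the dd in step 3a
# left an exact copy of the firmware ISO at the start of the USB device.
#
# usage: sudo sh verify_written.sh Samsung_SSD_960_EVO_3B7QCXE7.iso /dev/sde

# verify_written ISO TARGET
#   returns 0 when the first size(ISO) bytes of TARGET equal the ISO,
#   1 on a mismatch (including a short write), 2 when a file is unreadable.
verify_written() {
    iso=$1
    target=$2
    if [ ! -r "$iso" ] || [ ! -r "$target" ]; then
        echo "cannot read '$iso' or '$target' (block devices usually need sudo)" >&2
        return 2
    fi
    # The stick is larger than the image, so only hash the image-sized prefix.
    size=$(wc -c < "$iso" | tr -d ' ')
    iso_sum=$(sha256sum < "$iso" | cut -d' ' -f1)
    dev_sum=$(head -c "$size" "$target" | sha256sum | cut -d' ' -f1)
    echo "image : $iso_sum ($size bytes)"
    echo "device: $dev_sum"
    if [ "$iso_sum" = "$dev_sum" ]; then
        echo "OK: $target starts with an exact copy of $iso"
        return 0
    fi
    echo "MISMATCH: rewrite the stick before booting it" >&2
    return 1
}

# Run the check only when called with an image and a target.
if [ "$#" -eq 2 ]; then
    verify_written "$1" "$2"
fi
```

Run sync and re-insert the stick before checking, so the read comes from the flash rather than from the kernel's page cache.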

Hope this helps someone


28 November 2017

Fedora 27 PIV Update

The original post is essentially still correct. I did a dnf-based system update to Fedora 26, converting the system to Fedora 27. After the update completed, I started Firefox, opened the security device settings dialog and recreated the device that links in the pkcs11.so library.


28 June 2017

Fedora 26 PIV Update

The original instructions describing how to enable PIV support in Firefox on Fedora still work for Fedora 26. See also a recent article in Fedora Magazine that describes the US Department of Defence smartcards, which are abbreviated as CAC instead of PIV.

23 October 2015

Fedora 22 PIV Updates

Just an update to my earlier post on using federal PIV cards with Fedora. I have Fedora 22 installed. I tried the coolkey library again but it did not work. The instructions in the prior post are still reasonably valid (fc22 versions of the RPMs are needed).

Brad

08 August 2014

Using a PIV card on Fedora and Firefox

Personal Identity Verification (PIV) cards are used where I work as part of a standard 2-factor authentication system that is used to log into your PC and all agency web applications. These are effectively the same as the Common Access Cards (CAC) used by the Department of Defence.

I wanted to be able to use this card from my home workstation running Fedora to access work web sites without having to cart home my work laptop. I could not find any single set of explicit instructions on the web to do this so I thought I would document the steps I followed. These steps were greatly informed by this post: https://help.ubuntu.com/community/CommonAccessCard.

At a high level the process requires you to (a) identify the certificate used on your PIV card for web site authentication, (b) export all intermediate and root certificates for that authentication certificate and add them to Firefox so that it can validate the authentication certificate, and (c) configure your Fedora system and Firefox to recognize the card reader and process the PIV card.

The basic steps I followed are:

  1. Install necessary RPMs (as of this date):  opensc-0.13.0-5.fc20.x86_64, pcsc-tools-1.4.17-8.fc20.x86_64. There may be others but these are key.
  2. Get a supported card reader. Some time ago I bought an OmniKey 3121, which works. A more current list of supported readers can be found at http://pcsclite.alioth.debian.org/ccid/section.html
  3. I used Internet Explorer on my work computer to export the root authority and intermediate certificates for the authentication certificate on my PIV. See http://forge.mil/downloads/How_to_add_CAC_reader_to_Firefox.pdf (PDF) for good instructions. The root certificate will not necessarily be the same as the links above display, but the procedure for finding these certificates is simple. In IE 11, select Internet Options | Content | Certificates | Personal. Then use the Intended Purpose drop-down just above the tabs to select Authentication. This will reduce the list to one or two certs. The instructions in the PDF can be followed to extract and export the necessary root and intermediate certificates.
  4. Transfer the exported certificates to your Fedora computer. Start Firefox and follow the instructions in http://forge.mil/downloads/How_to_add_CAC_reader_to_Firefox.pdf to import them into Firefox.
  5. Configure Firefox to recognize the card reader. Go to Firefox Preferences | Advanced | Certificates | Security Devices. Click on Load to open a dialog box with a title of "Load PKCS#11 Module". Enter any name in the Module Name field (e.g. Lincpass). In the Module filename field browse to and select /usr/lib64/pkcs11/opensc-pkcs11.so. Save and close out of Preferences. Prior to selecting opensc-pkcs11.so I tried to use the corresponding coolkey library but, while it recognized the card reader, it would not read the card.
  6. Close Firefox completely.
  7. Insert card in reader and validate that the card can be recognized by using pcsc_scan.
  8. Open Firefox and open a PIV card protected web site. Click the link for authenticating with the PIV card. Firefox will prompt for the card pin if everything is working and you should have access to the site.

References
https://help.ubuntu.com/community/CommonAccessCard