Wednesday, October 7, 2015

CAC on Firefox using Ubuntu 15.04

After a couple years away from CAC on Linux, it's time to revisit how to install a DOD CAC reader for Firefox under Ubuntu 15.10.

Very good instructions are on the Ubuntu Help pages. This guide clarifies a few vague elements, and reorganizes the information to help you troubleshoot.

There are five simple steps:
  • Get an appropriate card reader
  • Install the card reader software (pcscd)
  • Test the card, reader, and software
  • Install cackey
  • Install the DOD certs and point Firefox to the card reader

The Firefox extension requires cackey, cackey requires pcscd, and pcscd requires hardware to detect. We will follow best practice for Debian/Ubuntu and install the dependencies first, in the right order.

Get A Card Reader

There's nothing to add here. The Ubuntu Help page says it all.

Install Card Reader Software

sudo apt-get install pcscd pcsc-tools

The key software you need is the pcsc daemon and its libpcsclite1 dependency. pcsc-tools is handy for testing the connection in the next step.

Test the card reader and software

Insert your CAC card and run:


As shown in the Ubuntu Help page, pcscd will clearly show you if your card reader and card are detected.

Install cackey

The cackey library provides access to the cryptographic and certificate functions of the CAC card.

1) You need to know if your Ubuntu system is a 32-bit or 64-bit install. Don't trust a sticker or what you remember - checking takes but a moment:

uname -i

If the result is 'i386' or similar, you are running a 32-bit system. Look for a download labeled 'i386'.
If the result is 'x86_64' or similar, you are running a 64-bit system. Look for a download labeled 'amd64'.

2) There are two places to download the latest cackey package from: (CAC required) (non-CAC)

3) Download the latest cackey .deb package. Be sure to choose between 32/64 bit properly - the wrong package will happily install...but won't work.

4) Bug workaround for 64-bit only: Cackey tries to install to the /usr/lib64 directory, which probably doesn't exist on your system. Simply create it. This bug does not affect 32-bit users, who can safely ignore this entire paragraph.

5) Finally, install the downloaded cackey deb using the 'dpkg --install' command.

1) I'm running a 64-bit system.
3) I downloaded cackey_0.7.5-1_amd64.deb to my Downloads directory.
Then I installed the deb using:

sudo mkdir /usr/lib64        ## Step 4 - 64-bit bug workaround
sudo dpkg --install ~/Downloads/cackey_0.7.5-1_amd64.deb    ## Step 5
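Steps 1 to 5 can be wrapped in a guard that refuses a mismatched package instead of letting it install silently. This is an added example, not part of the original post or the cackey project; the function names are hypothetical, and it reads the machine type with uname -m rather than uname -i.

```shell
#!/bin/sh
# Added example: check that a cackey .deb matches this machine before installing.

# Map a kernel machine string (as printed by uname) to the label used in .deb names.
deb_arch_for() {
    case "$1" in
        x86_64|amd64)        echo amd64 ;;
        i386|i486|i586|i686) echo i386 ;;
        *)                   echo unknown ;;
    esac
}

# Pull the architecture label out of a name like cackey_0.7.5-1_amd64.deb.
arch_from_deb_name() {
    base=${1##*/}        # strip any directory
    base=${base%.deb}    # strip the extension
    case "$base" in
        *_*_*) echo "${base##*_}" ;;   # name_version_arch
        *)     echo unknown ;;
    esac
}

# Return 0 only when the package label and the machine type agree.
deb_matches_machine() {   # usage: deb_matches_machine FILE MACHINE
    want=$(deb_arch_for "$2")
    have=$(arch_from_deb_name "$1")
    [ "$want" != unknown ] && [ "$want" = "$have" ]
}

# Install wrapper: refuses a mismatch, then applies the 64-bit workaround.
install_cackey() {   # usage: install_cackey FILE
    deb=$1
    arch=$(deb_arch_for "$(uname -m)")
    if ! deb_matches_machine "$deb" "$(uname -m)"; then
        echo "refusing: $deb is not an $arch package" >&2
        return 1
    fi
    # The control field inside the package cannot be changed by renaming the file.
    if command -v dpkg-deb >/dev/null 2>&1; then
        [ "$(dpkg-deb -f "$deb" Architecture)" = "$arch" ] || return 1
    fi
    if [ "$arch" = amd64 ]; then
        sudo mkdir -p /usr/lib64    # Step 4 - 64-bit bug workaround
    fi
    sudo dpkg --install "$deb"      # Step 5
}
```

Source the file and run install_cackey ~/Downloads/cackey_0.7.5-1_amd64.deb; nothing is installed when the check fails.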

Install DOD Certificates and Point Firefox to the Card Reader

Happily, has a Firefox add-on that does all this for you!

1) Simply download the latest 'dod_configuration-X.X.X.xpi' file from (non-CAC).

2) Quit Firefox

3) Double-click on the dod_configuration-X.X.X.xpi file you downloaded (it might be in your Downloads directory). Firefox will restart, and offer to install the add-on. Go ahead and install it.


Try your favorite CAC website (like AKO or OWA) and see if the site works, and if the site communicates properly with your card.

Thursday, September 3, 2015

The best DebConf 15 videos

I simply cannot take time off work to attend DebConf, so each year I watch the videos instead. It took almost a month, thanks to the back-to-school rush at work, but I finally got through the sessions I wanted to see.

Here are my highlights from DebConf 15:

Cool Stuff

Creating A More Inviting Environment For Newcomers New Experiences From MoM SoB Teammetrics - A detailed discussion of how a mature team with tapering contributions re-energized itself with new enthusiasts. How they were recruited, mentored, trained, and finally assigned key roles in the team. Lots of discussion of mentoring strategies and the costs of mentoring (less time for the work) from the developer/maintainer perspective. Lots of good ideas for any mature team, and thoroughly applicable to Ubuntu teams too.

Linux in the City of Munich AKA LiMux - There has been a lot of FUD written about one of the largest public conversions to an open-source platform, and it was great to see an actual insider talking about the project. Worth a watch.

Lightning Talks 2 - The first Lightning Talk was a proposal to add a new service to Debian. The service tests all uploaded packages for many known faults (using valgrind, infer, etc.), and automatically files bug reports on the faults. This should provide a large number of real bite-sized bugs for drive-by patches, and corresponding hefty improvement in code quality. Most cool.

Under the hood

Your Systemd Tool Box - Dissecting And Debugging Boot And Services - This is a great walk-through of the new (to me) tools. Had a terminal window open alongside to try each of the tools. Saved the video for a refresh, it's a lot to digest in one sitting.

Systemd How We Survived Jessie And How We Will Break Stretch - Fantastic discussion of coming systemd features: Persistent interface names, networkd, kdbus, and more. Also great discussion of how to get involved around the edges.

Dpkg The Interface - A presentation by the current maintainer, explaining how he keeps dpkg stable and the future roadmap. Since Snappy uses dpkg (but not apt), that roadmap is important! I have used dpkg for a decade, but never thought about all the bits of it I never see....

Keeping Free Software Free

Debians Central Role In The Future Of Software Freedom - A presentation by the President of the Software Freedom Conservancy (SFC), explaining the problems they see, their strategies to attack those problems, and how they try to effectively challenge GPL violations. A bit of Canonical-bashing in this one at a couple points (some deserved, some not).

At 23:30, it introduces the Debian Copyright Aggregation Project, where Debian contributors can opt to revocably assign their copyright to SFC, and can also permit the SFC to enforce those copyrights. This is one strategy SFC is pursuing to fight both CLAs and license violations.

Wednesday, September 2, 2015

You should be using Find-a-Task

Find-a-Task is the Ubuntu community's job board for volunteers.

Introduced in January 2015, Find-a-Task shows fellow volunteers the variety of tasks and roles available.

The goal of Find-a-Task is for a volunteer, after exploring the Ubuntu Project, to land on a team or project's wiki page. They are interested, ready to join, and ready to start learning the skills and tools. 

However, it only works if *you* use it, too.

Try it.

Take a quick look, and see the variety of volunteer roles available. We have listings for many different skills and interests, including many non-technical tasks.

Is your team listed?

Hey teams, are you using Find-a-Task to recruit volunteers?
  • Are your team roles listed?
  • Are they accurate?
  • Is your landing page welcoming and useful to a new volunteer?

When it's time to update your postings on the job board, simply jump into Freenode IRC: #ubuntu-community-team.

Gurus: Are you pointing Padawans toward it?

Find-a-Task is a great place to send new enthusiasts. No signup, no login, no questions. It's a great way to survey the roles available in the big, wide, Ubuntuverse, and get new enthusiasts involved in a team.

It's also handy for experienced enthusiasts looking for a new challenge, of course.
  • If you're active in the various forums, refer new enthusiasts to Find-a-Task.
  • Add it to your signature.
  • If you know a Find-a-Task success story, please share.

Improving Find-a-Task

Ideas to increase usage of Find-a-Task are welcome.
Ideas on how to improve the tool itself are also welcome.
Please share your suggestions to improve Find-a-Task on the ubuntu-community-team mailing list.

Thursday, January 22, 2015

Is your team using Find-a-Task?

Find-a-Task is the Ubuntu community's job board for volunteers.


Is your team listed?

It's the place for volunteers to find new, interesting, fulfilling ways to contribute to Ubuntu.
It's the place for them to discover your team or project.

Get listed today!

We have made it super easy to get your team onto Find-a-Task: No login, no editing. Just jump into #ubuntu-community-team with a volunteer role in mind:

  • Category: Programming
  • Role: QML De-frobber
  • Very short description: Get rid of QML Frob with the Ubuntu Frobbing Team
  • Landing page:

That's can list technical roles, too.

Nah, I don't want volunteers

If the old way is working for you, and your team has lots of spare capacity, then more power to you! Please share your secret sauce.

But if you could use a few more hands to grab a work item or two, a Find-a-Task listing is fast and simple.

You really should, you know.

Tuesday, January 13, 2015

Introducing Ubuntu Find-A-Task

The Ubuntu Community website has an awesome new service: Find-A-Task

It's a referral service - it helps volunteers discover teams and tasks that match their interests.

  • Link to it!
  • Refer new enthusiasts toward it!
  • Advertise your teams and projects on it!

Give it a try and see how it can work for your team or project.

How do I get my team listed?

So easy and so fast.
  1. What volunteer role do you want to advertise?
  2. What's a very short, exciting description of the role?
  3. Which Find-A-Task paths do you think this role is appropriate for? 
  4. Create a great landing page on the wiki. (example)
    • Drop by #ubuntu-community-team and let us know.
      • Role: Frobishers, 
      • Description: "Help Frobnicators add fabulous Frob!"
      • Path: One, in the Coding and Development submenu
      • Landing URL

    Your landing page:

    This is a volunteer's first impression of your team. Make it shine.

    When volunteers show up at your wiki page, they are already interested. They want to know how to set up, who to contact, and how to get started on their first easy work item. They want instructions and details.

    If you don't provide what they want, they may move on to their next choice. Find-A-Task makes it easy for them to move on.


    Tremendous thanks to:

    Friday, December 19, 2014

    Wordpress and LAMP in an LXC Container


    I need to test some html running in Wordpress.
    But I don't use Wordpress...obviously.

    In Linux, that's easy to fix. Just install Wordpress.
    Oops, not so easy: Wordpress pulls in an entire LAMP stack with it.
    That's a lot to pollute my laptop with just to do some testing.

    Containers to the rescue!
    Let's spin up a container, install LAMP and Wordpress inside it, run the tests, then destroy the container.


    The Router

    I'm going to open a whole new port on my router's firewall for this, so others can help me test.

    On the router, I want to forward port 112233 to the similar port on the server.

    On the server, I want to forward port 112233 to the container's port 80. (That part is later)

    Creating the container

    Thanks to the amazing Stephane Graber for his detailed instructional series on how to create and use a container. This is a slightly different setup than he did. Instead of installing directly on, say, a laptop, I'm installing the container onto a server that I access via ssh.

    Three moving pieces: Laptop (me), Server (headless), Container (added to server)

    So, from Laptop, I ssh into Server normally.

    On SERVER:
    sudo apt-get install lxc               # Install the container system
    sudo lxc-create -t ubuntu-cloud -n wp1 # Download and install a 195MB cloud image of Ubuntu 14.10
    sudo lxc-start -n wp1 -d               # Boot the image in the background (name is 'wp1')
    sudo lxc-info -n wp1                   # Discover the IP of the image
        Name:           wp1
        State:          RUNNING
        IP:            # <-- Ooh, there is the IP
    ping                        # Check network connectivity on the container
        PING ( 56(84) bytes of data.
        64 bytes from icmp_seq=1 ttl=64 time=0.081 ms
        64 bytes from icmp_seq=2 ttl=64 time=0.085 ms
    # Forward port 112233 to the container
    sudo iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 112233 -j DNAT --to-destination
    sudo iptables -A FORWARD -p tcp -d --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

    Set up LAMP and Wordpress within the container

    The container is installed, started, and responds to ping.

    On SERVER:
    sudo lxc-console -n wp1    # Login to the console of wp1 (username: ubuntu, password: ubuntu)

    A couple words about the container.
    I'm going to skip the part where you would delete the 'ubuntu' user and add your own admin user and password. But you should do it.
    Also, two pieces of information you should have handy before going farther.
    1. Server's IP address on the LAN (mine is
    2. The real, fully qualified domain name ( that readers on the internet will use
    The FQDN will be used to generate the MySQL account for the blog, and to create the wordpress config file. The LAN address will be used to link to the same accounts.

    Special thanks to the Ubuntu community for putting together this fantastic tutorial about how to install wordpress in Ubuntu.

    sudo apt-get install mysql-server wordpress   # 49 packages, 28MB download

    Let's jump over to Laptop for a moment and check that Server's port forwarding and Container's apache service are working: Open a browser window, and look for You should get the apache default page. Success! Okay, now back to Container:

    sudo ln -s /usr/share/wordpress /var/www/html/wordpress   # Make Wordpress accessible from apache
    # Create mysql account, and link it to Wordpress
    sudo gzip -d /usr/share/doc/wordpress/examples/setup-mysql.gz
    sudo bash /usr/share/doc/wordpress/examples/setup-mysql -n freds_blog_fred_com  
    # Prevent a Wordpress error (can't locate config file) from within the LAN
    # by linking the LAN addr to existing FQDN config file
    sudo ln /etc/wordpress/ /etc/wordpress/config-
    <ctrl+a, q> to exit the console

    Use Wordpress

    The setup is complete. Since I'm on my LAN, I point my Laptop browser to and I get the Wordpress setup screen.

    Outside, on the big wide internet, I would point it to (er, that's an example - you already know that's not my real blog).

    Wordpress is ready for my data.

              Bye, Container!

    Destroying the container

    This is one of the true joys of LXC

    # On SERVER
    sudo lxc-stop -n wp1
    sudo lxc-destroy -n wp1

    And all the work is wiped out forever....

    Remember to clean up:
    • Uninstall lxc from the server
    • Delete the iptables rules on the server
    • Close the port on the router firewall
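The forwarding rules are the piece of cleanup most easily forgotten, so it helps to generate the add and delete forms from one definition. This is an added example, not the author's script; the function names are hypothetical, the port and container address passed to them are yours to supply, and sending traffic to port 80 of the container follows the description above.

```shell
#!/bin/sh
# Added example: emit matching add/delete iptables rules for the container forward.

# TCP ports are 16-bit, so only 1-65535 is accepted.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;    # empty or not all digits
    esac
    [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print the two rules from the post with the given action:
# -A appends them at setup, -D deletes the identical rules at teardown.
forward_rules() {   # usage: forward_rules ACTION EXT_PORT CONTAINER_IP
    valid_port "$2" || { echo "invalid TCP port: $2" >&2; return 1; }
    echo "iptables -t nat $1 PREROUTING -p tcp -i eth0 --dport $2 -j DNAT --to-destination $3:80"
    echo "iptables $1 FORWARD -p tcp -d $3 --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT"
}

# Run the generated rules as root; stops at the first failure.
apply_rules() {     # usage: apply_rules ACTION EXT_PORT CONTAINER_IP
    rules=$(forward_rules "$@") || return 1
    echo "$rules" | while read -r cmd; do
        sudo $cmd || exit 1         # word splitting of $cmd is intentional
    done
}
```

Call apply_rules -A with your port and container address when the test starts and apply_rules -D with the same arguments before lxc-destroy; sudo iptables -t nat -S PREROUTING should then no longer list the DNAT rule.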

    Saturday, December 13, 2014

    Say, what are you doing this afternoon?

    Bus Stop - Under The Rain by Leonid Afremov
    Here's a happy little afternoon project for new users trying to play with a new
    language or script, and getting their feet in the open-source ecosystem.

    Your phone's handy weather app depends upon the goodwill of a for-profit data provider, and their often-opaque API (14 degrees? Where was it observed? When?) That's a shame because most data collection is paid for by you, the taxpayer.

    Let's take the profit-from-data out of that system. Several projects have tried to do this before (including libgweather), but each tried to do too much and replicate the one-data-provider-to-rule-them-all model. And most ran aground on that complexity.

    Here's where you come in

    One afternoon, look up your weather service's online data sources. And knock together a script to publish them in a uniform format.

    Here's the one I did for the United States:
    Worldwide METAR observation sites
    US DOD and NOAA weather radars
    US Forecast/Alert zones

    • Looking for data on non-METAR (non-airport) observation stations, weather radar sites, and whatever forecast and alert areas your country uses.

    • Use the same format I did: Lat (deg.decimal), Lon (deg.decimal), Location Code, Long Name. Use the original source's data, even if it's wrong. Area and zones should use the lat/lon of the centroid.

    • The format is simple CSV, easy to parse and publish.

    • Publish on GitHub, for easy version control, permalinking, free storage, and uptime.

    • Here's the key: Your data must be automatically-updated. Regularly, your program must check the original source and update your published version. How I did it with a cron job. Publish both the data and your method on GitHub. 

    • When you have published, drop me an e-mail so I can link to your data and source.

    If you do it right, it takes one afternoon to set up your country's self-updating database. Not a bad little project: you learn a little, and you help make the world a better place.
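An automatically updated feed should never overwrite good published data with a broken download, so the cron job can validate the four-column format first. This is an added example, not the author's published script; the function names are hypothetical, and it assumes no header row and no quoted fields (a long name containing a comma is rejected).

```shell
#!/bin/sh
# Added example: validate "Lat, Lon, Location Code, Long Name" rows before publishing.

# Print one "line N: reason" per bad row; return 1 if any row is bad or none exist.
validate_stations() {   # usage: validate_stations FILE
    awk -F',' '
        function bad(msg) { printf "line %d: %s\n", NR, msg; errors++ }
        function is_decimal(s) { return s ~ /^-?[0-9]+(\.[0-9]+)?$/ }
        /^[ \t\r]*$/ { next }                        # skip blank lines
        NF != 4 { bad("expected 4 fields, got " NF); next }
        !is_decimal($1) || $1 < -90  || $1 > 90  { bad("bad latitude: " $1) }
        !is_decimal($2) || $2 < -180 || $2 > 180 { bad("bad longitude: " $2) }
        $3 == "" { bad("empty location code") }
        $4 == "" { bad("empty long name") }
        { rows++ }
        END {
            if (rows == 0) { print "no data rows"; errors++ }
            exit (errors > 0)
        }
    ' "$1"
}

# Replace the published file only when the fresh download validates.
publish_if_valid() {    # usage: publish_if_valid NEW_FILE PUBLISHED_FILE
    validate_stations "$1" >&2 || return 1
    cp "$1" "$2.tmp" && mv "$2.tmp" "$2"    # rename so readers never see a partial file
}
```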

    My country doesn't have online weather data

    Sorry to hear that. You're missing some great stuff.

    If you live in a country with a reasonably free press and reasonably fair elections, make a stink about it. You are probably already paying for it through taxes, why can't you have it?

    If you live somewhere else, then next time you have a revolution or coup, add 'open data' to the long list of needed reforms.

    What will this accomplish?

    This will create a free, sustainably updated, uniform, crowdsourced set of accurate worldwide data that will be easy to compile into a single global database. If you drop out, your online code will ensure another volunteer can step in.

    This is one fundamental tool that other free-weather projects have lacked. And any weather project can use this.

    The global database of locations is really small by most database standards. Small enough to easily fit on a phone. Small enough to be bundled with apps that can request data directly from original sources...once they can look up the correct source to use.

    How will this change the world?

    It's about simple tools that make it easy to create free, cool software.
    And it's about ensuring free access to data you already paid for.

    Not bad for one afternoon's contribution.