top of page
Writer's pictureBarry Ling

Enable Device Redirection on Linux VDI

Updated: Aug 11, 2022


You may need to redirect different types of device to the Ubuntu VDI during daily use. This sharing will show you how to prepare the Ubuntu master image for device redirection.


Setup C compiler (Essential procedure)


C compiler is essential to setup device redirection. Many drivers require the compiler for setup. Please follow the steps below to install the GCC compiler on the Ubuntu.

  • Logon on to the Ubuntu.

  • Open the Terminal.

  • Run following commands to install C compiler package.

    • sudo apt update

    • sudo apt install make

    • sudo apt install gcc

    • sudo apt install cmake


  • Run command "gcc --version". Make sure GCC is installed on the Ubuntu.



1. USB Devices


To enable the USB redirection, the first thing required is installing the VHCI driver on Ubuntu.


The source code of the driver can be found on following link.


Logon to the Ubuntu Desktop. Download the latest driver web browser and place it to the Ubuntu Desktop Downloads folder. This sharing is using vchi-hcd 1.15 as example.


Before setting up the drivers, you have to identify the path of a patching file included in the Horizon Agent package. The patching file will be required during the setup.


If you were following my pervious post (https://www.tech-fellow.com/post/creating-full-clone-desktop-with-ubuntu#viewer-73imt) for setting up the Horizon Agent, the patch should be locating somewhere like ~/Downloads/VMware-horizonagent-linux-x86_64-2111.1-8.4.0-19066680/resources/vhci/patch/vhci.patch.


  • Logon to the Ubuntu.

  • Open the Terminal.

  • Run following set of commands to install the driver.

    • cd ~/Downloads

    • sudo tar -xzvf vhci-hcd-1.15.tar.gz

    • cd vhci-hcd-1.15

    • sudo patch -p1 < ~/Downloads/VMware-horizonagent-linux-x86_64-2111.1-8.4.0-19066680/resources/vhci/patch/vhci.patch

  • sudo make clean

  • sudo make

  • sudo make install


** Please be reminded that if your Linux kernel changes to a new version, you must recompile and reinstall the VHCI driver, but you do not need to reinstall Horizon for Linux. To avoid this, you can also add Dynamic Kernel Module Support (DKMS) to the VHCI drivers as following.

  • cd ~/Downloads

  • sudo apt install linux-headers-`uname -r`

  • sudo apt install dkms

  • sudo cp -r vhci-hcd-1.15 /usr/src/usb-vhci-hcd-1.15

  • sudo touch /usr/src/usb-vhci-hcd-1.15/dkms.conf

  • sudo nano /usr/src/usb-vhci-hcd-1.15/dkms.conf


Add the following contents to the dkms.conf file.

PACKAGE_NAME="usb-vhci-hcd"
PACKAGE_VERSION=1.15
MAKE_CMD_TMPL="make KVERSION=$kernelver"

CLEAN="$MAKE_CMD_TMPL clean"

BUILT_MODULE_NAME[0]="usb-vhci-iocifc"
DEST_MODULE_LOCATION[0]="/kernel/drivers/usb/host"
MAKE[0]="$MAKE_CMD_TMPL"

BUILT_MODULE_NAME[1]="usb-vhci-hcd"
DEST_MODULE_LOCATION[1]="/kernel/drivers/usb/host"
MAKE[1]="$MAKE_CMD_TMPL"

AUTOINSTALL="YES"

Add and build this VHCI driver in dkms by following commands.


  • sudo dkms add usb-vhci-hcd/1.15

  • sudo dkms build usb-vhci-hcd/1.15

  • sudo dkms install usb-vhci-hcd/1.15


The next step will be modifying the VMware config file with corresponding setting.

  • Edit the config file by command "sudo nano /etc/vmware/config".

  • Add one more line of "viewusb.IncludeFamily" to the config file.

  • Adding the device family you allowed for redirection. Following example is enabling all HID USB except keyboard and mouse for redirection.


*** You may enable other device types with same syntax. Following is a full list of devices family for reference.

​audio

Any audio-input or audio-output device.

audio-in

Audio-input devices such as microphones.

​audio-out

Audio-output devices such as loudspeakers and headphones.

bluetooth

Bluetooth-connected devices.

comm

Communications devices such as modems and wired networking adapters.

hid

​Human interface devices excluding keyboards and pointing devices.

hid-bootable

Human interface devices that are available at startup time, excluding keyboards and pointing devices.

imaging

​Imaging devices such as scanners.

keyboard

Keyboard device.

mouse

Pointing device such as a mouse.

other

Family not specified.

pda

​Personal digital assistants.

physical

Force feedback devices such as force feedback joysticks.

printer

Printing devices.

security

Security devices such as fingerprint readers.

smart-card

​Smart-card devices.

storage

​Mass storage devices such as flash drives and external hard disk drives.

unknown

​Family not known.

vendor

Devices with vendor-specific functions.

video

​Video-input devices.

wireless

​Wireless networking adapters.

wusb

​Wireless USB devices.




2. Smart card redirection


If you want to enable smart card redirection, you should follow the steps below to install the smart card reader software and corresponding configuration on the Ubuntu.


To set up smart card direction for desktops running Ubuntu, you should first integrate the Ubuntu virtual machine with an Active Directory domain.


Please follow the sharing below if you haven't joined the Ubuntu to AD yet.




2a. Obtain root CA certificate


Installing a root CA for smart card service is essential for redirection to work. We will need the root certificate of AD domain for the purpose. This root certificate can be obtained through a MS CA server integrated with the AD domain.


If you don't have a CA server on your domain, you may refer Microsoft document for setting up the CA server.


The first step will be exporting the root CA certificate from AD domain.

  • Logon to the Microsoft CA server.

  • Open Command Prompt.

  • Export the root cert by command "sudo certutil -ca.cert c:\Path_to_Store_File\ca_root.cer".

  • Upload the exported root cert to the Ubuntu.



2b. Install root CA certificate


Next will be go back to the Ubuntu master image for further configuration.

  • Logon to the Ubuntu.

  • Open the Terminal.

  • Change directory to the path storing the root cert.

  • Install required libraries by command:

    • sudo apt-get install -y pcscd pcsc-tools pkg-config libpam-pkcs11 opensc libengine-pkcs11-openssl libnss3-tools

  • Convert it to PEM format by command:

    • sudo openssl x509 -inform der -in ./ca_root.cer -out ./ca_root.pem

  • Initialize the certificate database by following commands.

    • sudo mkdir /etc/pki/nssdb

    • sudo certutil -A -d /etc/pki/nssdb -n "root CA cert" -t "CT,C,C" -i ./ca_root.pem

  • Copy the root CA cert to /etc/pam_pkcs11/cacerts directory by following commands.

    • sudo mkdir -p /etc/pam_pkcs11/cacerts

    • sudo cp ./ca_root.pem /etc/pam_pkcs11/cacerts

  • Create a pkcs11 hash file by following commands.

    • sudo chmod a+r ./ca_root.pem

    • sudo pkcs11_make_hash_link

  • Verify that the expected certificate is loaded successfully by command "sudo certutil -L -d /etc/pki/nssdb".

  • Similar result as follow will be shown.

  • Verify that the expected libraries are added successfully by command "sudo modutil -dbdir /etc/pki/nssdb -list".

  • Similar result as follow will be shown.

Listing of PKCS #11 Modules
–-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
         slots: 2 slots attached
        status: loaded

         slot: NSS Internal Cryptographic Services
        token: NSS Generic Crypto Services

         slot: NSS User Private Key and Certificate Services
        token: NSS Certificate DB
–-----------------------------------------------------------


2b. Install smart card PIV driver


To support the PIV feature of the smart card, it is required to add the PIV smart card driver as well. The following steps are using Yubikey PIV version 2.3.0 as example. You may reference your product documentation if you are using different product.

  • Download the PIV driver from Yubikey and place the file into Downloads folder.

  • Open the Terminal.

  • Run following commands to setup the PIV drivers

    • cd ~/Downloads/

    • sudo apt install cmake build-essential libssl-dev check gengetopt help2man libtool pkg-config libpcsclite-dev

    • sudo tar -zxvf yubico-piv-tool-2.3.0.tar.gz

    • cd yubico-piv-tool-2.3.0

    • sudo mkdir build

    • cd build

    • sudo cmake ..

    • sudo make

    • sudo make install



2c. Adding PIV drivers to nssdb


After making the CA cert ready, next will be installing the smart card PIV drivers on Ubuntu. This sharing I am using Yubikey as an example.


First you need to copy the PIV driver files to /usr/lib/ by following commands.

  • cd /usr/local/lib/

  • sudo cp libykcs11.a /usr/lib/

  • sudo cp libykcs11.so /usr/lib/

  • sudo cp libykcs11.so.2 /usr/lib/

  • sudo cp libykcs11.so.2.3.0 /usr/lib/

  • sudo cp libykpiv.a /usr/lib/

  • sudo cp libykpiv.so /usr/lib/

  • sudo cp libykpiv.so.2 /usr/lib/

Then you can add the drivers to the nssdb.

  • Change directory to the path storing the root cert. Run following commands.

    • sudo cp /usr/local/lib/libykpiv.so /usr/lib/

    • sudo certutil -N -d /etc/pki/nssdb

    • sudo certutil -A -n rootca -i ca_root.pem -t "CT,CT,CT" -d /etc/pki/nssdb

    • sudo modutil -dbdir /etc/pki/nssdb/ -add "piv card" -libfile /usr/lib/libykcs11.so

  • Verify that the expected libraries are added successfully by command "sudo modutil -dbdir /etc/pki/nssdb -list".

  • Similar result as follow will be shown.

Listing of PKCS #11 Modules
–-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
         slots: 2 slots attached
        status: loaded

         slot: NSS Internal Cryptographic Services
        token: NSS Generic Crypto Services

         slot: NSS User Private Key and Certificate Services
        token: NSS Certificate DB

  2. piv card 2.0
        library name: /usr/lib/libcmP11.so
         slots: There are no slots attached to this module
        status: loaded
–-----------------------------------------------------------


2d. Configure pam_pkcs11 library


After applied the PIV library, there also have corresponding configuration on pam_pkcs11 library.

  • Copy and create configuration file by command:

    • sudo mkdir /etc/pam_pkcs11

    • sudo cp /usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example /etc/pam_pkcs11/pam_pkcs11.conf

  • Edit the configuration file by command:

    • sudo nano /etc/pam_pkcs11/pam_pkcs11.conf

  • Edit the configuration file as shown in following:

use_pkcs11_module = mysc;                            
        
pkcs11_module mysc {                                 
              module = /usr/lib/libcmP11.so;         
              description = "LIBCMP11";               
              slot_num = 0;                           
              ca_dir = /etc/pki/cacerts;       
              nss_dir = /etc/pki/nssdb;        
              cert_policy = ca;                       
}                                                    
...
use_mappers = cn, null;                        
...
mapper cn {
      debug = false;
      module = internal;
      # module = /lib/pam_pkcs11/cn_mapper.so;
      ignorecase = true;
      mapfile = file:///etc/pam_pkcs11/cn_map;         
      # mapfile = "none";
}
  • Edit the configuration file by command:

    • sudo nano /etc/pam_pkcs11/cn_map

  • Edit the configuration file as shown in following:

Common name -> Login ID
  • Edit the configuration file by command:

    • sudo nano /etc/pam.d/gdm-password

  • Edit the configuration file as shown in following. Please place the pam_pkcs11.so authorization line before the common-auth line

#%PAM-1.0 
auth    requisite       pam_nologin.so 
auth    required        pam_succeed_if.so user != root quiet_success 
auth sufficient pam_pkcs11.so                           
@include common-auth 
auth    optional        pam_gnome_keyring.so 
@include common-account



2e. Download and compile PCSC


The next step will be installing the smart card reader. The package and version must be exactly pcsclite 1.8.8. Other versions are not compatible with Horizon Agent

  • Run following set of commands to instal the pcsc 1.8.8.

    • cd ~/Downloads

    • sudo apt-get install -y git autoconf automake libtool flex libudev-dev

    • sudo git clone https://salsa.debian.org/rousseau/PCSC.git

    • cd PCSC/

    • sudo git checkout -b pcsc-1.8.8 1.8.8

    • sudo ./bootstrap

    • sudo ./configure --prefix=/usr --sysconfdir=/etc --libdir=/lib/x86_64-linux-gnu/ CFLAGS="-g -O2 -fstack-protector-strong -Wformat -Werror=format-security" LIBS="-ldl" LDFLAGS="-Wl,-Bsymbolic-functions -Wl,-z,relro" CPPFLAGS="-Wdate-time -D_FORTIFY_SOURCE=2"

    • sudo make

    • sudo make install


  • Run command "sudo systemctl enable pcscd.service".

  • Test the installation by command "sudo pcsc_scan".

  • Similar result as follow will be shown.





3. Reinstall Horizon Agent with Device Redirection.


At last, you will have to reinstall the Horizon Agent with device redirection enabled.


"sudo ./install_viewagent.sh -m yes -U yes -A yes".


Following table is the most common parameters to enable different features on Horizon Linux VDI.


Full details of parameter can be found on following link.

-a yes|no

​Install or bypass audio input redirection support. Default is yes.

-f yes|no

Install or bypass support of the cryptographic modules designed for Federal Information Processing Standards (FIPS) 140-2. Default is no. For more information, see the FIPS 140-2 Mode description in Features of Horizon Linux Desktops.

-j

JMS SSL keystore password. By default, installer generates a random string.

​​​​-m yes|no

Install or bypass the smart card redirection support. Default is no.

​-r yes|no

Restart the system automatically after installation. Default is no.

-s

Self signed cert subject DN. By default, installer uses Blast.

-C yes|no

Install or bypass Clipboard Redirection support. Default is yes.

-F yes|no

​Install or bypass CDR support. Default is yes.

​-M yes|no

Upgrade the Linux Agent to managed or unmanaged agent. Default is yes.

-S yes|no

​Install or bypass Single Sign-on (SSO) support. Default is yes.

​-T yes|no

Install or bypass True Single Sign-on (True SSO) support. Default is no.

​-U yes|no

Install or bypass USB support. Default is no.



----- END -----



1,386 views0 comments

Recent Posts

See All

Comments


Post: Blog2_Post
bottom of page