You may need to redirect different types of devices to the Ubuntu VDI desktop during daily use. This post shows how to prepare the Ubuntu master image for device redirection.
Set up the C compiler (essential procedure)
A C compiler is essential for setting up device redirection, because many drivers need it to build. Follow the steps below to install the GCC compiler on Ubuntu.
Log on to Ubuntu.
Open the Terminal.
Run the following commands to install the C compiler packages.
sudo apt update
sudo apt install make
sudo apt install gcc
sudo apt install cmake
Run the command "gcc --version" to make sure GCC is installed on Ubuntu.
1. USB Devices
To enable USB redirection, first install the VHCI driver on Ubuntu.
The source code of the driver can be found at the following link.
Log on to the Ubuntu desktop. Download the latest driver with a web browser and place it in the Downloads folder. This post uses vhci-hcd 1.15 as an example.
Before setting up the driver, identify the path of the patch file included in the Horizon Agent package. The patch file is required during setup.
If you followed my previous post (https://www.tech-fellow.com/post/creating-full-clone-desktop-with-ubuntu#viewer-73imt) to set up the Horizon Agent, the patch should be located somewhere like ~/Downloads/VMware-horizonagent-linux-x86_64-2111.1-8.4.0-19066680/resources/vhci/patch/vhci.patch.
Log on to Ubuntu.
Open the Terminal.
Run the following commands to install the driver.
cd ~/Downloads
sudo tar -xzvf vhci-hcd-1.15.tar.gz
cd vhci-hcd-1.15
sudo patch -p1 < ~/Downloads/VMware-horizonagent-linux-x86_64-2111.1-8.4.0-19066680/resources/vhci/patch/vhci.patch
sudo make clean
sudo make
sudo make install
** Note that if your Linux kernel changes to a new version, you must recompile and reinstall the VHCI driver, but you do not need to reinstall Horizon for Linux. To avoid this, you can add Dynamic Kernel Module Support (DKMS) to the VHCI driver as follows.
cd ~/Downloads
sudo apt install linux-headers-`uname -r`
sudo apt install dkms
sudo cp -r vhci-hcd-1.15 /usr/src/usb-vhci-hcd-1.15
sudo touch /usr/src/usb-vhci-hcd-1.15/dkms.conf
sudo nano /usr/src/usb-vhci-hcd-1.15/dkms.conf
Add the following contents to the dkms.conf file.
PACKAGE_NAME="usb-vhci-hcd"
PACKAGE_VERSION=1.15
MAKE_CMD_TMPL="make KVERSION=$kernelver"
CLEAN="$MAKE_CMD_TMPL clean"
BUILT_MODULE_NAME[0]="usb-vhci-iocifc"
DEST_MODULE_LOCATION[0]="/kernel/drivers/usb/host"
MAKE[0]="$MAKE_CMD_TMPL"
BUILT_MODULE_NAME[1]="usb-vhci-hcd"
DEST_MODULE_LOCATION[1]="/kernel/drivers/usb/host"
MAKE[1]="$MAKE_CMD_TMPL"
AUTOINSTALL="YES"
Add, build and install the VHCI driver in DKMS with the following commands.
sudo dkms add usb-vhci-hcd/1.15
sudo dkms build usb-vhci-hcd/1.15
sudo dkms install usb-vhci-hcd/1.15
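A check that the DKMS registration above really covers a given kernel, as an added example (not part of the original post). The `dkms status` lines embedded below are constructed samples, the function names are hypothetical, and the two line layouts handled are an assumption about the DKMS versions in use.

```shell
#!/bin/bash
# Report the DKMS state of the VHCI driver for a given kernel release.
# Reads `dkms status` output on stdin, so it can be exercised without DKMS.
PKG="usb-vhci-hcd"   # PACKAGE_NAME from the dkms.conf above
VER="1.15"           # PACKAGE_VERSION from the dkms.conf above

vhci_state_for_kernel() {   # $1 = kernel release, e.g. "$(uname -r)"
    # Older DKMS prints "pkg, ver, kernel, arch: state"; newer prints
    # "pkg/ver, kernel, arch: state". Normalise the second form to the first.
    sed 's#^\([^,/]*\)/#\1, #' |
    awk -F'[,:] *' -v p="$PKG" -v v="$VER" -v k="$1" '
        $1 == p && $2 == v && $3 == k { split($5, s, " "); state = s[1] }
        END { print (state == "" ? "missing" : state) }'
}

# Succeed only when the driver is installed for the kernel named in $1.
vhci_ready() {   # dkms status text on stdin
    [ "$(vhci_state_for_kernel "$1")" = "installed" ]
}

# Constructed sample: installed for the old kernel, only built for the next one.
SAMPLE_STATUS='usb-vhci-hcd, 1.15, 5.4.0-90-generic, x86_64: installed
usb-vhci-hcd, 1.15, 5.4.0-91-generic, x86_64: built'

for kernel in 5.4.0-90-generic 5.4.0-91-generic 5.4.0-92-generic; do
    echo "$kernel: $(printf '%s\n' "$SAMPLE_STATUS" | vhci_state_for_kernel "$kernel")"
done
# On a real desktop: dkms status | vhci_ready "$(uname -r)" || echo "rebuild needed"
```

Running the check after each kernel update on the master image shows whether USB redirection will still have its driver after the next reboot.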
The next step is to modify the VMware config file with the corresponding setting.
Edit the config file with the command "sudo nano /etc/vmware/config".
Add a "viewusb.IncludeFamily" line to the config file.
List the device families you allow for redirection. The following example enables all HID USB devices except keyboard and mouse for redirection.
Reinstall the Horizon Agent using the procedure in the last section, "Reinstall Horizon Agent with Device Redirection".
*** You may enable other device types with the same syntax. The following is the full list of device families for reference.
audio | Any audio-input or audio-output device. |
audio-in | Audio-input devices such as microphones. |
audio-out | Audio-output devices such as loudspeakers and headphones. |
bluetooth | Bluetooth-connected devices. |
comm | Communications devices such as modems and wired networking adapters. |
hid | Human interface devices excluding keyboards and pointing devices. |
hid-bootable | Human interface devices that are available at startup time, excluding keyboards and pointing devices. |
imaging | Imaging devices such as scanners. |
keyboard | Keyboard device. |
mouse | Pointing device such as a mouse. |
other | Family not specified. |
pda | Personal digital assistants. |
physical | Force feedback devices such as force feedback joysticks. |
printer | Printing devices. |
security | Security devices such as fingerprint readers. |
smart-card | Smart-card devices. |
storage | Mass storage devices such as flash drives and external hard disk drives. |
unknown | Family not known. |
vendor | Devices with vendor-specific functions. |
video | Video-input devices. |
wireless | Wireless networking adapters. |
wusb | Wireless USB devices. |
2. Smart card redirection
To enable smart card redirection, follow the steps below to install the smart card reader software and the corresponding configuration on Ubuntu.
To set up smart card redirection for desktops running Ubuntu, first integrate the Ubuntu virtual machine with an Active Directory domain.
Please follow the post below if you haven't joined Ubuntu to AD yet.
2a. Obtain root CA certificate
Installing a root CA certificate for the smart card service is essential for redirection to work. We need the root certificate of the AD domain for this purpose. It can be obtained from a Microsoft CA server integrated with the AD domain.
If you don't have a CA server in your domain, refer to the Microsoft documentation for setting up a CA server.
The first step is to export the root CA certificate from the AD domain.
Log on to the Microsoft CA server.
Open Command Prompt.
Export the root cert with the command "certutil -ca.cert c:\Path_to_Store_File\ca_root.cer".
Upload the exported root cert to Ubuntu.
2b. Install root CA certificate
Next, go back to the Ubuntu master image for further configuration.
Log on to Ubuntu.
Open the Terminal.
Change directory to the path where the root cert is stored.
Install the required libraries with the command:
sudo apt-get install -y pcscd pcsc-tools pkg-config libpam-pkcs11 opensc libengine-pkcs11-openssl libnss3-tools
Convert the certificate to PEM format with the command:
sudo openssl x509 -inform der -in ./ca_root.cer -out ./ca_root.pem
Initialize the certificate database with the following commands.
sudo mkdir -p /etc/pki/nssdb
sudo certutil -A -d /etc/pki/nssdb -n "root CA cert" -t "CT,C,C" -i ./ca_root.pem
Copy the root CA cert to the /etc/pam_pkcs11/cacerts directory with the following commands.
sudo mkdir -p /etc/pam_pkcs11/cacerts
sudo cp ./ca_root.pem /etc/pam_pkcs11/cacerts
Create a pkcs11 hash link for the copied certificate with the following commands. Run them from the cacerts directory so the link is created next to the certificate.
sudo chmod a+r /etc/pam_pkcs11/cacerts/ca_root.pem
cd /etc/pam_pkcs11/cacerts
sudo pkcs11_make_hash_link
Verify that the expected certificate is loaded successfully with the command "sudo certutil -L -d /etc/pki/nssdb".
A result similar to the following is shown.
Verify that the expected libraries are added successfully with the command "sudo modutil -dbdir /etc/pki/nssdb -list".
A result similar to the following is shown.
Listing of PKCS #11 Modules
–-----------------------------------------------------------
1. NSS Internal PKCS #11 Module
slots: 2 slots attached
status: loaded
slot: NSS Internal Cryptographic Services
token: NSS Generic Crypto Services
slot: NSS User Private Key and Certificate Services
token: NSS Certificate DB
–-----------------------------------------------------------
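Before the "certutil -A" step above marks ca_root.pem as trusted, it is worth confirming that the converted file is the same certificate that was exported and that it really is a root (self-issued) certificate. The script below is an added example, not part of the original post; the function names are hypothetical and the optional expected fingerprint is assumed to come from your CA administrator over a separate channel.

```shell
#!/bin/bash
# Checks to run on ca_root.cer / ca_root.pem before the certificate is trusted.

# SHA-256 fingerprint of certificate $1 in encoding $2 (der or pem).
cert_fp() {
    openssl x509 -inform "$2" -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Print the subject or issuer ($3) of certificate $1 (encoding $2) in RFC 2253 form.
cert_name() {
    openssl x509 -inform "$2" -in "$1" -noout "-$3" -nameopt RFC2253 | sed "s/^$3= *//"
}

# Succeed if the DER export and the converted PEM are the same self-issued
# certificate and, when $3 is given, match the expected SHA-256 fingerprint.
check_root_ca() {   # $1 = ca_root.cer (DER), $2 = ca_root.pem, $3 = expected fingerprint (optional)
    der_fp=$(cert_fp "$1" der)
    pem_fp=$(cert_fp "$2" pem)
    [ -n "$der_fp" ] && [ "$der_fp" = "$pem_fp" ] ||
        { echo "FAIL: PEM file is not the certificate that was exported"; return 1; }
    [ "$(cert_name "$2" pem subject)" = "$(cert_name "$2" pem issuer)" ] ||
        { echo "FAIL: subject and issuer differ, so this is not a root certificate"; return 1; }
    if [ -n "$3" ] && [ "$3" != "$pem_fp" ]; then
        echo "FAIL: fingerprint $pem_fp does not match the expected value"
        return 1
    fi
    echo "OK: $(cert_name "$2" pem subject) $pem_fp"
}

# Usage: sh check_root_ca.sh ./ca_root.cer ./ca_root.pem [expected-sha256-fingerprint]
if [ "$#" -ge 2 ]; then
    check_root_ca "$@"
fi
```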
2b. Install smart card PIV driver
To support the PIV feature of the smart card, the PIV smart card driver is also required. The following steps use Yubikey PIV version 2.3.0 as an example. Refer to your product documentation if you are using a different product.
Download the PIV driver from Yubikey and place the file in the Downloads folder.
Open the Terminal.
Run the following commands to set up the PIV driver.
cd ~/Downloads/
sudo apt install cmake build-essential libssl-dev check gengetopt help2man libtool pkg-config libpcsclite-dev
sudo tar -zxvf yubico-piv-tool-2.3.0.tar.gz
cd yubico-piv-tool-2.3.0
sudo mkdir build
cd build
sudo cmake ..
sudo make
sudo make install
2c. Adding PIV drivers to nssdb
After the CA cert is ready, the next step is installing the smart card PIV drivers on Ubuntu. This post uses Yubikey as an example.
First, copy the PIV driver files to /usr/lib/ with the following commands.
cd /usr/local/lib/
sudo cp libykcs11.a /usr/lib/
sudo cp libykcs11.so /usr/lib/
sudo cp libykcs11.so.2 /usr/lib/
sudo cp libykcs11.so.2.3.0 /usr/lib/
sudo cp libykpiv.a /usr/lib/
sudo cp libykpiv.so /usr/lib/
sudo cp libykpiv.so.2 /usr/lib/
Then add the drivers to nssdb.
Change directory to the path where the root cert is stored and run the following commands.
sudo cp /usr/local/lib/libykpiv.so /usr/lib/
sudo certutil -N -d /etc/pki/nssdb
sudo certutil -A -n rootca -i ca_root.pem -t "CT,CT,CT" -d /etc/pki/nssdb
sudo modutil -dbdir /etc/pki/nssdb/ -add "piv card" -libfile /usr/lib/libykcs11.so
Verify that the expected libraries are added successfully with the command "sudo modutil -dbdir /etc/pki/nssdb -list".
A result similar to the following is shown.
Listing of PKCS #11 Modules
–-----------------------------------------------------------
1. NSS Internal PKCS #11 Module
slots: 2 slots attached
status: loaded
slot: NSS Internal Cryptographic Services
token: NSS Generic Crypto Services
slot: NSS User Private Key and Certificate Services
token: NSS Certificate DB
2. piv card 2.0
library name: /usr/lib/libcmP11.so
slots: There are no slots attached to this module
status: loaded
–-----------------------------------------------------------
2d. Configure pam_pkcs11 library
After the PIV library is in place, the pam_pkcs11 library needs the corresponding configuration.
Create the configuration file from the packaged example with the commands:
sudo mkdir -p /etc/pam_pkcs11
sudo cp /usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example /etc/pam_pkcs11/pam_pkcs11.conf
Edit the configuration file with the command:
sudo nano /etc/pam_pkcs11/pam_pkcs11.conf
Edit the configuration file as shown below:
use_pkcs11_module = mysc;
pkcs11_module mysc {
    # PKCS#11 library registered with modutil in step 2c (Yubikey example)
    module = /usr/lib/libykcs11.so;
    description = "LIBCMP11";
    slot_num = 0;
    ca_dir = /etc/pki/cacerts;
    nss_dir = /etc/pki/nssdb;
    cert_policy = ca;
}
...
use_mappers = cn, null;
...
mapper cn {
    debug = false;
    module = internal;
    # module = /lib/pam_pkcs11/cn_mapper.so;
    ignorecase = true;
    mapfile = file:///etc/pam_pkcs11/cn_map;
    # mapfile = "none";
}
Edit the mapping file with the command:
sudo nano /etc/pam_pkcs11/cn_map
Edit the mapping file as shown below, mapping each certificate common name to a login ID:
Common name -> Login ID
Edit the PAM configuration file with the command:
sudo nano /etc/pam.d/gdm-password
Edit the configuration file as shown below. Place the pam_pkcs11.so line before the common-auth line.
#%PAM-1.0
auth requisite pam_nologin.so
auth required pam_succeed_if.so user != root quiet_success
auth sufficient pam_pkcs11.so
@include common-auth
auth optional pam_gnome_keyring.so
@include common-account
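A pre-flight check for the smart card login settings above, as an added example (not part of the original post or of pam_pkcs11). It confirms that the paths named in the active pkcs11_module block exist and that pam_pkcs11.so is placed before common-auth; the function names are hypothetical and the "key = value;" spacing of the packaged example file is assumed.

```shell
#!/bin/bash
# Pre-flight checks for the pam_pkcs11 login setup described above.

# Print the value of key $2 inside the pkcs11_module block that
# use_pkcs11_module selects in file $1 (assumes "key = value;" spacing).
active_module_value() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        $1 == "use_pkcs11_module" { name = $3; sub(/;.*/, "", name) }
        $1 == "pkcs11_module" && $2 == name { inblk = 1; next }
        inblk && /}/ { inblk = 0 }
        inblk && $1 == key { v = $3; sub(/;.*/, "", v); print v; exit }' "$1"
}

# Succeed only if an active "auth ... pam_pkcs11.so" line comes before
# "@include common-auth" in PAM service file $1.
pkcs11_before_common_auth() {
    awk '/^[ \t]*#/ { next }
         $1 == "auth" && /pam_pkcs11\.so/ { if (!p) p = NR }
         $1 == "@include" && $2 == "common-auth" { if (!c) c = NR }
         END { exit !(p && c && p < c) }' "$1"
}

# Print one FAIL line per problem; return non-zero if any check fails.
check_smartcard_login() {   # $1 = pam_pkcs11.conf, $2 = PAM service file
    rc=0
    for key in module ca_dir nss_dir; do
        path=$(active_module_value "$1" "$key")
        if [ -z "$path" ] || [ ! -e "$path" ]; then
            echo "FAIL: $key '${path:-unset}' does not exist"
            rc=1
        fi
    done
    if ! pkcs11_before_common_auth "$2"; then
        echo "FAIL: pam_pkcs11.so is not placed before common-auth in $2"
        rc=1
    fi
    return "$rc"
}

# Usage: sh check_login.sh /etc/pam_pkcs11/pam_pkcs11.conf /etc/pam.d/gdm-password
if [ "$#" -eq 2 ]; then
    check_smartcard_login "$1" "$2"
fi
```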
2e. Download and compile PCSC
The next step is to install the smart card reader service. The package and version must be exactly pcsclite 1.8.8; other versions are not compatible with the Horizon Agent.
Run the following commands to install pcsc 1.8.8.
cd ~/Downloads
sudo apt-get install -y git autoconf automake libtool flex libudev-dev
sudo git clone https://salsa.debian.org/rousseau/PCSC.git
cd PCSC/
sudo git checkout -b pcsc-1.8.8 1.8.8
sudo ./bootstrap
sudo ./configure --prefix=/usr --sysconfdir=/etc --libdir=/lib/x86_64-linux-gnu/ CFLAGS="-g -O2 -fstack-protector-strong -Wformat -Werror=format-security" LIBS="-ldl" LDFLAGS="-Wl,-Bsymbolic-functions -Wl,-z,relro" CPPFLAGS="-Wdate-time -D_FORTIFY_SOURCE=2"
sudo make
sudo make install
Run the command "sudo systemctl enable pcscd.service".
Test the installation with the command "sudo pcsc_scan".
A result similar to the following is shown.
Reinstall the Horizon Agent using the procedure in the last section, "Reinstall Horizon Agent with Device Redirection".
3. Reinstall Horizon Agent with Device Redirection.
Finally, reinstall the Horizon Agent with device redirection enabled.
Refer to the Horizon Agent installation post (https://www.tech-fellow.com/post/creating-full-clone-desktop-with-ubuntu#viewer-73imt), but replace the Horizon Agent installation command with the following parameters.
"sudo ./install_viewagent.sh -m yes -U yes -A yes".
The following table lists the most common parameters for enabling different features on Horizon Linux VDI.
Full details of the parameters can be found at the following link.
-a yes|no | Install or bypass audio input redirection support. Default is yes. |
-f yes|no | Install or bypass support of the cryptographic modules designed for Federal Information Processing Standards (FIPS) 140-2. Default is no. For more information, see the FIPS 140-2 Mode description in Features of Horizon Linux Desktops. |
-j | JMS SSL keystore password. By default, installer generates a random string. |
-m yes|no | Install or bypass the smart card redirection support. Default is no. |
-r yes|no | Restart the system automatically after installation. Default is no. |
-s | Self signed cert subject DN. By default, installer uses Blast. |
-C yes|no | Install or bypass Clipboard Redirection support. Default is yes. |
-F yes|no | Install or bypass CDR support. Default is yes. |
-M yes|no | Upgrade the Linux Agent to managed or unmanaged agent. Default is yes. |
-S yes|no | Install or bypass Single Sign-on (SSO) support. Default is yes. |
-T yes|no | Install or bypass True Single Sign-on (True SSO) support. Default is no. |
-U yes|no | Install or bypass USB support. Default is no. |
----- END -----