CAC Reader Linux Ubuntu Installation Guide

in CAC Readers & Hardware 8 min read

“`html

Why CAC Reader Support on Linux Matters

Installing a CAC reader on Linux Ubuntu has gotten complicated with all the fragmented documentation flying around. I’ve been through it. Military and government employees increasingly use Ubuntu and other Linux distributions for work, but the official documentation stops at Windows. Full stop. The Department of Defense doesn’t officially support non-Windows CAC implementations, which leaves Linux users in a strange position—we need the hardware to work, but nobody’s written the playbook.

Probably should have opened with this section, honestly. Most search results for “CAC reader Linux installation” either don’t exist or point to five-year-old forum posts with broken links. That gap is real. If you’re managing infrastructure at a government agency running Ubuntu workstations, or you’re a federal contractor whose IT department finally approved Linux, you’ve likely hit this wall: the reader hardware arrives, the drivers won’t install, and nobody in the official channels can help.

This guide exists because that scenario shouldn’t require you to guess. But what is successful CAC reader setup on Linux? In essence, it’s installing the right packages and configuring USB permissions. But it’s much more than that—it’s understanding kernel drivers, udev rules, and permission structures that Windows abstracts away from you entirely.

System Requirements and Compatibility Check

Not every Linux distribution handles CAC readers equally. Before you download anything, confirm your system will actually work.

Supported Linux Distributions

Ubuntu 20.04 LTS and newer—including 22.04 and 24.04—support CAC reader hardware without major hassles. Fedora 36 and later work well. CentOS 8 Stream supports it but requires extra steps. Debian Bookworm includes the necessary packages. Arch Linux users can compile from source, though that’s a different conversation entirely.

Kernel version matters more than you’d think. You need Linux kernel 5.4 or newer. Check yours by running uname -r in terminal. If you’re on anything released in the last three years, you’re fine — honestly, most people don’t need to worry about this part.

USB Driver and libusb Requirements

Your CAC reader communicates through USB, which means libusb needs to be installed and at the right version. Ubuntu includes libusb 1.0.26 or newer by default on recent versions. Fedora bundles it too. The real issue? It’s not having libusb—it’s having the right permissions to access it.

This is where most people fail. The USB device exists. The driver exists. But the regular user account can’t talk to it. That’s a udev rule problem, not a driver problem.

Quick Compatibility Checklist

  • Ubuntu 20.04 LTS or newer installed? ✓
  • Kernel version 5.4 or above? Run uname -r
  • libusb installed? Run dpkg -l | grep libusb (Ubuntu) or dnf list installed libusb (Fedora)
  • Physical USB port available and working? Plug in a USB flash drive to test
  • User account has sudo access? Required for udev rule installation

If all five items check out, you can proceed. If libusb isn’t showing up, we’ll install it in the next section.

Step-by-Step Installation for Ubuntu and Fedora

The installation path splits here based on your distribution’s package manager. I’ll cover both because many government shops run mixed Ubuntu and Fedora environments, and honestly, the differences matter.

Ubuntu Installation (apt-based systems)

Open a terminal and run these commands in order. Copy the entire block if you prefer:

sudo apt update
sudo apt install libusb-1.0-0 libusb-1.0-0-dev pcscd pcsc-tools opensc
sudo systemctl enable pcscd
sudo systemctl start pcscd

What you just installed: libusb-1.0-0 handles USB communication — that’s the foundation. pcscd is the smart card daemon, the actual service that manages your CAC. opensc provides the middleware for smart card authentication. pcsc-tools gives you diagnostic commands.

Now comes the critical part—udev rules. Your user needs permission to access the USB device without typing sudo every time. Create a new udev rule file:

sudo nano /etc/udev/rules.d/91-cac-reader.rules

Paste this content:

SUBSYSTEM=="usb", ACTION=="add", ATTRS{idVendor}=="076b", MODE="0666"
SUBSYSTEM=="usb", ACTION=="add", ATTRS{idVendor}=="0b97", MODE="0666"
SUBSYSTEM=="usb", ACTION=="add", ATTRS{idVendor}=="04e6", MODE="0666"

These vendor IDs cover the most common CAC reader hardware — Omnikey, SCM Microsystems, Gemalto. That’s where 90% of government deployments live. Save the file (Ctrl+O, Enter, Ctrl+X).

Reload udev:

sudo udevadm control --reload-rules
sudo udevadm trigger

Plug in your CAC reader now. It should be accessible.

Fedora Installation (dnf-based systems)

The packages have slightly different names, which is the main difference:

sudo dnf install libusb pcsc-lite pcsc-lite-ccid opensc
sudo systemctl enable pcscd
sudo systemctl start pcscd

The udev rules file is identical. Create it the same way in Fedora:

sudo nano /etc/udev/rules.d/91-cac-reader.rules

Use the exact same rule content as above. Then reload:

sudo udevadm control --reload-rules
sudo udevadm trigger

Permission Groups (if udev rules don’t work)

Sometimes the udev approach needs reinforcement. Add your user to the smartcard group:

sudo usermod -aG scard $(whoami)
newgrp scard

Log out and back in to apply the group change fully. I learned this the hard way after spending 45 minutes debugging a reader that was connected but inaccessible. Don’t make my mistake.

Testing Your CAC Reader Connection

Plug your CAC reader into a USB port. Open a terminal and run:

lsusb

You should see a line like this:

Bus 001 Device 005: ID 076b:6622 OmniKey AG CardMan 3621

The exact model name varies, but if you see your reader listed, the USB layer is working. That’s step one. Next, verify the smart card service sees it:

systemctl status pcscd

You should see “active (running)” in green. If it says stopped, run sudo systemctl start pcscd.

Now insert your CAC and run:

pcsc_scan

Successful output looks like this:

Reader 0 (OmniKey CardMan 3621 0)
Card state: Card inserted
ATR: (card identifier bytes)

That “Card inserted” message means your reader recognized the CAC. Success. If you see “Card removed” or no reader listed at all, move to the troubleshooting section.

Troubleshooting Linux-Specific Issues

Three problems hit most people. Here’s how to fix them without losing your mind.

Reader Shows in lsusb But Not in pcsc_scan

This means USB recognizes the hardware but the smart card service doesn’t. Check pcscd status first:

sudo systemctl status pcscd

If it’s stopped, start it. If it’s running but still not seeing the reader, check for missing drivers:

sudo dnf install pcsc-lite-ccid (Fedora)

or

sudo apt install pcsc-lite-ccid (Ubuntu)

The ccid package is crucial — it’s the actual driver layer between pcscd and USB smart card devices. After installing, restart pcscd:

sudo systemctl restart pcscd

Try pcsc_scan again.

Permission Denied When Accessing Reader

Error message: “permission denied” or “could not access reader.” The udev rules didn’t apply correctly. Verify the rules file exists:

cat /etc/udev/rules.d/91-cac-reader.rules

If nothing prints, you didn’t save the file. Create it again. If the file exists, unplug the reader, wait 5 seconds, plug it back in. The udev rules trigger on device insertion, not at boot.

Last resort — verify permissions on the USB device directly. Run:

lsusb -v 2>/dev/null | grep -A 5 "Card"

Then check the /dev/bus/usb path permissions. Honestly, this is rare if the udev rules are in place correctly.

SELinux Blocking the Connection (Fedora)

Fedora ships with SELinux enabled by default. It blocks smartcard access sometimes. Check if SELinux is the culprit:

sudo tail -f /var/log/audit/audit.log | grep -i smartcard

If you see denials, either create a policy or temporarily disable SELinux for testing:

sudo setenforce 0

Test the reader. If it works with SELinux off, the issue is confirmed. For production, don’t leave SELinux disabled — create a proper policy module instead. That’s beyond this guide’s scope, but Fedora’s documentation covers it well.

You now have a working CAC reader on Ubuntu or Fedora. The hardware functions exactly like it does on Windows, minus the polished installer and the official support channels.

“`

Mike Thompson

Mike Thompson

Author & Expert

Jason Michael, a U.S. Air Force C-17 pilot, is the editor of CAC Readers.com. Articles covering military life, benefits, and service-member topics are researched, fact-checked, and reviewed before publication. Read our editorial standards or send a correction at the editorial policy page.

143 Articles
View All Posts

You Might Also Like

Subscribe for Updates

Get the latest cac readers.com updates delivered to your inbox.