CAC Card setup on Steam Deck (Arch Linux) to login to DOD Websites (365 Email, DFAS MyPay, Etc) in January 2023
How to set up DOD CAC Login with the Steam Deck:

This is assuming you have the internet connected to your Steam Deck, boot in SteamOS desktop mode, and have a docking station with the typical input devices needed for this task (keyboard, mouse, and CAC reader).

-I had to do some plugging and unplugging with my mouse/keyboard on my dock. It seems like I had to plug my USB device in the center USB port for the others to work.

A. The only real extra difference between Steam Deck using Steam OS and any other Arch-based Linux Distro is that you need to set a root password to use with sudo. From the terminal (SteamOS/KDE - konsole):

1A) Run "passwd" and set a password for the deck user.

2A) Disable read only mode: sudo btrfs property set -ts / ro false

3A) Initialize the pacman keyring with the default Arch Linux keys:
sudo pacman-key --populate archlinux

4A) Now you can install any typical Arch Linux package like this:
sudo pacman -S *Package Name*

Now moving on to general Arch Linux steps for setting up your CAC:

B. The following would be the process for setting up the CAC middleware on any Arch Linux installation including Steam OS on the Steam Deck.

1B) Install generic USB Chip/Smart Card Interface Devices (CCID) and Open Smart Card (OpenSC):

sudo pacman -S ccid
sudo pacman -S opensc

-If your CAC reader doesn't have a keypad (typical USB reader) go to “/etc/opensc.conf” and append "enable_pinpad=false" to the file.

2B) Start and enable pcscd.service by running: pcscd

-I had some trouble with this step; apparently a file that belonged to the pcscd.socket wasn’t set up right. This was fixed by running:

sudo systemctl restart pcscd.socket

3B) That should be all you need. However you can verify your smart card reader by installing pcsc-tools and running pcsc_scan:

sudo pacman -S pcsc-tools
pcsc_scan

-You should then see the smart card reader you have plugged into your machine and its status such as if there's a smart card inserted. You can quit this application by hitting "Ctrl+C" which is the typical Linux command line way of closing a program.

4B) Install Firefox. Apparently Firefox installed with snap doesn't work with smart cards correctly. If you already have Firefox installed from a software center/store (SteamOS - Discover) just go into that software store GUI and uninstall it. Go back to your terminal and install Firefox using pacman:

sudo pacman -S firefox

C. Now we're going to configure Firefox to work with a smart card reader and then install the DOD certificates.

1C) Download the latest DOD CAC certificates (DOD PKI PKCS#7 CA). This may require googling "download latest dod root certificates" and finding it. As of this writing it's hosted on https://public.cyber.mil at this URL:

https://dl.dod.cyber.mil/wp-content/uploads/pki-pke/zip/unclass-certificates_pkcs7_v5-6_dod.zip

-Save file and extract the folder somewhere you can find it. I left mine in the downloads folder.

2C) Go to the Privacy & Security tab in Firefox. As of Firefox 109.0 64-bit you do that by clicking the 3 line icon on the upper right hand side of the screen then click in the drop down menu "Settings" and then clicking "Privacy & Security" on the left side of the screen.

-Scroll down to "Certificates" and click "View Certificates".

-Under "Authorities" click "Import" to go to the Certificate Manager.

-Go to where you extracted those DOD CAC Certs (I left it in downloads), enter the folder, and select "Certificates_PKCS7_v5.6_DoD.der.p7b". Then click "Open".

-Check all the boxes to trust DoD Root CA 2 for all the purposes (Trust this CA to identify websites and Trust this CA to identify email users). Click "OK" and then click OK in the Certificate Manager window.

3C) Now we're going to configure Firefox to use your smart card reader. Click "Security Devices" to open the Device Manager.

-Click "Load" and type a Module Name in the field. I typed "OpenSC" in the field but I've seen it suggested to enter "CAC Module" or you can probably leave what the field defaulted to which in my case was "New PKCS#11 Module".

-Now hit "Browse" to the right of the "Module Filename" and find "opensc-pkcs11.so" or if you're a Dual-Use CAC holder you may want to use "onepin-opensc-pkcs11.so". This can probably be found in a couple of places: "/lib/pkcs11/" folder, "/usr/lib64/pkcs11" folder, out loose in the "/usr/lib" folder, but I used the opensc-pkcs11.so in "/lib64/pkcs11/". I think that file in all those (and more) locations is basically the same.

-Click "Open" after you have highlighted the opensc-pkcs11.so file. Click "OK", click "OK" on the Device Manager window, and leave the settings tab.

-Now go to a DOD CAC enabled website and login with your CAC! Keep in mind that a lot of these websites were set up for Microsoft browsers (Edge, previously Internet Explorer) on Windows OS specifically. You should be able to click some button to move on to the login page. Some of the typical sites are:

https://webmail.apps.mil/mail/ (E-Mail, at least for Army 365 Outlook email anyway)

https://mypay.dfas.mil/ (DFAS MyPay, for your LES)

____________________________________________________________________________
Note: a ".so", which is a Shared Object, or a ".o", which is an "Object", are Dynamic Libraries of the Unix/Linux variety which are dynamically linked at runtime. The Windows equivalent is a Dynamically Linked Library ".dll".

An ".a" file is an Archive file which is a Static Library that is linked by a linker program when compiling. The Windows equivalent is a ".lib".

Some googling can tell you all about that but basically a statically linked library makes a bigger executable file (typically an ".exe" in Windows or a ".bin" Binary file in UNIX/Linux) which are compiled programs. The other kind of programs that can natively be run in an OS are scripts (".sh" for a Linux Shell or a ".bat" which is a Windows Batch file). Other programs have other kinds of scripts (".py" for Python, ".php" for PHP, ".m" for MATLAB, ".pl" for Perl, etc). Scripted programs can use libraries too.
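
Added example (not part of the original post): step 3C lists several directories where "opensc-pkcs11.so" may be found and supposes the copies are the same. This POSIX shell check resolves symlinks, hashes each distinct file, and names the owning package with "pacman -Qqo" so you know which file is being loaded into Firefox. The function names are this example's own.

```shell
#!/bin/sh
# Added example (function names are this example's own, not from the post).

# module_real_paths NAME DIR...
# For every DIR that holds NAME, print "<sha256>  <real path>", once per
# distinct real file. readlink -f follows directory symlinks such as
# Arch's /lib -> usr/lib, so aliases of one file collapse to one line.
module_real_paths() (
    name=$1; shift
    for dir in "$@"; do
        [ -f "$dir/$name" ] || continue
        readlink -f "$dir/$name"
    done | sort -u | while IFS= read -r real; do
        sha256sum "$real"
    done
)

# module_distinct_count NAME DIR...
# Number of different file contents found under that name (0 = not found).
module_distinct_count() (
    module_real_paths "$@" | awk '{ print $1 }' | sort -u | wc -l | tr -d ' '
)

# module_owner PATH
# Package that installed PATH according to pacman, or a marker if none.
module_owner() {
    if command -v pacman >/dev/null 2>&1; then
        pacman -Qqo "$1" 2>/dev/null </dev/null || echo "UNOWNED"
    else
        echo "pacman-not-found"
    fi
}

# module_report NAME DIR...
# One line per distinct file, then the count; more than 1 means the copies
# differ and the one loaded into Firefox should be the package-owned file.
module_report() (
    module_real_paths "$@" | while read -r hash real; do
        printf '%s  owner=%s  %s\n' "$hash" "$(module_owner "$real")" "$real"
    done
    echo "distinct files: $(module_distinct_count "$@")"
)

# The four locations named in the post.
module_report opensc-pkcs11.so /lib/pkcs11 /usr/lib64/pkcs11 /usr/lib /lib64/pkcs11
```

A count of 1 with an owner of "opensc" means every path is the same packaged file; an "UNOWNED" line or a count above 1 is worth investigating before loading the module.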
Showing 1-3 of 3 comments
Wow. Someone really wanted to use the Deck for work. Haha.

Thank you for this.
You should perhaps mention that all this will be undone whenever the next SteamOS upgrade is installed...
Originally posted by notboxbot:
You should perhaps mention that all this will be undone whenever the next SteamOS upgrade is installed...

I'm sure this may be true but at least after the February 2023 update all that seemed to happen was the pcsc-tools service was turned off so from the terminal I simply ran:

sudo systemctl restart pcscd.socket

That turned the service back on and I was able to login with my CAC card again without further issue.

Date Posted: Jan 27, 2023 @ 5:23pm
Posts: 3