Sentinel

Enterprise Identity Manager for Linux. Simplifies DoD Smart Card (CAC/PIV) operations with a modern TUI.

Python 3.10+ | TUI | DoD PKI

Features

System Diagnostics & Compliance

  • Real-time Monitoring: Visual status of PC/SC service, Middleware, and Reader.
  • Auto-Remediation: One-click fix for dead smart card services.
  • STIG Compliance: Built-in RHEL 9 security baseline checks.

Identity Management

  • Visual Dashboard: Cardholder Name, Agency, and Token Info at a glance.
  • PIN Management: Check retry counts, change PIN, or unblock via PUK.
  • Identity Mapping: Extracts Principal Names (UPN) for local user mapping.

Certificate Validation

  • AIA Chasing: Dynamically fetches missing intermediate certificates (Fixes Error 20).
  • Authenticated Fetch: Uses CAC PIN for mutual TLS in restricted networks.
  • Mega-Bundle: One-click install of the complete DoD Trust Chain.

Digital Signing & Operations

  • PDF Signing: Digitally sign documents with hardware token.
  • SSH Integration: Automates SSH Public Key export and agent adding.
  • Browser Config: Auto-configures Firefox and Chrome databases.

Prerequisites

Ensure you have a standard Linux environment (Fedora, RHEL, Ubuntu, Debian, Arch).

Required Hardware & Tools

  • USB Smart Card Reader + Valid ISO 7816 Smart Card
  • pcscd (Daemon) and opensc (Middleware)
  • Python 3.10+
  • git and curl

Installation

Option A: Automatic (Recommended)

Clones the repo, creates a virtual environment, installs dependencies, and sets up the alias.

curl -fsSL https://snl.codefxr.com/install | bash

Option B: Manual

git clone https://github.com/CodeFXR/Sentinel.git
cd Sentinel

# 1. Create Environment
python3 -m venv .venv
source .venv/bin/activate

# 2. Install Dependencies
pip install textual pyhanko cryptography

# 3. Run
python main.py

Usage

Restart your terminal and type:

snl

Keyboard Navigation

Key        Action
Tab        Cycle through inputs and buttons
Enter      Activate button or submit form
Ctrl + C   Force Quit

Troubleshooting

Card Reader Not Detected

Ensure your USB reader is plugged in before starting the app.

If the "Service" LED in Sentinel is red, click the "Fix Service" button inside the app.

Error 20: Unable to get local issuer

The system is missing an intermediate CA certificate.

  1. Go to the Validation tab.
  2. Enter PIN (recommended).
  3. Click Validate & Fix to fetch the missing certificates via AIA.
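
AIA chasing starts by reading the caIssuers URL out of the certificate whose issuer is missing. The block below is an added example, not Sentinel's own code: a stdlib-only DER walk that extracts those URLs and keeps only the ones safe to fetch. The sample bytes, the example.test URLs and the helper names (`ca_issuer_urls`, `fetchable`, `tlv`) are constructed for illustration.

```python
from urllib.parse import urlsplit

OID_AIA = bytes.fromhex("2b06010505070101")         # 1.3.6.1.5.5.7.1.1 authorityInfoAccess
OID_CA_ISSUERS = bytes.fromhex("2b06010505073002")  # 1.3.6.1.5.5.7.48.2 caIssuers

def children(value):
    """Split DER bytes into [(tag, content)]; single-byte tags only, enough for X.509."""
    pos, out = 0, []
    while pos < len(value):
        tag, length, pos = value[pos], value[pos + 1], pos + 2
        if length & 0x80:                       # long form: low 7 bits count the length bytes
            n = length & 0x7F
            length, pos = int.from_bytes(value[pos:pos + n], "big"), pos + n
        if pos + length > len(value):
            raise ValueError("truncated DER element")
        out.append((tag, value[pos:pos + length]))
        pos += length
    return out

def find_extension(der, oid):
    """Depth-first search for Extension ::= SEQUENCE { OID, [critical], OCTET STRING }."""
    for tag, content in children(der):
        if tag & 0x20:                          # constructed element: look inside it
            kids = children(content)
            if tag == 0x30 and kids and kids[0] == (0x06, oid) and kids[-1][0] == 0x04:
                return kids[-1][1]              # extnValue, still DER-encoded
            found = find_extension(content, oid)
            if found is not None:
                return found
    return None

def ca_issuer_urls(cert_der):
    urls = []
    for _, seq in children(find_extension(cert_der, OID_AIA) or b""):
        for _, desc in children(seq):           # AccessDescription { method, location }
            (_, method), (ltag, location) = children(desc)
            if method == OID_CA_ISSUERS and ltag == 0x86:   # [6] URI GeneralName
                urls.append(location.decode("ascii"))
    return urls

def fetchable(urls):  # the URL comes from a not-yet-validated cert: http(s) with a host only
    return [u for u in urls if urlsplit(u).scheme in ("http", "https") and urlsplit(u).hostname]

def tlv(tag, body):   # DER encoder for the constructed sample below (bodies under 256 bytes)
    return bytes([tag]) + (b"\x81" if len(body) > 127 else b"") + bytes([len(body)]) + body
access_desc = lambda oid, url: tlv(0x30, tlv(0x06, oid) + tlv(0x86, url))  # constructed data
AIA = tlv(0x30, access_desc(bytes.fromhex("2b06010505073001"), b"http://ocsp.example.test")
          + access_desc(OID_CA_ISSUERS, b"http://pki.example.test/ca/issuer.p7c")
          + access_desc(OID_CA_ISSUERS, b"ldap://dir.example.test/cn=CA"))
SAMPLE = tlv(0x30, tlv(0xA3, tlv(0x30, tlv(0x30, tlv(0x06, OID_AIA) + tlv(0x04, AIA)))))
```

A certificate fetched from one of these URLs is only a candidate: it still has to chain to a root already in the trust store before it is installed.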

Uninstalling

rm -rf ~/.sentinel

Then remove the 'alias snl=...' line from your .bashrc/.zshrc.