[cups-devel] lpr and authentication for dnssd backend on Mac

Michael Sweet msweet at apple.com
Fri Sep 9 09:14:53 PDT 2016


Andreas,

> On Sep 9, 2016, at 11:42 AM, Andreas Lobbes <Andreas.Lobbes at thinprint.com> wrote:
> 
> Hello Michael,
> 
> is there another, "more serious" way, just using the CUPS interface (either binary or API) to print nonblocked,
> for the special case that related authentication info is already stored in the "Keychain"?

I don't think there is a way to use the CUPS APIs for this, since keychain access is (naturally) limited.

You may be able to use the PrintCore framework (PMPrinterPrintFile? or something like that) which will use the same helper service to securely create the print job.

> I suppose that Mac-specific print APIs (AppKit, Core) also use the CUPS API.

Yes, but there is a level of indirection to have applications submit print jobs through a trusted XPC service with access to the keychain.

> When having a look into the print control file of such a job (being printed by a Mac application like Safari, Preview),
> I find only the username, but no password information. And I guess there is also no password in the ps output?!
> Any idea how these Mac binaries pass related authentication information to CUPS?

Using the "auth-info" operation attribute in the Create-Job request.  There is a trusted user-space XPC service (PrintUITool) that sends the Create-Job request with this attribute - that same service is also responsible for popping up the credentials window, etc.

(Proxy credentials are stored by cupsd in a separate file in the spool directory and are not part of the IPP Job object attributes in the job control file...  They are also deleted as soon as the job reaches a terminating state...)

_________________________________________________________
Michael Sweet, Senior Printing System Engineer
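
Added illustration, not code from the original message or from CUPS: a Python check that walks an IPP-encoded attribute buffer and reports whether "auth-info" appears in it, run over two constructed samples (a Create-Job request and a job control file). It assumes the control file uses the standard IPP message encoding (RFC 8010); the function names and sample values are hypothetical.

```python
import struct

SENSITIVE = {"auth-info"}          # the credential attribute named in the message
END_OF_ATTRIBUTES = 0x03

def ipp_attribute_names(buf: bytes) -> list:
    """Return the attribute names in an IPP-encoded message (RFC 8010 layout)."""
    if len(buf) < 9:
        raise ValueError("too short for an IPP header")
    pos, names = 8, []             # skip version(2), operation/status(2), request-id(4)
    while pos < len(buf):
        tag = buf[pos]
        pos += 1
        if tag == END_OF_ATTRIBUTES:
            return names
        if tag <= 0x0F:            # delimiter tag: start of a new attribute group
            continue
        (name_len,) = struct.unpack_from(">H", buf, pos)
        name = buf[pos + 2:pos + 2 + name_len]
        pos += 2 + name_len
        (value_len,) = struct.unpack_from(">H", buf, pos)
        pos += 2 + value_len
        if pos > len(buf):
            raise ValueError("truncated attribute value")
        if name_len:               # name_len == 0 marks an additional value (1setOf)
            names.append(name.decode("ascii"))
    raise ValueError("missing end-of-attributes tag")

def credential_attributes(buf: bytes) -> list:
    """Names of credential-bearing attributes present in the buffer."""
    return [n for n in ipp_attribute_names(buf) if n in SENSITIVE]

def _attr(tag: int, name: str, value: bytes) -> bytes:
    n = name.encode("ascii")
    return bytes([tag]) + struct.pack(">H", len(n)) + n + struct.pack(">H", len(value)) + value

_HEADER = b"\x02\x00" + struct.pack(">HI", 0x0005, 1)   # IPP/2.0, Create-Job, request-id 1

# Constructed sample: Create-Job request carrying auth-info as two text values.
SAMPLE_REQUEST = (_HEADER + b"\x01"
    + _attr(0x47, "attributes-charset", b"utf-8")
    + _attr(0x48, "attributes-natural-language", b"en")
    + _attr(0x42, "requesting-user-name", b"alice")
    + _attr(0x41, "auth-info", b"alice") + _attr(0x41, "", b"constructed-secret")
    + b"\x03")

# Constructed sample: job attributes as the control file is described, username only.
SAMPLE_CONTROL = (_HEADER + b"\x02"
    + _attr(0x42, "job-originating-user-name", b"alice")
    + _attr(0x42, "job-name", b"constructed.pdf")
    + b"\x03")
```
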



