[cups.general] Re: How to authenticate from printing software?
Colin Walters
walters at redhat.com
Fri Aug 27 09:18:51 PDT 2004
On Fri, 2004-08-27 at 11:03 -0400, Michael Sweet wrote:
> Colin Walters wrote:
> Sigh... You are passing a file over a network connection (local or
> remote, doesn't matter), and once that file has been accepted by
> the server, the job is created and the app can go away.
Yes. But there is a big difference between a session CUPS daemon
running on localhost versus a remote server over a network which may be
bandwidth-limited or go down in the middle of a job.
> > ...
> >>I'd say the same, but I'm not sure you understand that the lifetime
> >>of a job lasts beyond the life of an application in IPP.
> >
> >
> > Um, certainly I understand that, since I implemented eggcups, which
> > provides job status feedback independent of the application.
>
> OK, I think I see what you are trying to do now. You want a thin
> layer between the system cupsd and the application which provides
> job monitoring and support for remote authentication.
Yes.
> Somehow I think you might be better off just providing a GUI
> application (think kprinter, gtklp, etc.) which talks directly
> to the (possibly remote) server and puts itself in the background
> to show a job status window to the user.
That is more or less what we do.
> >>>For MTAs, or for CUPS? I very seriously doubt it is used for many MTA
> >>>setups, since for example with Kerberos, short of actually shipping the
> >>>user's Kerberos credentials over the network (violating several
> >>>principles of Kerberos), you can't do it. In the case of plaintext
> >>>logins, you need to ship the user's unencrypted password.
> >>
> >>With CUPS for sure,
> >
> >
> > How does it work then?
>
> You setup multiple servers to act as proxies to tunnel print jobs
> between networks. E.g. system A queues job 123 on system B, which
> sends it to C, which sends it to D, which sends it to the printer.
>
> Right now you have to hardcode the user:pass in the device URI
> when setting up the proxy/tunnel servers,
Right, so you're authenticating the servers, not the users.
> however in the future
> it will be possible for upstream servers to notify the job
> originator when authentication is required.
So in other words, it doesn't work with CUPS now, so I don't see how "it
is already used in a LOT of corporate and government environments".
> > I can imagine, it must have been a proprietary protocol on top of SMTP.
>
> Not really, it basically looked like a moderation system - all outgoing
> email had to be authenticated first with the local SMTP server, the
> mail was sent and held on the final server, and then we approved it
> (with more username/password stuff) via a UI at the final server.
Right...not really SMTP anymore :)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
URL: <https://lists.cups.org/pipermail/cups/attachments/20040827/3c947038/attachment.bin>
More information about the cups
mailing list