Cups SMB:// backend uses clear text password

Michael Sweet mike at easysw.com
Mon Feb 7 07:08:08 PST 2005


Anonymous wrote:
> Hi,
> 
> I would like to setup printing support in SUSE linux by accessing
> shared printers from a windows network. The idea is to make the SUSE
> linux system part of windows AD domain and use single-sign on. At the
> same time, access all the windows shared printers.
> 
> I see that cups backend smb:// is available for printing support, but
> password is stored in clear text. Its a security issue. Is there a
> work around or solution to this issue so that cupsd does not store
> the password in clear text. ?

This is a bug in how the authentication information is encoded in
the device URI.  Basically, at some point the Samba folks changed
the URI from:

      smb://username:password@workgroup/server/share

to:

      smb://workgroup/username:password@server/share

which breaks the URI sanitizing that CUPS has provided since 1.0
and does not conform to the RFC 3986 recommendations, making it
impossible for us to properly sanitize things.  The "/" character
is not valid in the userinfo portion of a URI and MUST be escaped
using %2F...  However, I don't believe that smbspool supports
character escapes (just checked - no, it does not), so it is
impossible to make the URI standards (and CUPS) compliant at this
time. (filed bug #2319 with the Samba folks for this...)

That said, we do not recommend using SMB as the print transport to
Windows systems.  Instead, use IPP or LPD which do not require
authentication credentials to be hardcoded.  If you must use SMB,
setup a non-priviledged "guest" account which only allows printing.

-- 
______________________________________________________________________
Michael Sweet, Easy Software Products           mike at easysw dot com
Internet Printing and Document Software          http://www.easysw.com




More information about the cups mailing list