A secure user

Jim Hranicky jfh at cise.ufl.edu
Thu Apr 20 06:32:00 PDT 2006


> > I don't think this would be too hard to do -- does anyone on the
> > list think this is a good idea? If so, can anyone think of any
> > issues that would arise?
>
> The main thing with certificate-based authentication is that you need
> to provide a way to register/load the user certificates on the server
> and associate them with specific usernames...

Well, the idea is just to have to trust the local cups server's
client cert -- you just trust that when it reports an IPP user
it's telling the truth.

It would probably require adding new auth types, like
DomainSockAuth, SSLCertifiedAuth, etc. An exception for
localhost may be useful, e.g., if you're running samba on
the cups server. Either that or you'd have to add the cert
code to the cups client libraries, but again that's a much
bigger deal.

> Also, you'll want to have some way to validate the server's
> certificate before proceeding, as otherwise you might end up
> disclosing those certificates to an imposter.

Would the standard SSL cert verification (check against the
CA cert) not be enough?

> Finally, it would be nice if this worked with browsers - I think
> most browsers allow you to load user certificates into your browser
> for this purpose...

Are there browsers that support IPP printing, or can cert auth
be done in, say, adding a Windows IPP printer? Again, though,
I'd like to avoid client-side changes as much as possible.

> All of these things should be in the CUPS STR database (if not,
> please add them :) for inclusion in a future CUPS release...

I can do that, but if after hashing out any details this looks like
a good idea I should be able to hack it in myself.



