A secure user

Michael Sweet mike at easysw.com
Thu Apr 20 07:09:13 PDT 2006


Jim Hranicky wrote:
>>> I don't think this would be too hard to do -- does anyone on the
>>> list think this is a good idea? If so, can anyone think of any
>>> issues that would arise?
>> The main thing with certificate-based authentication is that you need
>> to provide a way to register/load the user certificates on the server
>> and associate them with specific usernames...
> 
> Well, the idea is just to have to trust the local cups server's
> client cert -- you just trust that when it reports an IPP user
> it's telling the truth.
> 
> It would probably require adding new auth types, like
> DomainSockAuth, SSLCertifiedAuth, etc. An exception for
> localhost may be useful, e.g., if you're running samba on
> the cups server. Either that or you'd have to add the cert
> code to the cups client libraries, but again that's a much
> bigger deal.

You'll need to add it to the CUPS library anyways, specifically
in the cupsDoAuthentication() function in cups/auth.c and in
the http_setup_ssl() function in cups/http.c, otherwise it won't
work for all applications.

Reciprocal changes will need to be added to the cupsdAuthorize()
function in scheduler/auth.c, and possibly some hooks in the
encrypt_client() function in scheduler/client.c and the
cupsd_client_t structure in scheduler/client.h so that you can
get the client's certificate as passed in the SSL/TLS session
setup.

>> Also, you'll want to have some way to validate the server's
>> certificate before proceeding, as otherwise you might end up
>> disclosing those certificates to an imposter.
> 
> Would the standard SSL cert verification (check against the
> CA cert) not be enough?

Yes, but right now we don't even do that!  You'll find this
documented in the Server Security help file in CUPS 1.2, BTW...

>> Finally, it would be nice if this worked with browsers - I think
>> most browsers allow you to load user certificates into your browser
>> for this purpose...
> 
> Are there browsers that support IPP printing, or can cert auth
> be done in say, adding a Windows IPP printer? Again, though,
> I'd like to avoid client-side changes as much as possible.

You can't avoid client-side changes - *something* has to know to
send that certificate for the server to use.

AFAIK, no browser supports IPP printing directly; some do indirectly
via toolkit support of CUPS.  I don't know if Windows allows you to
provide a user certificate that is used when negotiating an SSL or
TLS session.

I'm looking at using certificates in a more general sense -
eliminating the need for a username/password challenge in the web
interface or any other HTTP access, which includes IPP operations.
Just doing it for a few specific paths will be a hack and will
probably be more difficult than the general solution (where hooks
already exist for this kind of thing...)

>> All of these things should be in the CUPS STR database (if not,
>> please add them :) for inclusion in a future CUPS release...
> 
> I can do that, but if after hashing out any details this looks like
> a good idea I should be able to hack it in myself.

Regardless, a STR will help us track this, including any code you
may want to contribute...

Thanks!

-- 
______________________________________________________________________
Michael Sweet, Easy Software Products           mike at easysw dot com
Internet Printing and Document Software          http://www.easysw.com
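
The thread describes two trust models: user certificates registered on the server and associated with specific usernames, and a trusted print server's certificate whose reported IPP user is believed. The sketch below is an added example, not part of the original message and not CUPS code; `CertRegistry`, its methods and the sample certificate bytes are hypothetical, and it assumes the TLS layer hands over the peer certificate as DER bytes together with the result of CA validation.

```python
import hashlib

def fingerprint(der: bytes) -> str:
    """SHA-256 of the DER certificate, used as the registry key."""
    return hashlib.sha256(der).hexdigest()

class CertRegistry:
    """Hypothetical server-side store of registered client certificates."""

    def __init__(self):
        self.users = {}       # fingerprint -> the one username it may act as
        self.proxies = set()  # fingerprints of print servers trusted to report users

    def register_user(self, der: bytes, username: str) -> None:
        self.users[fingerprint(der)] = username

    def register_proxy(self, der: bytes) -> None:
        self.proxies.add(fingerprint(der))

    def authorize(self, peer_der, chain_verified, requesting_user):
        """Return the username to attribute the request to, or None to refuse."""
        # Refuse when no certificate was sent or it failed CA validation
        # (wrong issuer, expired); a bare certificate proves nothing.
        if peer_der is None or not chain_verified:
            return None
        fp = fingerprint(peer_der)
        if fp in self.users:
            bound = self.users[fp]
            # A user certificate speaks for its own user only.
            return bound if requesting_user in (None, bound) else None
        if fp in self.proxies:
            # Trusted-server model: believe the user the server reports,
            # but an empty report is not an identity.
            return requesting_user or None
        return None

# Constructed stand-ins for DER certificate bytes; a real server would take
# them from the TLS session, e.g. ssl.SSLSocket.getpeercert(binary_form=True).
ALICE_CERT = b"constructed-der:alice"
SPOOLER_CERT = b"constructed-der:front-end-print-server"
UNKNOWN_CERT = b"constructed-der:unregistered"

registry = CertRegistry()
registry.register_user(ALICE_CERT, "alice")
registry.register_proxy(SPOOLER_CERT)

if __name__ == "__main__":
    print(registry.authorize(ALICE_CERT, True, "root"))
    print(registry.authorize(SPOOLER_CERT, True, "bob"))
```

In the trusted-server model every registered proxy certificate can act as any user, so the proxy set is the part of the registry that needs the tightest control.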