Beginner's problem with authentication policy in 1.3.0

John A. Murdie john at cs.york.ac.uk
Fri Sep 21 08:06:30 PDT 2007


> John A. Murdie wrote:
> > ...
> > I've not seen an illustration anywhere of what this looks like to
> > the user of one of these untrusted clients - for instance in the
> > GUI of a Mac OS X client.
>
> Kerberized printing is not supported on Mac OS X 10.4.x.

(Sorry, of course; it still has CUPS 1.1.something.)

> > I obtained a MacBook with OS X 10.4.10 (and fully up-to-date with
> > software updates) to try this out. I decided to try an initial
> > Location directive which Allow-s all the subnets in use, and then
> > to have two Limit-s in the default Policy, one for the trusted
> > subnet and one for the untrusted subnet:
> >
> >   <Limit Send-Document ...>
> >     Allow from trusted
> >     Order deny,allow
> >   </Limit>
> >
> >   <Limit Send-Document ...>
> >     Allow from untrusted
> >     Require user @OWNER @SYSTEM
> >     Order deny,allow
> >   </Limit>
>
> You really want to use:
>
>      <Limit Send-Document ...>
>        Order allow,deny
>        Allow from trusted
>        Require user @OWNER @SYSTEM
>        AuthType Default
>        Satisfy any
>      </Limit>
>
> The "Satisfy any" part tells CUPS to only require authentication on
> the untrusted hosts/networks.
>
> In CUPS 1.2, the "AuthType Default" would need to be "AuthType Basic",
> "AuthType Digest", or "AuthType BasicDigest".
>
> And like I said, you can't do Kerberized CUPS printing on Mac OS X
> 10.4.x - even if you did install CUPS 1.3 on it, there is no GUI
> support and the Kerberos is too old to support delegated credentials
> properly...
>
> --
> ______________________________________________________________________
> Michael R Sweet                        Senior Printing System Engineer

I would hope at least to be able to lock out the untrusted clients (on a separate subnet from the trusted clients) if they cannot authenticate by the required means. Unfortunately, I have been unable to do this. I have in cupsd.conf an initial Location directive:

<Location />
  Order allow,deny
  Allow from trusted/255.255.254.0
  Allow from untrusted/255.255.254.0
  Encryption Required
</Location>

('trusted' and 'untrusted' being the subnetwork address of the trusted and untrusted networks, respectively) which is followed by:

<Policy default>
  <Limit Send-Document ...>
    Order allow,deny
    Allow from trusted
    Require user @OWNER @SYSTEM
    AuthType Basic
    Satisfy any
  </Limit>

yet this still permits the untrusted Mac OS X client to print (masquerading as any user known to the CUPS server). I've read "Managing Operations Policies" and understand that "operation policies can only add additional security restrictions to a request, never relax them" - but I'm adding them here.

With AuthType Basic, I'd expect the Mac to pop up a dialogue box with a request to authenticate against the CUPS server. Even with AuthType Negotiate above, the Mac can still print. Either I've configured it wrongly, or it's not fail-safe.

(It is necessary for there to be basic "Allow from" directives in the Location section, or else nothing can interact with the server, of course. The Mac OS X client's Safari browser correctly handles the Encryption Required as we'd expect.)

John A. Murdie
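
The outcome the quoted "Satisfy any" Limit is meant to produce, written as a small decision model that can be compared against what a client actually gets. This is an added example, not part of the original mail and not cupsd's own code; the 10.0.x networks are constructed stand-ins for the 'trusted' and 'untrusted' placeholders, and the function names are hypothetical.

```python
import ipaddress

# Constructed stand-in network for the "trusted" placeholder in the mail.
LIMIT = """\
Order allow,deny
Allow from 10.0.0.0/255.255.254.0
Require user @OWNER @SYSTEM
AuthType Basic
Satisfy any
"""

def parse_limit(text):
    """Collect the directives of one <Limit> body into a dict."""
    # Fallbacks for a missing Order or Satisfy line are this model's assumption.
    cfg = {"order": "allow,deny", "allow": [], "deny": [],
           "require": False, "satisfy": "all"}
    for words in (line.split() for line in text.splitlines()):
        if not words:
            continue
        key = words[0].lower()
        if key in ("order", "satisfy"):
            cfg[key] = words[1].lower()
        elif key in ("allow", "deny"):   # "Allow from <network>"
            cfg[key].append(ipaddress.ip_network(words[-1], strict=False))
        elif key == "require":
            cfg["require"] = True
    return cfg

def host_ok(cfg, client):
    """Apply Order/Allow/Deny to the client address."""
    addr = ipaddress.ip_address(client)
    allowed = any(addr in net for net in cfg["allow"])
    denied = any(addr in net for net in cfg["deny"])
    if cfg["order"] == "allow,deny":     # denied by default
        return allowed and not denied
    return allowed or not denied         # deny,allow: allowed by default

def decide(cfg, client, authenticated):
    """Return 'allow', 'auth-required' or 'deny' for one request."""
    host = host_ok(cfg, client)
    if not cfg["require"]:
        return "allow" if host else "deny"
    if cfg["satisfy"] == "any":          # address OR credentials suffice
        return "allow" if host or authenticated else "auth-required"
    if not host:                         # Satisfy all: both are needed
        return "deny"
    return "allow" if authenticated else "auth-required"
```

In this model a request from 10.0.2.7 without credentials yields 'auth-required', while 10.0.1.5 is allowed without any; an untrusted client that prints unauthenticated is therefore not matching this Limit's expected behaviour.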





