Beginner's problem with authentication policy in 1.3.0
John A. Murdie
john at cs.york.ac.uk
Fri Sep 21 08:06:30 PDT 2007
> John A. Murdie wrote:
> > ...
> > I've not seen an illustration anywhere of what this looks like to
> > the user of one of these untrusted clients - for instance in the
> > GUI of a Mac OS X client.
>
> Kerberized printing is not supported on Mac OS X 10.4.x.
(Sorry, of course; it still has CUPS 1.1.something.)
> > I obtained a MacBook with OS X 10.4.10 (and fully up-to-date with
> > software updates) to try this out. I decided to try an initial
> > Location directive which Allow-s all the subnets in use, and then
> > to have two Limit-s in the default Policy, one for the trusted
> > subnet and one for the untrusted subnet:
> >
> > <Limit Send-Document ...>
> > Allow from trusted
> > Order deny,allow
> > </Limit>
> >
> > <Limit Send-Document ...>
> > Allow from untrusted
> > Require user @OWNER @SYSTEM
> > Order deny,allow
> > </Limit>
>
> You really want to use:
>
> <Limit Send-Document ...>
> Order allow,deny
> Allow from trusted
> Require user @OWNER @SYSTEM
> AuthType Default
> Satisfy any
> </Limit>
>
> The "Satisfy any" part tells CUPS to only require authentication on
> the untrusted hosts/networks.
>
> In CUPS 1.2, the "AuthType Default" would need to be "AuthType Basic",
> "AuthType Digest", or "AuthType BasicDigest".
>
> And like I said, you can't do Kerberized CUPS printing on Mac OS X
> 10.4.x - even if you did install CUPS 1.3 on it, there is no GUI
> support and the Kerberos is too old to support delegated credentials
> properly...
>
> --
> ______________________________________________________________________
> Michael R Sweet Senior Printing System Engineer
I would hope at least to be able to lock out the untrusted clients (on a separate subnet from the trusted clients) if they cannot authenticate by the required means. Unfortunately, I have been unable to do this. I have in cupsd.conf an initial Location directive:
<Location />
Order allow,deny
Allow from trusted/255.255.254.0
Allow from untrusted/255.255.254.0
Encryption Required
</Location>
('trusted' and 'untrusted' being the subnetwork address of the trusted and untrusted networks, respectively) which is followed by:
<Policy default>
<Limit Send-Document ...>
Order allow,deny
Allow from trusted
Require user @OWNER @SYSTEM
AuthType Basic
Satisfy any
</Limit>
yet this still permits the untrusted Mac OS X client to print (masquerading as any user known to the CUPS server). I've read "Managing Operations Policies" and understand that "operation policies can only add additional security restrictions to a request, never relax them" - but I'm adding them here.
With AuthType Basic, I'd expect the Mac to pop up a dialogue box with a request to authenticate against the CUPS server. Even with AuthType Negotiate above, the Mac can still print. Either I've configured it wrongly, or it's not fail-safe.
(It is necessary for there to be basic "Allow from" directives in the Location section, or else nothing can interact with the server, of course. The Mac OS X client's Safari browser correctly handles the Encryption Required as we'd expect.)
John A. Murdie
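
A simplified model of the Order / Allow / Require / Satisfy evaluation discussed in this thread, added here as an illustration; it is not cupsd's code and not from either poster. It shows what each Limit block is expected to return per client address and does not model the Location block or account for the behaviour reported above. Assumptions: the two subnets are constructed stand-ins for the 'trusted' and 'untrusted' placeholders, and `authorized` means the request carried credentials that match the Require line.

```python
import ipaddress

# Constructed subnets standing in for the thread's 'trusted' / 'untrusted' placeholders.
TRUSTED = ipaddress.ip_network("192.0.2.0/25")
UNTRUSTED = ipaddress.ip_network("192.0.2.128/25")


def host_ok(order, allow, deny, client):
    """Address check following the documented meaning of the Order directive."""
    ip = ipaddress.ip_address(client)
    in_allow = any(ip in net for net in allow)
    in_deny = any(ip in net for net in deny)
    if order == "allow,deny":   # deny by default; Allow lines, then Deny lines
        return in_allow and not in_deny
    if order == "deny,allow":   # allow by default; Deny lines, then Allow lines
        return in_allow or not in_deny
    raise ValueError("unknown Order value: " + order)


def decide(limit, client, authorized):
    """Return 'allow', 'auth-required' or 'forbidden' for one request."""
    host = host_ok(limit["order"], limit.get("allow", []), limit.get("deny", []), client)
    if "require" not in limit:          # address check is the only condition
        return "allow" if host else "forbidden"
    if limit["satisfy"] == "any":       # either condition is sufficient
        return "allow" if (host or authorized) else "auth-required"
    if not host:                        # 'all': both conditions must hold
        return "forbidden"
    return "allow" if authorized else "auth-required"


# First Limit from the original attempt: with 'Order deny,allow' and no Deny
# line, the default is allow, so the Allow line restricts nothing.
FIRST_ATTEMPT = {"order": "deny,allow", "allow": [TRUSTED]}

# The Limit suggested in the reply.
SUGGESTED = {"order": "allow,deny", "allow": [TRUSTED],
             "require": ["@OWNER", "@SYSTEM"], "satisfy": "any"}

if __name__ == "__main__":
    for name, limit in (("first attempt", FIRST_ATTEMPT), ("suggested", SUGGESTED)):
        for client in ("192.0.2.10", "192.0.2.200"):
            for authorized in (False, True):
                print(name, client, authorized, decide(limit, client, authorized))
```

If a test against the real server disagrees with the "suggested" rows, the difference lies outside this Limit block, for example in how the client is matched to a subnet or in which policy the queue actually uses.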