[cups.general] CUPS and Kerberos Question

[Michael R Sweet]

Justin Funk wrote:
> I had a question regarding the documentation for implementing CUPS and 
> Kerberos.
> 
> The section titled "Implementation Information" says that CUPS 
> implements Kerberos over the service ipp. Does that mean I can only use 
> Kerberos when I have a printer connected through the ipp protocol? Or am 
> I able to use Kerberos Authentication on a printer that is connected via 
> the socket protocol?

For forwarded jobs, Kerberos currently only works for IPP and SMB
connected printers.

Shared printers can use Kerberos for the job spooling and the
socket "protocol" to send the data to the printer, just as you can
connect the printer to a USB port or use any other network protocol
to get the formatted print data on paper.

That said, putting printers on a public network can allow users to
bypass any authentication or access control you want to implement
via Kerberos.  Some printers support IP-based ACLs, allowing you to
restrict printing to one or more trusted computers, however these
ACLs can be spoofed quite easily.  A more secure configuration uses
direct connections via parallel and USB ports, or a separate
"private" network that is only accessible to the server(s).  Just
remember that your physical security will almost certainly be the
weak point - users can always walk up to printers and directly
connect a laptop to print... :(

-- 
______________________________________________________________________
Michael R Sweet                        Senior Printing System Engineer