[cups.general] Need encryption help & proposals for documentation

Michael R Sweet msweet at apple.com
Mon Jul 6 19:35:09 PDT 2009 

David H wrote:
> ...
> I want to criticize, that in the CUPS documentation, section "Using
> Network Printers", the SMB protocol isn't mentioned at all and the
> issue of authentication to a printserver isn't covered. It took me
> hours to find out, that I have to write
> scheme://username:password@server/printername (for example, scheme
> can be smb) to authenticate to a Windows printer (via samba) with a
> username and password, and I did NOT find this information in the
> CUPS documentation.

First, we avoid documenting OS- or software-specific stuff in the
CUPS online help, if for no other reason that we can't keep up with
all of the changes that happen (and not just in that software - every
Linux distro has its own patches, too...)  The SMB backend is provided
as part of the (separate) Samba software and its usage varies slightly
depending on the version of Samba you have installed.

Second, putting a username and password in the URI is not recommended,
and since CUPS 1.3 we have a proxy authentication mechanism that works
with both Mac OS X and Linux as long as you are using Tim's printer
status monitor applet.

Third, the username:password stuff is a standard part of every network
URI defined by the IETF.

Finally, CUPS allows third-party packages to add their own help to the
CUPS web interface - thus, Samba could install an SMB help file in
/usr/share/doc/cups/help and have it show up automagically.

So, you can expect that we will continue to not document the SMB
scheme or how to put a username and password in an SMB URI.  I
encourage you to file a bug against Samba (directly or via your Linux
distro of choice) to get this added.

> Now that I know how to authenticate to the Windows printer server via
> samba, the question arises how to authenticate in a _secure_ way as
> sometimes I have to authenticate over the internet. Is encryption
> secure enough?

Depends on who you ask and what your actual requirements are, but for
most things the answer is "yes".

> How do I encrypt the data send to the Windows
> printerserver?

Current Windows authentication information is not sent as clear-text
(hasn't been for at least 10 years now).

 > After a few more hours of wearisome searching, I found
> that there are Encryption and DefaultEncryption directives in
> client.conf (which I don't have) and cupsd.conf. Which one do I have
> to use to encrypt the data? client.conf or cupsd.conf? Or none of
> both?

Neither - Samba uses its own configuration file (smb.conf), and I'm
not sure there is a way to force encryption for non-AD (Kerberos)
sessions.  Best to ask this on the samba-user list (see samba.org for
subscription information...)

> The CUPS documentation surely isn't very detailed and one easily can
> get confused and therefore not made for beginners and people who want
> to know how things work.

Even worse when you read the documentation for the wrong software...

-- 
______________________________________________________________________
Michael R Sweet                        Senior Printing System Engineer

More information about the cups mailing list