[cups.general] authentication issues
Tomas Davidek
davidek at ipnp.troja.mff.cuni.cz
Thu Sep 17 04:24:40 PDT 2009
Hello,
I have a few questions regarding the authentication in CUPS. I am running
Debian stable (5.0.3) and CUPS 1.3.8.
The problem is that I want to set up a username/passwd that other people
can use for printer administration on the given server and I don't want
to give them root password on that server for obvious reasons.
I believe that this can be achieved by lppasswd and set AuthType to
Digest or BasicDigest. Here is what I did:
* introduced a user printadmin with lppasswd -a printadmin -g lp, made
sure group lp is in /etc/group and /etc/shadow
* set "SystemGroup lp" in /etc/cups/cupsd.conf, leaving the Require
@SYSTEM directive there
* set AuthType BasicDigest instead of AuthType Basic
* /etc/init.d/cups restart
Well, it does not work. When using http://localhost:631, I am asked for
the username/passwd, but only the root and its password work as before.
Seems like /etc/cups/passwd.md5 is not taken into account. When using
http://machinename:631 (still from the local machine), any time I access
the restricted area I immediately get connection forbidden.
Anyway, let's make it work first from localhost. Can someone please
provide some hints on the procedure described above and answer the
following questions?
1. What is the relation of the directives "SystemGroup something" and
"Require @SYSTEM"? I also tried "SystemGroup lp" and
"Require @SYSTEM @lp", but it does not seem to work either. Does the
order in the Require directive matter? Also, do I need to introduce the
username "printadmin" into /etc/passwd and/or /etc/shadow?
Does CUPS look at /etc/group, /etc/passwd, /etc/shadow?
2. What is the difference between Digest and BasicDigest methods? And
how do they relate to the "Encryption Required" directive in cupsd.conf?
3. What about encryption? The Web page
http://cups.org/documentation.php/doc-1.4/security.html suggests
encryption should be used (does that refer to "Encryption Required" or
to avoid sending plain username/passwd over the network like in AuthType
Basic?), but at the same time the page recommends "Do not depend on
encryption for security when connecting to servers over the Internet or
untrusted WAN links".
Thanks a lot for any hint,
best regards
Tomas
E-mail : davidek at ipnp.troja.mff.cuni.cz,
Tomas.Davidek at cern.ch