[cups.general] authentication issues
Michael Sweet
msweet at apple.com
Thu Sep 17 11:06:46 PDT 2009
On Sep 17, 2009, at 3:57 AM, Tomas Davidek wrote:
> ...
> I believe that this can be achieved with lppasswd and by setting AuthType to
> Digest or BasicDigest. Here is what I did:
> * introduced a user printadmin with lppasswd -a printadmin -g lp, made
> sure group lp is in /etc/group and /etc/shadow
> * set "SystemGroup lp" in /etc/cups/cupsd.conf, leaving the Require
> @SYSTEM directive there
> * set AuthType BasicDigest instead of AuthType Basic
> * /etc/init.d/cups restart
OK, you want to set the DefaultAuthType to BasicDigest; restarting
cups is unnecessary if you use the web interface or cupsctl utility,
e.g.:
cupsctl SystemGroup=lp DefaultAuthType=BasicDigest
If you try changing the AuthType directive, you'll have to do it in
several places...
> 1. what is the relation of the directives "SystemGroup something" and
> "Require @SYSTEM"? I also tried "SystemGroup lp" and "Require @SYSTEM @lp",
> but it does not seem to work either. Does the order in the Require directive
> matter? Also, do I need to introduce the username "printadmin" into
> /etc/passwd and/or /etc/shadow? Does CUPS look at /etc/group, /etc/passwd,
> /etc/shadow?
For BasicDigest, CUPS does not use any of the system-supplied user or
group sources.
> 2. what is the difference between Digest and BasicDigest methods? And
> how do they relate to the "Encryption Required" directive in
> cupsd.conf ?
Digest uses the HTTP Digest authentication method, which is not
universally supported in web browsers but doesn't need session-level
encryption since the password is never sent as cleartext. BasicDigest
uses HTTP Basic authentication which *is* universally supported but
*does* need session-level encryption because the password is sent as
cleartext.
"Encryption Required", which isn't strictly needed in CUPS 1.3 since
we use encryption over non-local connections whenever authenticating
(even for Digest), just forces all communications to be encrypted.
> 3. what about encryption? The Web page
> http://cups.org/documentation.php/doc-1.4/security.html suggests
> encryption should be used (does that refer to "Encryption Required" or
> to avoiding sending plain username/passwd over the network like in
> AuthType Basic?), but at the same time the page recommends "Do not depend
> on encryption for security when connecting to servers over the Internet
> or untrusted WAN links".
Right, basically some encryption is better than no encryption. The
warning is there because CUPS (specifically libcups) currently does
not support certificate verification or revocation, which leaves you
vulnerable to man-in-the-middle attacks, particularly on untrusted
networks. For web browser usage, all of the major browsers do the
right thing and will tell the user when a self-signed certificate for
a server changes.
In the grand scheme of things the threat is pretty low (somebody needs
to either hijack your IP or DNS server to get your client to send
requests to their server), and the highest when printing over multiple
links as is typical for Internet usage. If you have to worry about
this on an internal LAN you have bigger issues...
___________________________________________________
Michael Sweet, Senior Printing System Engineer
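The points in the reply above (Basic and BasicDigest send the password as cleartext and therefore need "Encryption Required", Digest does not, and "Require @SYSTEM" only means something once SystemGroup is set) can be turned into a small configuration audit. The script below is an added example, not code from CUPS or from either poster: it parses a constructed cupsd.conf fragment (the sample text, the parser and the audit function are all assumptions made here) and reports Location blocks whose AuthType resolves to a cleartext method without Encryption Required, plus @SYSTEM requirements with no SystemGroup defined.

```python
"""Audit a cupsd.conf fragment for the AuthType / Encryption / SystemGroup
combinations discussed in the thread. Added example; the sample config,
the minimal parser and the audit rules are constructed for illustration."""
import re
from dataclasses import dataclass, field

# Constructed sample cupsd.conf (not taken from a real server).
SAMPLE_CONF = """\
SystemGroup lp
DefaultAuthType Basic

<Location /admin>
  AuthType Default          # resolves to DefaultAuthType (Basic)
  Require user @SYSTEM
  Order allow,deny
  Allow localhost
</Location>

<Location /admin/conf>
  AuthType BasicDigest
  Encryption Required       # cleartext method, but TLS is forced
  Require user @SYSTEM
</Location>

<Location /jobs>
  AuthType Digest           # password never sent in the clear
  Require valid-user
</Location>
"""

# Methods that transmit the password itself (needs session-level encryption).
CLEARTEXT_AUTH = {"Basic", "BasicDigest"}


@dataclass
class Location:
    path: str
    directives: dict = field(default_factory=dict)


def parse_cupsd_conf(text):
    """Return (global_directives, [Location, ...]).

    Minimal parser for this example: strips '#' comments, reads top-level
    'Key value' lines and <Location path> ... </Location> blocks. Nested
    blocks other than Location are not handled."""
    global_directives = {}
    locations = []
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        match = re.match(r"<Location\s+(\S+)>", line)
        if match:
            current = Location(match.group(1))
            continue
        if line == "</Location>":
            locations.append(current)
            current = None
            continue
        parts = line.split(None, 1)
        value = parts[1].strip() if len(parts) > 1 else ""
        target = current.directives if current is not None else global_directives
        target[parts[0]] = value
    return global_directives, locations


def audit(text):
    """Return a list of human-readable findings for the given config text."""
    global_directives, locations = parse_cupsd_conf(text)
    # Assumption for this example: if DefaultAuthType is absent, treat it as
    # Basic, which is what the stock cupsd.conf ships with.
    default_auth = global_directives.get("DefaultAuthType", "Basic")
    findings = []
    for loc in locations:
        auth = loc.directives.get("AuthType", "None")
        if auth == "Default":
            auth = default_auth
        encryption = loc.directives.get("Encryption", "(not set)")
        if auth in CLEARTEXT_AUTH and encryption != "Required":
            findings.append(
                f"{loc.path}: AuthType {auth} sends the password in cleartext "
                f"but Encryption is {encryption}; add 'Encryption Required'"
            )
        require = loc.directives.get("Require", "")
        if "@SYSTEM" in require and "SystemGroup" not in global_directives:
            findings.append(
                f"{loc.path}: 'Require {require}' refers to @SYSTEM but no "
                f"SystemGroup is defined, so no user can satisfy it"
            )
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print(finding)
```

Run against the sample, only /admin is reported: its AuthType Default resolves to the global Basic and the block has no Encryption directive, while /admin/conf is cleartext but forced over TLS and /jobs uses Digest. The SystemGroup check fires only when a block requires @SYSTEM and the global directive is missing, which is the situation the first question in the thread was probing.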