[cups.general] authentication issues

Michael Sweet msweet at apple.com
Thu Sep 17 11:06:46 PDT 2009


On Sep 17, 2009, at 3:57 AM, Tomas Davidek wrote:
> ...
> I believe that this can be achieved by lppasswd and set AuthType to Digest or BasicDigest. Here is what I did:
> * introduced a user printadmin with lppasswd -a printadmin -g lp, made sure group lp is in /etc/group and /etc/shadow
> * set "SystemGroup lp" in /etc/cups/cupsd.conf, leaving the Require @SYSTEM directive there
> * set AuthType BasicDigest instead of AuthType Basic
> * /etc/init.d/cups restart

OK, you want to set the DefaultAuthType to BasicDigest; restarting cups is unnecessary if you use the web interface or cupsctl utility, e.g.:

     cupsctl SystemGroup=lp DefaultAuthType=BasicDigest

If you try changing the AuthType directive, you'll have to do it in several places...

> 1. what is the relation of the directives "SystemGroup something" and "Require @SYSTEM"? I also tried "SystemGroup lp" and "Require @SYSTEM @lp", but it does not seem to work either. Does the order in the Require directive matter? Also, do I need to introduce the username "printadmin" into /etc/passwd and/or /etc/shadow? Does CUPS look at /etc/group, /etc/passwd, /etc/shadow?

For BasicDigest, CUPS does not use any of the system-supplied user or group sources.

> 2. what is the difference between Digest and BasicDigest methods? And how do they relate to the "Encryption Required" directive in cupsd.conf?

Digest uses the HTTP Digest authentication method, which is not universally supported in web browsers but doesn't need session-level encryption since the password is never sent as cleartext. BasicDigest uses HTTP Basic authentication which *is* universally supported but *does* need session-level encryption because the password is sent as cleartext.

"Encryption Required", which isn't strictly needed in CUPS 1.3 since we use encryption over non-local connections whenever authenticating (even for Digest), just forces all communications to be encrypted.

> 3. what about encryption? The Web page http://cups.org/documentation.php/doc-1.4/security.html suggests encryption should be used (does that refer to "Encryption Required" or to avoid sending plain username/passwd over the network like in AuthType Basic?), but at the same time the page recommends "Do not depend on encryption for security when connecting to servers over the Internet or untrusted WAN links".

Right, basically some encryption is better than no encryption. The warning is there because CUPS (specifically libcups) currently does not support certificate verification or revocation, which leaves you vulnerable to man-in-the-middle attacks, particularly on untrusted networks. For web browser usage, all of the major browsers do the right thing and will tell the user when a self-signed certificate for a server changes.

In the grand scheme of things the threat is pretty low (somebody needs to either hijack your IP or DNS server to get your client to send requests to their server), and the highest when printing over multiple links as is typical for Internet usage. If you have to worry about this on an internal LAN you have bigger issues...

___________________________________________________
Michael Sweet, Senior Printing System Engineer
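An added example, not from the post or the CUPS project, that audits a cupsd.conf for the two points raised in the thread: a Basic or BasicDigest AuthType in a Location that does not enforce "Encryption Required" (so the cleartext password depends on the session being encrypted), and system groups listed in Require next to BasicDigest, which only consults the lppasswd database. The sample configuration, the `Default` AuthType value and the defaults assumed for unset directives are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample cupsd.conf fragment (not taken from the post).
SAMPLE_CONF = """\
SystemGroup lp
DefaultAuthType BasicDigest
<Location /admin>
  AuthType Default          # assumption: Default means "use DefaultAuthType"
  Require user @SYSTEM @lp
  Order allow,deny
</Location>
<Location /admin/conf>
  AuthType Basic
  Require user @SYSTEM
  Encryption Required
</Location>
"""

def parse_cupsd_conf(text):
    """Return (global directives, {location path: directives}); values are token lists."""
    global_directives, locations = {}, defaultdict(dict)
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        start = re.match(r"<Location\s+(\S+)>", line, re.I)
        if start:
            current = start.group(1)
            continue
        if line.lower() == "</location>":
            current = None
            continue
        key, *value = line.split()
        (locations[current] if current else global_directives)[key] = value
    return global_directives, dict(locations)

def audit(text):
    """List the weak auth/encryption combinations found in a cupsd.conf text."""
    g, locs = parse_cupsd_conf(text)
    findings = []
    default_auth = g.get("DefaultAuthType", ["Basic"])[0]    # assumed default
    for path, d in locs.items():
        auth = d.get("AuthType", ["Default"])[0]
        auth = default_auth if auth == "Default" else auth
        enc = d.get("Encryption", ["IfRequested"])[0]          # assumed default
        if auth in ("Basic", "BasicDigest") and enc not in ("Required", "Always"):
            findings.append(f"{path}: {auth} sends the password in cleartext on "
                            f"unencrypted sessions; add 'Encryption Required'")
        groups = [t for t in d.get("Require", []) if t.startswith("@") and t != "@SYSTEM"]
        if auth == "BasicDigest" and groups:
            findings.append(f"{path}: BasicDigest ignores system groups {groups}; "
                            f"use @SYSTEM and set SystemGroup")
        if "@SYSTEM" in d.get("Require", []) and "SystemGroup" not in g:
            findings.append(f"{path}: Require @SYSTEM but SystemGroup is not set")
    return findings
```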