[cups.general] authentication issues

Tomas Davidek davidek at ipnp.troja.mff.cuni.cz
Fri Sep 18 04:27:47 PDT 2009


Hi Michael,
   thanks a lot for the hints. So I set "DefaultAuthType BasicDigest", 
"Require user @lpadmin" and then ran "lppasswd -a admin -g lpadmin". But 
I still cannot authenticate to the system; looking at the error_log, I 
found a strange error message:

E [18/Sep/2009:13:00:58 +0200] Authorized using Basic, expected Digest!

This is surprising, since I believe I never have AuthType Basic anywhere 
in cupsd.conf (attached). Could anyone please point out what's wrong?

Yet another question - can one allow authentication for both the users 
listed in /etc/cups/passwd.md5 and root on the system 
simultaneously? Something like
--------
AuthType Basic
Require user @SYSTEM
AuthType BasicDigest
Require user @lpadmin
Satisfy any
---------

Best regards
               Tomas

ipnp21:/tmp# cat /etc/cups/passwd.md5
tisk21:lpadmin:843dcbbc8212893212318cbe9fa2ff23
admin:lpadmin:93bd4dfd9c132d5e67a26e4377daf506


--------------------------------------
From: Michael Sweet
Date: 11:06 Thu

On Sep 17, 2009, at 3:57 AM, Tomas Davidek wrote:
 > ...
 > I believe that this can be achieved by lppasswd and set AuthType to
 > Digest or BasicDigest. Here is what I did:
 > * introduced a user printadmin with lppasswd -a printadmin -g lp, made
 > sure group lp is in /etc/group and /etc/shadow
 > * set "SystemGroup lp" in /etc/cups/cupsd.conf, leaving the Require
 > @SYSTEM directive there
 > * set AuthType BasicDigest instead of AuthType Basic
 > * /etc/init.d/cups restart

OK, you want to set the DefaultAuthType to BasicDigest; restarting
cups is unnecessary if you use the web interface or cupsctl utility,
e.g.:

     cupsctl SystemGroup=lp DefaultAuthType=BasicDigest

If you try changing the AuthType directive, you'll have to do it in
several places...

 > 1. what is the relation of the directives "SystemGroup something" and
 > "Require @SYSTEM" ? I also tried
 > "SystemGroup lp" and "Require @SYSTEM @lp", but it does not seem to
 > work
 > either. Does the order in Require directive matter? Also, do I need to
 > introduce the username "printadmin" into /etc/passwd and/or /etc/
 > shadow?
 > Does CUPS look at /etc/group, /etc/passwd, /etc/shadow ?

For BasicDigest, CUPS does not use any of the system-supplied user or
group sources.

 > 2. what is the difference between Digest and BasicDigest methods? And
 > how do they relate to the "Encryption Required" directive in
 > cupsd.conf ?

Digest uses the HTTP Digest authentication method, which is not
universally supported in web browsers but doesn't need session-level
encryption since the password is never sent as cleartext. BasicDigest
uses HTTP Basic authentication which *is* universally supported but
*does* need session-level encryption because the password is sent as
cleartext.

"Encryption Required", which isn't strictly needed in CUPS 1.3 since
we use encryption over non-local connections whenever authenticating
(even for Digest), just forces all communications to be encrypted.

 > 3. what about encryption? The Web page
 > http://cups.org/documentation.php/doc-1.4/security.html suggests
 > encryption should be used (does that refer to "Encryption Required" or
 > to avoid sending plain username/passwd over the network like in
 > AuthType
 > Basic ?), but at the same time the page recommends "Do not depend on
 > encryption for security when connecting to servers over the Internet
 > or
 > untrusted WAN links".

Right, basically some encryption is better than no encryption. The
warning is there because CUPS (specifically libcups) currently does
not support certificate verification or revocation, which leaves you
vulnerable to man-in-the-middle attacks, particularly on untrusted
networks. For web browser usage, all of the major browsers do the
right thing and will tell the user when a self-signed certificate for
a server changes.

In the grand scheme of things the threat is pretty low (somebody needs
to either hijack your IP or DNS server to get your client to send
requests to their server), and the highest when printing over multiple
links as is typical for Internet usage.  If you have to worry about
this on an internal LAN you have bigger issues...

___________________________________________________
Michael Sweet, Senior Printing System Engineer

-- 
           Tomas

 E-mail : davidek at ipnp.troja.mff.cuni.cz,
	  Tomas.Davidek at cern.ch
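To make Michael's point above concrete (BasicDigest puts the cleartext password in the header and therefore needs TLS, while Digest only sends a hash that the server can check against the stored HA1), here is an added example that is not code from the post or from CUPS. It assumes lppasswd stores md5("user:CUPS:password") with the realm "CUPS", models "Require user @group" as a check on the group field of passwd.md5 (which Michael says is the only user/group source for BasicDigest), and uses a constructed entry rather than the hashes quoted above.

```python
import base64
import hashlib
import hmac
REALM = "CUPS"  # realm lppasswd hashes with (assumption, not stated on the page)
# Constructed sample of /etc/cups/passwd.md5 (not the post's entries):
# user:group:md5("user:CUPS:password"), i.e. the HTTP Digest HA1 value.
SAMPLE_PASSWD_MD5 = "printadmin:lpadmin:" + hashlib.md5(b"printadmin:CUPS:s3cret").hexdigest() + "\n"

def load_passwd_md5(text):
    """Parse passwd.md5 into {user: (group, ha1)}."""
    entries = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            user, group, ha1 = line.strip().split(":", 2)
            entries[user] = (group, ha1.lower())
    return entries

def ha1(user, password, realm=REALM):
    return hashlib.md5(f"{user}:{realm}:{password}".encode()).hexdigest()

def basic_header(user, password):
    """What a browser sends under BasicDigest: base64 is encoding, not encryption."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def check_basic(authorization, entries, required_group=None):
    """Server side of BasicDigest -> (user, password, ok). The cleartext password
    is visible to anyone who saw the header, hence the TLS requirement."""
    scheme, _, blob = authorization.partition(" ")
    if scheme != "Basic":
        return None, None, False
    user, _, password = base64.b64decode(blob).decode().partition(":")
    rec = entries.get(user)
    ok = rec is not None and hmac.compare_digest(ha1(user, password), rec[1])
    if ok and required_group is not None:  # the "Require user @group" part
        ok = rec[0] == required_group
    return user, password, ok

def digest_response(user, password, method, uri, nonce):
    """Client side of HTTP Digest (RFC 2617, no qop): only a hash crosses the wire."""
    ha2 = hashlib.md5(f"{method}:{uri}".encode()).hexdigest()
    return hashlib.md5(f"{ha1(user, password)}:{nonce}:{ha2}".encode()).hexdigest()

def check_digest(user, method, uri, nonce, response, entries):
    """Server side: the stored HA1 suffices; the password itself is never needed."""
    rec = entries.get(user)
    if rec is None:
        return False
    ha2 = hashlib.md5(f"{method}:{uri}".encode()).hexdigest()
    expected = hashlib.md5(f"{rec[1]}:{nonce}:{ha2}".encode()).hexdigest()
    return hmac.compare_digest(expected, response)
```

Running check_basic on a captured header returns the password itself, which is exactly what "Encryption Required" (or CUPS's automatic TLS on non-local authenticated connections) is there to protect; check_digest never learns it.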

Attachment: cupsd.conf
URL: <https://lists.cups.org/pipermail/cups/attachments/20090918/68ebf83c/attachment-0001.ksh>