[cups.general] authentication issues

Michael Sweet msweet at apple.com
Fri Sep 18 08:28:18 PDT 2009


On Sep 18, 2009, at 4:27 AM, Tomas Davidek wrote:
> Hi Michael,
>  thanks a lot for the hints. So I set "DefaultAuthType BasicDigest",  
> "Require user @lpadmin" and then run "lppasswd -a admin -g lpadmin".  
> But I still cannot authenticate to the system, looking at the  
> error_log I found a strange error message:
>
> E [18/Sep/2009:13:00:58 +0200] Authorized using Basic, expected  
> Digest!

That sounds like a bug in CUPS - can you file a report at:

     http://www.cups.org/str.php

so we can track this?  My guess is that we are incorrectly flagging  
the authentication as Digest because we are consulting passwd.md5,  
when in fact we should be marking as BasicDigest or Digest based on  
the provided credentials instead.

> This is surprising, since I believe I never have AuthType Basic  
> anywhere in cupsd.conf (attached). Could anyone please point out  
> what's wrong?
>
> Yet another question - can one allow for authentication both users  
> listed in /etc/cups/passwd.md5 and the root on the system  
> simultaneously? Something like
> --------
> AuthType Basic
> Require user @SYSTEM
> AuthType BasicDigest
> Require user @lpadmin
> Satisfy any
> ---------

No, not at this time.  You can file a feature request for this, but it  
might be easier to just create/add to a group and use that instead,  
with a dummy (no login) account if you still need to offer a generic  
user/password on the server.

>
> Best regards
>              Tomas
>
> ipnp21:/tmp# cat /etc/cups/passwd.md5
> tisk21:lpadmin:843dcbbc8212893212318cbe9fa2ff23
> admin:lpadmin:93bd4dfd9c132d5e67a26e4377daf506
>
>
> --------------------------------------
> From: Michael Sweet
> Date: 11:06 Thu
>
> On Sep 17, 2009, at 3:57 AM, Tomas Davidek wrote:
> > ...
> > I believe that this can be achieved by lppasswd and set AuthType to
> > Digest or BasicDigest. Here is what I did:
> > * introduced a user printadmin with lppasswd -a printadmin -g lp, made
> > sure group lp is in /etc/group and /etc/shadow
> > * set "SystemGroup lp" in /etc/cups/cupsd.conf, leaving the Require
> > @SYSTEM directive there
> > * set AuthType BasicDigest instead of AuthType Basic
> > * /etc/init.d/cups restart
>
> OK, you want to set the DefaultAuthType to BasicDigest; restarting
> cups is unnecessary if you use the web interface or cupsctl utility,
> e.g.:
>
>    cupsctl SystemGroup=lp DefaultAuthType=BasicDigest
>
> If you try changing the AuthType directive, you'll have to do it in
> several places...
>
> > 1. what is the relation of the directives "SystemGroup something" and
> > "Require @SYSTEM" ? I also tried
> > "SystemGroup lp" and "Require @SYSTEM @lp", but it does not seem to work
> > either. Does the order in Require directive matter? Also, do I need to
> > introduce the username "printadmin" into /etc/passwd and/or /etc/shadow?
> > Does CUPS look at /etc/group, /etc/passwd, /etc/shadow ?
>
> For BasicDigest, CUPS does not use any of the system-supplied user or
> group sources.
>
> > 2. what is the difference between Digest and BasicDigest methods? And
> > how do they relate to the "Encryption Required" directive in
> > cupsd.conf ?
>
> Digest uses the HTTP Digest authentication method, which is not
> universally supported in web browsers but doesn't need session-level
> encryption since the password is never sent as cleartext. BasicDigest
> uses HTTP Basic authentication which *is* universally supported but
> *does* need session-level encryption because the password is sent as
> cleartext.
>
> "Encryption Required", which isn't strictly needed in CUPS 1.3 since
> we use encryption over non-local connections whenever authenticating
> (even for Digest), just forces all communications to be encrypted.
>
> > 3. what about encryption? The Web page
> > http://cups.org/documentation.php/doc-1.4/security.html suggests
> > encryption should be used (does that refer to "Encryption Required" or
> > to avoid sending plain username/passwd over the network like in AuthType
> > Basic ?), but at the same time the page recommends "Do not depend on
> > encryption for security when connecting to servers over the Internet or
> > untrusted WAN links".
>
> Right, basically some encryption is better than no encryption. The
> warning is there because CUPS (specifically libcups) currently does
> not support certificate verification or revocation, which leaves you
> vulnerable to man-in-the-middle attacks, particularly on untrusted
> networks. For web browser usage, all of the major browsers do the
> right thing and will tell the user when a self-signed certificate for
> a server changes.
>
> In the grand scheme of things the threat is pretty low (somebody needs
> to either hijack your IP or DNS server to get your client to send
> requests to their server), and the highest when printing over multiple
> links as is typical for Internet usage.  If you have to worry about
> this on an internal LAN you have bigger issues...
>
> ___________________________________________________
> Michael Sweet, Senior Printing System Engineer
>
> -- 
>          Tomas
>
> E-mail : davidek at ipnp.troja.mff.cuni.cz,
> 	  Tomas.Davidek at cern.ch
>
> #
> #
> #   Sample configuration file for the Common UNIX Printing System (CUPS)
> #   scheduler.  See "man cupsd.conf" for a complete description of this
> #   file.
> #
>
> # Log general information in error_log - change "info" to "debug" for
> # troubleshooting...
> LogLevel debug
>
> # Administrator user group...
> SystemGroup lpadmin
>
>
> # Only listen for connections from the local machine.
> #Listen localhost:631
> Listen *:631
> Listen /var/run/cups/cups.sock
>
> # Show shared printers on the local network.
> Browsing On
> BrowseOrder allow,deny
> BrowseAllow all
>
> # Default authentication type, when authentication is required...
> #DefaultAuthType Basic
> DefaultAuthType Digest
>
> # Restrict access to the server...
> <Location />
> # Change TD:
> #  Order allow,deny
>  Order deny,allow
>  Deny from All
>  Allow from localhost
>  Allow from 195.113.22.161
> </Location>
>
> # Restrict access to the admin pages...
> <Location /admin>
> # Change TD:
> #  Order allow,deny
>  Order deny,allow
>  Deny from All
>  Allow from localhost
>  Allow from 195.113.22.161
>  Allow from 195.113.22.150
> </Location>
>
> # Restrict access to configuration files...
> <Location /admin/conf>
>  AuthType Default
> #  Require user @SYSTEM
>  Require user @lpadmin
> # Change TD:
> #  Order allow,deny
>  Order deny,allow
>  Deny From All
>  Allow from localhost
>  Allow from 195.113.22.161
>  Allow from 195.113.22.150
> </Location>
>
> <Location /jobs>
> #  AuthType Basic
> #  AuthClass User
>  AuthType Default
>  Require user @lpadmin
>  Order Deny,Allow
>  Deny From All
>  Allow From 195.113.22.128/255.255.255.128
> </Location>
> <Location /printers>
>  AuthType None
>  Order Deny,Allow
>  Deny From All
>  Allow From 195.113.22.128/255.255.255.128
> </Location>
> 		
>
> # Set the default printer/job policies...
> <Policy default>
>  # Job-related operations must be done by the owner or an administrator...
>  <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job CUPS-Move-Job>
> #    AuthType Basic
> #    Require user @OWNER @SYSTEM
>    AuthType Default
>    Require user @lpadmin
>    Order deny,allow
>    Deny From All
>    Allow From 195.113.22.128/255.255.255.128
>  </Limit>
>
>  # All administration operations require an administrator to authenticate...
>  <Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default>
>    AuthType Default
> #    Require user @SYSTEM
>    Require user @lpadmin
>    Order deny,allow
>    Deny From All
>    Allow from localhost
>    Allow from 195.113.22.150
>    Allow from 195.113.22.161
>  </Limit>
>
>  # All printer operations require a printer operator to authenticate...
>  <Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After CUPS-Accept-Jobs CUPS-Reject-Jobs>
>    AuthType Default
> #    Require user @SYSTEM
>    Require user @lpadmin
>    Order deny,allow
>    Deny From All
>    Allow from localhost
>    Allow from 195.113.22.150
>    Allow from 195.113.22.161
>  </Limit>
>
>  # Only the owner or an administrator can cancel or authenticate a job...
>  <Limit Cancel-Job CUPS-Authenticate-Job>
> #    AuthType Basic
> #    Require user @OWNER @SYSTEM
>    AuthType Default
>    Require user @lpadmin
>    Order deny,allow
>    Deny From All
>    Allow From 195.113.22.128/255.255.255.128
>    Allow from localhost
>  </Limit>
>
>  <Limit All>
>    Order deny,allow
>    Deny From All
>    Allow from localhost
>  </Limit>
> </Policy>
>
> #
> #
> _______________________________________________
> cups mailing list
> cups at easysw.com
> http://lists.easysw.com/mailman/listinfo/cups

___________________________________________________
Michael Sweet, Senior Printing System Engineer
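Added example, not from this thread and not code from the CUPS project: a small Python model of the two checks cupsd can run against /etc/cups/passwd.md5 that the replies above contrast. The BasicDigest path receives cleartext Basic credentials (base64 is encoding, not encryption), re-hashes them and compares with the stored value; the Digest path (RFC 2617) only ever sees a response derived from the stored hash, the nonce, method and URI, so the password itself never crosses the wire. It assumes lppasswd stores MD5("user:CUPS:password") as the hash, i.e. the RFC 2617 HA1 with realm "CUPS" (check this against the lppasswd on your system); the sample passwords, nonce and passwd.md5 contents are constructed, and the parse/check function names are mine.

```python
"""Model of BasicDigest vs Digest checks against a constructed passwd.md5.

Assumptions (not taken from the thread or the CUPS sources):
  * lppasswd writes one "user:group:hash" line per account where hash is
    MD5("user:CUPS:password") in hex, i.e. RFC 2617 HA1 with realm "CUPS".
  * SAMPLE_PASSWORDS, the nonce and the file contents below are made up.
"""
import base64
import hashlib
import hmac
import re

REALM = "CUPS"                       # assumed realm used for passwd.md5 hashes
SAMPLE_PASSWORDS = {"admin": "s3cret-admin", "tisk21": "printer-pw"}  # constructed


def cups_md5(user: str, password: str, realm: str = REALM) -> str:
    """RFC 2617 HA1: MD5(user:realm:password), lower-case hex."""
    return hashlib.md5(f"{user}:{realm}:{password}".encode()).hexdigest()


def make_passwd_md5(passwords: dict, group: str = "lpadmin") -> str:
    """Build a constructed passwd.md5 with the same shape as the one in the thread."""
    return "".join(f"{u}:{group}:{cups_md5(u, p)}\n" for u, p in passwords.items())


def parse_passwd_md5(text: str) -> dict:
    """Return {user: (group, ha1)}; blank lines and '#' comments are skipped."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, group, ha1 = line.split(":", 2)
        entries[user] = (group, ha1.lower())
    return entries


def check_basic(authorization: str, entries: dict, required_group: str) -> bool:
    """BasicDigest: cleartext password arrives, server re-hashes and compares."""
    scheme, _, b64 = authorization.partition(" ")
    if scheme != "Basic":
        return False
    try:
        user, _, password = base64.b64decode(b64).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return False
    rec = entries.get(user)
    if rec is None or rec[0] != required_group:   # models "Require user @lpadmin"
        return False
    return hmac.compare_digest(rec[1].encode(), cups_md5(user, password).encode())


def digest_response(ha1: str, method: str, uri: str, nonce: str) -> str:
    """RFC 2617 response without qop: MD5(HA1:nonce:HA2), HA2 = MD5(method:uri)."""
    ha2 = hashlib.md5(f"{method}:{uri}".encode()).hexdigest()
    return hashlib.md5(f"{ha1}:{nonce}:{ha2}".encode()).hexdigest()


def parse_digest_header(authorization: str) -> dict:
    """Extract key="value" pairs from an 'Authorization: Digest ...' value."""
    scheme, _, params = authorization.partition(" ")
    if scheme != "Digest":
        return {}
    return dict(re.findall(r'(\w+)="([^"]*)"', params))


def check_digest(authorization: str, entries: dict, required_group: str,
                 method: str, nonce: str) -> bool:
    """Digest: the client proves knowledge of HA1; the stored hash suffices
    server-side and the response is bound to nonce, method and URI."""
    p = parse_digest_header(authorization)
    rec = entries.get(p.get("username", ""))
    if rec is None or rec[0] != required_group or p.get("realm") != REALM:
        return False
    if p.get("nonce") != nonce:          # must be the nonce this server issued
        return False
    expected = digest_response(rec[1], method, p.get("uri", ""), nonce)
    return hmac.compare_digest(expected.encode(), p.get("response", "").encode())


def client_basic_header(user: str, password: str) -> str:
    """What a Basic client sends: the password, merely base64-encoded."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def client_digest_header(user: str, password: str, method: str, uri: str, nonce: str) -> str:
    """What a Digest client sends: only HA1-derived material, never the password."""
    resp = digest_response(cups_md5(user, password), method, uri, nonce)
    return (f'Digest username="{user}", realm="{REALM}", nonce="{nonce}", '
            f'uri="{uri}", response="{resp}"')


if __name__ == "__main__":
    db = parse_passwd_md5(make_passwd_md5(SAMPLE_PASSWORDS))
    nonce = "0123456789abcdef"           # constructed; cupsd issues its own
    print("basic ok:", check_basic(client_basic_header("admin", "s3cret-admin"), db, "lpadmin"))
    hdr = client_digest_header("admin", "s3cret-admin", "GET", "/admin/", nonce)
    print("digest ok:", check_digest(hdr, db, "lpadmin", "GET", nonce))
    print("password in digest header:", "s3cret-admin" in hdr)
```

Two things the model makes visible. First, both paths succeed from the same stored hash, but only the Basic one puts the password on the wire, which is exactly why the reply says BasicDigest needs session-level encryption while Digest does not. Second, because client_digest_header needs nothing but cups_md5(user, password), the stored HA1 is itself a password-equivalent for Digest and is only keyed by username and realm, so a leaked passwd.md5 is both directly usable against the server and cheap to guess offline; keep the file readable only by root and the cupsd group, and treat "Require user @lpadmin" as depending on the group column of that file rather than on /etc/group when BasicDigest is in use.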