[cups] Authentication for thee but not for me

Sat Mar 19 14:37:53 PDT 2016

I have done a bit of research.

The command PaperCut is using to move print jobs is:

   lp -d "%printer%" -h "%server%" -t "%docname%" -U "%username%" -o raw 
"%spoolfile%"

but I can change it to whatever I want.

The error messages I am getting when PaperCut attempts to move a print job are:

   Unable to encrypt connection from localhost - A record packet with illegal 
version was received.

Since I am using "SSLPort 631" instead of "Port 631" in cupsd.conf I think _all_ 
connections to port 631 will require SSL.

A relevant section of cupsd.conf is:

   <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs 
Set-Job-Attributes Create-Job-Subscription Renew-Subscription 
Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job 
Suspend-Current-Job Resume-Job CUPS-Move-Job>
     AuthType Basic
     Encryption Required
     Order deny,allow
   </Limit>

If this were an Apache httpd.conf, I could use

     <If "%{REMOTE_ADDR} != '127.0.0.1'">
       AuthType Basic
       Encryption Required
       Order deny,allow
     </If>

However the "If" directive is not found in the list of cupsd.conf directives.

I'm beginning to think we will not be able to make this work, in which case we 
will have to switch everything to Windows.

Yuck!

-Rick

On 3/16/16 6:22 PM, Rick Cochran wrote:
> Hi,
>
> The PaperCut "Print Provider" (the part of PaperCut which runs on print servers)
> sometimes needs to execute CUPS commands to move print jobs from one queue to
> another.
>
> We have cupsd.conf configured to require SSL-encrypted IPP Basic Authentication
> for print job submission. I am wondering if it is possible to also allow
> unauthenticated (at least by IPPS) actions by processes running on the CUPS server.
>
> If so, I'm wondering what that would look like in cupsd.conf.
>
> Thanks,
> -Rick