[cups] Authentication for thee but not for me

Rick Cochran rcc2 at cornell.edu
Sun Mar 20 15:42:44 PDT 2016


OK. I have done some more research. It seems likely that I will be unable to use 
SSL encryption for job submission and NOT use SSL encryption for job submission 
at the same time. Duh.

So I am adding "-E" to the "lp" command.

I have attached the full command, the error message it returns, the error_log 
entries produced, and my cupsd.conf.

BTW, adding "-o encryption=always" produces the same result.

Help would be appreciated.

-Rick


On 3/19/16 5:37 PM, Rick Cochran wrote:
> I have done a bit of research.
>
> The command PaperCut is using to move print jobs is:
>
>    lp -d "%printer%" -h "%server%" -t "%docname%" -U "%username%" -o raw
> "%spoolfile%"
>
> but I can change it to whatever I want.
>
> The error messages I am getting when PaperCut attempts to move a print job are:
>
>    Unable to encrypt connection from localhost - A record packet with illegal
> version was received.
>
> Since I am using "SSLPort 631" instead of "Port 631" in cupsd.conf I think _all_
> connections to port 631 will require SSL.
>
> A relevant section of cupsd.conf is:
>
>    <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs
> Set-Job-Attributes Create-Job-Subscription Renew-Subscription
> Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job
> Suspend-Current-Job Resume-Job CUPS-Move-Job>
>      AuthType Basic
>      Encryption Required
>      Order deny,allow
>    </Limit>
>
> If this were an Apache httpd.conf, I could use
>
>      <If "%{REMOTE_ADDR} != '127.0.0.1'">
>        AuthType Basic
>        Encryption Required
>        Order deny,allow
>      </If>
>
> However the "If" directive is not found in the list of cupsd.conf directives.
>
> I'm beginning to think we will not be able to make this work, in which case we
> will have to switch everything to Windows.
>
> Yuck!
>
> -Rick
>
>
> On 3/16/16 6:22 PM, Rick Cochran wrote:
>> Hi,
>>
>> The PaperCut "Print Provider" (the part of PaperCut which runs on print servers)
>> sometimes needs to execute CUPS commands to move print jobs from one queue to
>> another.
>>
>> We have cupsd.conf configured to require SSL-encrypted IPP Basic Authentication
>> for print job submission. I am wondering if it is possible to also allow
>> unauthenticated (at least by IPPS) actions by processes running on the CUPS
>> server.
>>
>> If so, I'm wondering what that would look like in cupsd.conf.
>>
>> Thanks,
>> -Rick
-------------- next part --------------
net-printpc-cups> lp -d anselpc -h localhost:631 -t test.ps -U rcc2 -E -o raw /mnt/cit-netprint/Net-Print/test/test.ps
lp: Connection reset by peer



D [20/Mar/2016:18:33:29 -0400] cupsdAcceptClient: skipping getpeercon()
D [20/Mar/2016:18:33:29 -0400] cupsdAcceptClient: 12 from localhost (Domain)
D [20/Mar/2016:18:33:29 -0400] cupsdReadClient: 12 POST / HTTP/1.1
D [20/Mar/2016:18:33:29 -0400] cupsdSetBusyState: Active clients
D [20/Mar/2016:18:33:29 -0400] cupsdAuthorize: No authentication data provided.
D [20/Mar/2016:18:33:29 -0400] cupsdReadClient: 12 1.1 Get-Printer-Attributes 1
D [20/Mar/2016:18:33:29 -0400] Get-Printer-Attributes ipp://localhost:631/printers/anselpc
D [20/Mar/2016:18:33:29 -0400] Returning IPP successful-ok for Get-Printer-Attributes (ipp://localhost:631/printers/anselpc) from localhost
D [20/Mar/2016:18:33:29 -0400] cupsdSetBusyState: Not busy
D [20/Mar/2016:18:33:29 -0400] cupsdReadClient: 12 WAITING Closing on EOF
D [20/Mar/2016:18:33:29 -0400] cupsdCloseClient: 12
D [20/Mar/2016:18:33:29 -0400] cupsdAcceptClient: skipping getpeercon()
D [20/Mar/2016:18:33:29 -0400] cupsdAcceptClient: 12 from localhost:631 (IPv6)
E [20/Mar/2016:18:33:29 -0400] Unable to encrypt connection from localhost - A record packet with illegal version was received.
D [20/Mar/2016:18:33:29 -0400] cupsdCloseClient: 12



# Config file for Net-Print CUPS
# 2015-03-27 rcc2

# NOTES:
# "Port 631" must be commented out to prevent non-SSL connections

# From the OS X man page "cupsd.conf (5)" (The Linux man pages suck):
# Require user {user-name|@group-name} ...
#            Specifies that an authenticated user must match one of  the
#            named users or be a member of one of the named groups.  The
#            group name "@SYSTEM" corresponds  to  the  list  of  groups
#            defined   by   the   SystemGroup  directive  in  the  cups-
#            files.conf(5) file.  The group name "@OWNER" corresponds to
#            the owner of the resource, for example the person that sub-
#            mitted a print job.

# When the "no_user_check" option is used in PAM, "@SYSTEM" seems to be
# true for all authenticated users.

ServerName net-printpc-cups.cit.cornell.edu

# Fix 'using invalid Host: field "net-printpc-cups.cit.cornell.edu:631"' errors
ServerAlias *

# Spool directory is on data disk
RequestRoot /data/cups/spool

MaxLogSize 2000000000
#LogLevel info
LogLevel debug
SystemGroup sys root
# Allow remote access
#Port 631
Listen /var/run/cups/cups.sock
SSLPort 631
ServerCertificate /etc/cups/ssl/net-printpc-cups_cit_cornell_edu_interm_and_cert.cer
ServerKey /etc/cups/ssl/net-printpc-cups_cit_cornell_edu.key
# Enable printer sharing and shared printers.
Browsing On
BrowseOrder allow,deny
# (Change '@LOCAL' to 'ALL' if using directed broadcasts from another subnet.)
BrowseAllow @LOCAL
BrowseAddress @LOCAL
DefaultAuthType Basic
<Location />
  # Allow shared printing...
  Order allow,deny
  Allow all
</Location>
# Restrict access to the admin pages...
<Location /admin>
  AuthType Basic
  Encryption Required
  Order deny,allow
  Allow localhost
#  Require user @SYSTEM
  Require user jb48 tco2
</Location>
# Restrict access to the configuration files...
<Location /admin/conf>
  AuthType Basic
  Encryption Required
  Order deny,allow
  Allow localhost
#  Require user @SYSTEM
  Require user jb48 tco2
</Location>
<Location /classes>
  AuthType Basic
  Encryption Required
  Order deny,allow
  Allow localhost
#  Require user @SYSTEM
  Require user jb48 tco2
</Location>
<Location /help>
  AuthType Basic
  Encryption Required
  Order deny,allow
  Allow localhost
#  Require user @SYSTEM
  Require user jb48 tco2
</Location>
# Access to the print queues must be allowed
<Location /printers>
  AuthType Basic
  Encryption Required
  Order deny,allow
  Allow localhost
#  Require user @SYSTEM
</Location>
<Policy default>
  <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job CUPS-Move-Job>
    AuthType Basic
    Encryption Required
#    Require user @OWNER @SYSTEM
    Order deny,allow
  </Limit>
  <Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default>
    AuthType Basic
    Encryption Required
#    Require user @SYSTEM
    Require user jb48 tco2
    Order deny,allow
  </Limit>
  <Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After CUPS-Accept-Jobs CUPS-Reject-Jobs>
    AuthType Basic
    Encryption Required
#    Require user @SYSTEM
    Require user jb48 tco2
    Order deny,allow
  </Limit>
  <Limit Cancel-Job CUPS-Authenticate-Job>
    AuthType Basic
    Encryption Required
    Require user @OWNER @SYSTEM
    Order deny,allow
  </Limit>
  <Limit All>
    Order deny,allow
  </Limit>
</Policy>
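The error_log excerpt above records two separate client connections that both got descriptor 12, one over the domain socket and one over TCP to localhost:631. The script below is an added example for this thread (not CUPS code) that groups cupsd debug lines per accepted connection, recording the transport, what cupsdAuthorize saw, which IPP operations were issued and whether TLS setup failed. The sample lines are copied from the posted error_log; the regexes and the assumption that fd-less lines belong to the most recently accepted open connection are mine.

```python
"""Triage cupsd debug log lines: one record per accepted client.
Added example for this thread, not CUPS code.  SAMPLE_LOG is copied
from the error_log excerpt in the post."""
import re

SAMPLE_LOG = """\
D [20/Mar/2016:18:33:29 -0400] cupsdAcceptClient: skipping getpeercon()
D [20/Mar/2016:18:33:29 -0400] cupsdAcceptClient: 12 from localhost (Domain)
D [20/Mar/2016:18:33:29 -0400] cupsdReadClient: 12 POST / HTTP/1.1
D [20/Mar/2016:18:33:29 -0400] cupsdSetBusyState: Active clients
D [20/Mar/2016:18:33:29 -0400] cupsdAuthorize: No authentication data provided.
D [20/Mar/2016:18:33:29 -0400] cupsdReadClient: 12 1.1 Get-Printer-Attributes 1
D [20/Mar/2016:18:33:29 -0400] Get-Printer-Attributes ipp://localhost:631/printers/anselpc
D [20/Mar/2016:18:33:29 -0400] Returning IPP successful-ok for Get-Printer-Attributes (ipp://localhost:631/printers/anselpc) from localhost
D [20/Mar/2016:18:33:29 -0400] cupsdSetBusyState: Not busy
D [20/Mar/2016:18:33:29 -0400] cupsdReadClient: 12 WAITING Closing on EOF
D [20/Mar/2016:18:33:29 -0400] cupsdCloseClient: 12
D [20/Mar/2016:18:33:29 -0400] cupsdAcceptClient: skipping getpeercon()
D [20/Mar/2016:18:33:29 -0400] cupsdAcceptClient: 12 from localhost:631 (IPv6)
E [20/Mar/2016:18:33:29 -0400] Unable to encrypt connection from localhost - A record packet with illegal version was received.
D [20/Mar/2016:18:33:29 -0400] cupsdCloseClient: 12
"""

# Line shapes as they appear in cupsd's LogLevel debug output.
LINE_RE = re.compile(r"^(?P<level>[A-Z]) \[(?P<ts>[^\]]+)\] (?P<msg>.*)$")
ACCEPT_RE = re.compile(r"^cupsdAcceptClient: (?P<fd>\d+) from (?P<peer>\S+) \((?P<transport>[^)]+)\)$")
REQUEST_RE = re.compile(r"^cupsdReadClient: (?P<fd>\d+) (?P<ver>\d+\.\d+) (?P<op>\S+) (?P<reqid>\d+)$")
RESULT_RE = re.compile(r"^Returning IPP (?P<status>\S+) for (?P<op>\S+)")
AUTH_RE = re.compile(r"^cupsdAuthorize: (?P<detail>.*)$")
CLOSE_RE = re.compile(r"^cupsdCloseClient: (?P<fd>\d+)$")
TLS_FAIL_RE = re.compile(r"^Unable to encrypt connection from (?P<peer>\S+) - (?P<reason>.*)$")


def parse_error_log(text):
    """Return a list of connection records in accept order."""
    sessions = []
    open_by_fd = {}   # descriptors are reused once closed, so track only open ones

    def current():
        # Lines without a descriptor (auth, results, TLS errors) are attributed
        # to the most recently accepted connection that is still open.
        # Assumption of this example; fine for a low-traffic log like this one.
        return sessions[-1] if sessions and not sessions[-1]["closed"] else None

    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        level, ts, msg = m.group("level", "ts", "msg")
        if (a := ACCEPT_RE.match(msg)):
            sess = {"fd": int(a["fd"]), "peer": a["peer"], "transport": a["transport"],
                    "accepted": ts, "auth": None, "ops": [], "results": [],
                    "tls_error": None, "closed": False}
            sessions.append(sess)
            open_by_fd[sess["fd"]] = sess
        elif (r := REQUEST_RE.match(msg)):
            s = open_by_fd.get(int(r["fd"]))
            if s:
                s["ops"].append(r["op"])
        elif (x := RESULT_RE.match(msg)):
            s = current()
            if s:
                s["results"].append((x["op"], x["status"]))
        elif (u := AUTH_RE.match(msg)):
            s = current()
            if s:
                s["auth"] = u["detail"]
        elif level == "E" and (e := TLS_FAIL_RE.match(msg)):
            s = current()
            if s:
                s["tls_error"] = e["reason"]
        elif (c := CLOSE_RE.match(msg)):
            s = open_by_fd.pop(int(c["fd"]), None)
            if s:
                s["closed"] = True
    return sessions


def tls_failures(sessions):
    """(transport, peer, reason) for every connection whose TLS setup failed."""
    return [(s["transport"], s["peer"], s["tls_error"]) for s in sessions if s["tls_error"]]


if __name__ == "__main__":
    for s in parse_error_log(SAMPLE_LOG):
        print(f"fd {s['fd']} via {s['transport']:<6} from {s['peer']:<14} "
              f"auth={s['auth']!r} ops={s['ops']} tls_error={s['tls_error']!r}")
```

Run against the posted lines it reports one connection over the domain socket that issued Get-Printer-Attributes with no authentication data and got successful-ok, and a second over IPv6 to localhost:631 that issued no IPP request at all before the "record packet with illegal version" error closed it. Separating the two makes it clear which leg of the lp run the E line belongs to.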

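The cupsd.conf above gates operations at two layers: `<Location>` blocks by request path and `<Policy>/<Limit>` blocks by IPP operation, with operations not named in any `<Limit>` falling through to `<Limit All>`. The following added example (mine, not CUPS code) parses only the policy layer and reports, for a list of operations, which `<Limit>` applies and whether it demands an AuthType and `Encryption Required`; `<Location>` rules, which cupsd enforces in addition, are deliberately skipped. SAMPLE_CONF is a constructed, trimmed copy of the posted `<Policy default>`; treating a `<Limit>` with no AuthType line as unauthenticated is this audit's assumption, and "first matching Limit, else All" is how it resolves an operation.

```python
"""Audit the <Policy> layer of a cupsd.conf.  Added example for this
thread, not CUPS code.  SAMPLE_CONF is a constructed, trimmed copy of
the <Policy default> block in the post."""
import re
from dataclasses import dataclass

SAMPLE_CONF = """\
# constructed sample, trimmed from the posted cupsd.conf
DefaultAuthType Basic
<Location /printers>
  AuthType Basic
  Encryption Required
</Location>
<Policy default>
  <Limit Send-Document Send-URI Hold-Job Release-Job CUPS-Move-Job>
    AuthType Basic
    Encryption Required
#    Require user @OWNER @SYSTEM
    Order deny,allow
  </Limit>
  <Limit Cancel-Job CUPS-Authenticate-Job>
    AuthType Basic
    Encryption Required
    Require user @OWNER @SYSTEM
    Order deny,allow
  </Limit>
  <Limit All>
    Order deny,allow
  </Limit>
</Policy>
"""


@dataclass
class LimitRule:
    operations: list
    auth_type: str = "None"          # no AuthType line: treated here as unauthenticated
    encryption: str = "IfRequested"  # cupsd's default when Encryption is absent
    require: str = ""
    order: str = "allow,deny"


OPEN_RE = re.compile(r"^<(Policy|Limit)\s+([^>]+)>$", re.IGNORECASE)
CLOSE_RE = re.compile(r"^</(Policy|Limit)>$", re.IGNORECASE)


def parse_policies(text):
    """Return {policy_name: [LimitRule, ...]} in file order; comments are dropped."""
    policies, policy, rule = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = OPEN_RE.match(line)
        if m:
            kind, args = m.group(1).lower(), m.group(2).split()
            if kind == "policy":
                policy = args[0]
                policies.setdefault(policy, [])
            elif policy is not None:
                rule = LimitRule(operations=args)
                policies[policy].append(rule)
            continue
        m = CLOSE_RE.match(line)
        if m:
            if m.group(1).lower() == "limit":
                rule = None
            else:
                policy = None
            continue
        if rule is None:
            continue  # directives outside a policy <Limit> (e.g. inside <Location>) are skipped
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "authtype":
            rule.auth_type = value
        elif key == "encryption":
            rule.encryption = value
        elif key == "require":
            rule.require = value
        elif key == "order":
            rule.order = value
    return policies


def effective_rule(rules, operation):
    """First <Limit> that names the operation wins; <Limit All> is the fallback."""
    fallback = None
    for r in rules:
        names = {n.lower() for n in r.operations}
        if operation.lower() in names:
            return r
        if fallback is None and "all" in names:
            fallback = r
    return fallback


def audit(policies, operations, policy_name="default"):
    """One finding per operation; 'exposed' means no AuthType or no Encryption Required."""
    findings = []
    for op in operations:
        r = effective_rule(policies.get(policy_name, []), op)
        if r is None:
            findings.append({"operation": op, "matched_by": None, "exposed": True})
            continue
        findings.append({
            "operation": op,
            "matched_by": " ".join(r.operations),
            "auth_type": r.auth_type,
            "encryption": r.encryption,
            "require": r.require,
            "exposed": r.auth_type.lower() == "none" or r.encryption.lower() != "required",
        })
    return findings


if __name__ == "__main__":
    pol = parse_policies(SAMPLE_CONF)
    for f in audit(pol, ["Send-Document", "Cancel-Job", "Print-Job", "Create-Job", "Get-Jobs"]):
        flag = "EXPOSED" if f["exposed"] else "ok"
        print(f"{f['operation']:<16} {flag:<8} via <Limit {f['matched_by'] or '?'}> "
              f"auth={f.get('auth_type')} enc={f.get('encryption')} require={f.get('require')!r}")
```

On the sample this lists Send-Document and Cancel-Job as Basic + Required, while Print-Job, Create-Job and Get-Jobs resolve to `<Limit All>` with no AuthType at the policy layer; whether those are still authenticated then depends entirely on the `<Location /printers>` block, which is why the two layers should be reviewed together.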
