[cups] Authentication for thee but not for me
Rick Cochran
rcc2 at cornell.edu
Sun Mar 20 15:42:44 PDT 2016
OK. I have done some more research. It seems likely that I will be unable to use
SSL encryption for job submission and NOT use SSL encryption for job submission
at the same time. Duh.
So I am adding "-E" to the "lp" command.
I have attached the full command, the error message it returns, the error_log
entries produced, and my cupsd.conf.
BTW, adding "-o encryption=always" produces the same result.
Help would be appreciated.
-Rick
On 3/19/16 5:37 PM, Rick Cochran wrote:
> I have done a bit of research.
>
> The command PaperCut is using to move print jobs is:
>
> lp -d "%printer%" -h "%server%" -t "%docname%" -U "%username%" -o raw
> "%spoolfile%"
>
> but I can change it to whatever I want.
>
> The error messages I am getting when PaperCut attempts to move a print job are:
>
> Unable to encrypt connection from localhost - A record packet with illegal
> version was received.
>
> Since I am using "SSLPort 631" instead of "Port 631" in cupsd.conf I think _all_
> connections to port 631 will require SSL.
>
> A relevant section of cupsd.conf is:
>
> <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs
> Set-Job-Attributes Create-Job-Subscription Renew-Subscription
> Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job
> Suspend-Current-Job Resume-Job CUPS-Move-Job>
> AuthType Basic
> Encryption Required
> Order deny,allow
> </Limit>
>
> If this were an Apache httpd.conf, I could use
>
> <If "%{REMOTE_ADDR} != '127.0.0.1'">
> AuthType Basic
> Encryption Required
> Order deny,allow
> </If>
>
> However the "If" directive is not found in the list of cupsd.conf directives.
>
> I'm beginning to think we will not be able to make this work, in which case we
> will have to switch everything to Windows.
>
> Yuck!
>
> -Rick
>
>
> On 3/16/16 6:22 PM, Rick Cochran wrote:
>> Hi,
>>
>> The PaperCut "Print Provider" (the part of PaperCut which runs on print servers)
>> sometimes needs to execute CUPS commands to move print jobs from one queue to
>> another.
>>
>> We have cupsd.conf configured to require SSL-encrypted IPP Basic Authentication
>> for print job submission. I am wondering if it is possible to also allow
>> unauthenticated (at least by IPPS) actions by processes running on the CUPS
>> server.
>>
>> If so, I'm wondering what that would look like in cupsd.conf.
>>
>> Thanks,
>> -Rick
-------------- next part --------------
net-printpc-cups> lp -d anselpc -h localhost:631 -t test.ps -U rcc2 -E -o raw /mnt/cit-netprint/Net-Print/test/test.ps
lp: Connection reset by peer
D [20/Mar/2016:18:33:29 -0400] cupsdAcceptClient: skipping getpeercon()
D [20/Mar/2016:18:33:29 -0400] cupsdAcceptClient: 12 from localhost (Domain)
D [20/Mar/2016:18:33:29 -0400] cupsdReadClient: 12 POST / HTTP/1.1
D [20/Mar/2016:18:33:29 -0400] cupsdSetBusyState: Active clients
D [20/Mar/2016:18:33:29 -0400] cupsdAuthorize: No authentication data provided.
D [20/Mar/2016:18:33:29 -0400] cupsdReadClient: 12 1.1 Get-Printer-Attributes 1
D [20/Mar/2016:18:33:29 -0400] Get-Printer-Attributes ipp://localhost:631/printers/anselpc
D [20/Mar/2016:18:33:29 -0400] Returning IPP successful-ok for Get-Printer-Attributes (ipp://localhost:631/printers/anselpc) from localhost
D [20/Mar/2016:18:33:29 -0400] cupsdSetBusyState: Not busy
D [20/Mar/2016:18:33:29 -0400] cupsdReadClient: 12 WAITING Closing on EOF
D [20/Mar/2016:18:33:29 -0400] cupsdCloseClient: 12
D [20/Mar/2016:18:33:29 -0400] cupsdAcceptClient: skipping getpeercon()
D [20/Mar/2016:18:33:29 -0400] cupsdAcceptClient: 12 from localhost:631 (IPv6)
E [20/Mar/2016:18:33:29 -0400] Unable to encrypt connection from localhost - A record packet with illegal version was received.
D [20/Mar/2016:18:33:29 -0400] cupsdCloseClient: 12
# Config file for Net-Print CUPS
# 2015-03-27 rcc2
# NOTES:
# "Port 631" must be commented out to prevent non-SSL connections
# From the OS X man page "cupsd.conf (5)" (The Linux man pages suck):
# Require user {user-name|@group-name} ...
# Specifies that an authenticated user must match one of the
# named users or be a member of one of the named groups. The
# group name "@SYSTEM" corresponds to the list of groups
# defined by the SystemGroup directive in the cups-
# files.conf(5) file. The group name "@OWNER" corresponds to
# the owner of the resource, for example the person that sub-
# mitted a print job.
# When the "no_user_check" option is used in PAM, "@SYSTEM" seems to be
# true for all authenticated users.
ServerName net-printpc-cups.cit.cornell.edu
# Fix 'using invalid Host: field "net-printpc-cups.cit.cornell.edu:631"' errors
ServerAlias *
# Spool directory is on data disk
RequestRoot /data/cups/spool
MaxLogSize 2000000000
#LogLevel info
LogLevel debug
SystemGroup sys root
# Allow remote access
#Port 631
Listen /var/run/cups/cups.sock
SSLPort 631
ServerCertificate /etc/cups/ssl/net-printpc-cups_cit_cornell_edu_interm_and_cert.cer
ServerKey /etc/cups/ssl/net-printpc-cups_cit_cornell_edu.key
# Enable printer sharing and shared printers.
Browsing On
BrowseOrder allow,deny
# (Change '@LOCAL' to 'ALL' if using directed broadcasts from another subnet.)
BrowseAllow @LOCAL
BrowseAddress @LOCAL
DefaultAuthType Basic
<Location />
# Allow shared printing...
Order allow,deny
Allow all
</Location>
# Restrict access to the admin pages...
<Location /admin>
AuthType Basic
Encryption Required
Order deny,allow
Allow localhost
# Require user @SYSTEM
Require user jb48 tco2
</Location>
# Restrict access to the configuration files...
<Location /admin/conf>
AuthType Basic
Encryption Required
Order deny,allow
Allow localhost
# Require user @SYSTEM
Require user jb48 tco2
</Location>
<Location /classes>
AuthType Basic
Encryption Required
Order deny,allow
Allow localhost
# Require user @SYSTEM
Require user jb48 tco2
</Location>
<Location /help>
AuthType Basic
Encryption Required
Order deny,allow
Allow localhost
# Require user @SYSTEM
Require user jb48 tco2
</Location>
# Access to the print queues must be allowed
<Location /printers>
AuthType Basic
Encryption Required
Order deny,allow
Allow localhost
# Require user @SYSTEM
</Location>
<Policy default>
<Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job CUPS-Move-Job>
AuthType Basic
Encryption Required
# Require user @OWNER @SYSTEM
Order deny,allow
</Limit>
<Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default>
AuthType Basic
Encryption Required
# Require user @SYSTEM
Require user jb48 tco2
Order deny,allow
</Limit>
<Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After CUPS-Accept-Jobs CUPS-Reject-Jobs>
AuthType Basic
Encryption Required
# Require user @SYSTEM
Require user jb48 tco2
Order deny,allow
</Limit>
<Limit Cancel-Job CUPS-Authenticate-Job>
AuthType Basic
Encryption Required
Require user @OWNER @SYSTEM
Order deny,allow
</Limit>
<Limit All>
Order deny,allow
</Limit>
</Policy>
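The failure in the attached error_log, as an added example that is not part of the original post or of CUPS itself: a listener declared with SSLPort starts TLS the moment it accepts a connection, so whatever the client sends first is parsed as a TLS record header. Every TLS record begins with a content-type byte (0x14..0x17) and a 0x03 major version byte; a plaintext HTTP request begins with an ASCII method token, so a TLS-on-accept listener reads the second and third letters of the method as an impossible "record version", which is consistent with the "illegal version" error in the log. The script below classifies the first bytes of a connection (the ClientHello header and the RFC 2817 style `OPTIONS *` upgrade request are constructed samples; the upgrade request is an assumption about what an upgrade-style client sends first, not a capture from lp), summarises the listeners in a cupsd.conf fragment taken from the attached config, and pairs the accept/request/error/close lines of the attached debug log so the transport of the failed connection (Domain socket vs IPv4/IPv6) is visible at a glance.

```python
"""Triage helper for "Unable to encrypt connection ... A record packet with
illegal version was received".  Added example; not part of the original post
or of CUPS.  Assumptions are marked in the comments."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# --- 1. what a TLS-on-accept listener sees in the first bytes ---------------
# A TLS record starts with a content-type byte followed by a two-byte version
# whose major byte is 0x03.  A plaintext request starts with a method token.
TLS_CONTENT_TYPES = {0x14: "change_cipher_spec", 0x15: "alert",
                     0x16: "handshake", 0x17: "application_data"}
HTTP_METHODS = (b"OPTIONS ", b"GET ", b"POST ", b"PUT ", b"HEAD ")


def classify_first_bytes(data: bytes) -> dict:
    """Return {"kind": "tls" | "plaintext-http" | "unknown", "detail": str}."""
    if len(data) < 5:
        return {"kind": "unknown", "detail": "fewer than 5 bytes (no record header)"}
    ctype, major, minor = data[0], data[1], data[2]
    if ctype in TLS_CONTENT_TYPES and major == 0x03 and minor <= 0x04:
        return {"kind": "tls",
                "detail": f"{TLS_CONTENT_TYPES[ctype]} record, version 0x{major:02x}{minor:02x}"}
    if data.startswith(HTTP_METHODS):
        request_line = data.split(b"\r\n", 1)[0].decode("ascii", "replace")
        return {"kind": "plaintext-http",
                "detail": f"{request_line!r} sent in the clear; a TLS listener "
                          f"reads record version 0x{major:02x}{minor:02x}"}
    return {"kind": "unknown", "detail": data[:5].hex()}


# Constructed samples: CLIENT_HELLO is the start of a TLS 1.2 ClientHello
# record; UPGRADE_REQUEST approximates an RFC 2817 "OPTIONS *" upgrade and is
# an assumption about what an upgrade-style client sends first.
CLIENT_HELLO = bytes.fromhex("16030100c4010000c00303")
UPGRADE_REQUEST = (b"OPTIONS * HTTP/1.1\r\nHost: localhost:631\r\n"
                   b"Connection: Upgrade\r\nUpgrade: TLS/1.2,TLS/1.1,TLS/1.0\r\n\r\n")

# --- 2. which listeners a cupsd.conf declares ------------------------------
# Port/Listen accept plaintext HTTP; SSLPort/SSLListen start TLS on accept;
# a Listen on a filesystem path is a Unix domain socket, which never carries TLS.
def listener_summary(conf_text: str) -> dict:
    out = {"plaintext": [], "tls_on_accept": [], "domain_socket": []}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # comments such as "#Port 631" are off
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        directive, value = parts[0].lower(), parts[1].strip()
        if directive in ("port", "listen"):
            bucket = "domain_socket" if value.startswith("/") else "plaintext"
            out[bucket].append(value)
        elif directive in ("sslport", "ssllisten"):
            out["tls_on_accept"].append(value)
    return out


SAMPLE_CONF = """\
#Port 631
Listen /var/run/cups/cups.sock
SSLPort 631
"""

# --- 3. pair accept/request/error/close lines from a cupsd debug log --------
ACCEPT_RE = re.compile(r"cupsdAcceptClient: (\d+) from (\S+) \((\w+)\)")
REQUEST_RE = re.compile(r"cupsdReadClient: (\d+) \d\.\d (\S+) ")
ENCRYPT_ERR_RE = re.compile(r"^E .*Unable to encrypt connection from (\S+) - (.*)$")
CLOSE_RE = re.compile(r"cupsdCloseClient: (\d+)")


@dataclass
class Conn:
    client: str
    peer: str
    transport: str                       # Domain, IPv4 or IPv6 as cupsd logs it
    requests: List[str] = field(default_factory=list)
    error: Optional[str] = None


def pair_connections(lines) -> List[Conn]:
    """cupsd reuses client numbers, so pair by accept/close order, not by id alone."""
    open_conns, last_accepted, closed = {}, None, []
    for line in lines:
        if m := ACCEPT_RE.search(line):
            conn = Conn(m.group(1), m.group(2), m.group(3))
            open_conns[conn.client] = conn
            last_accepted = conn
        elif m := REQUEST_RE.search(line):
            if (conn := open_conns.get(m.group(1))) is not None:
                conn.requests.append(m.group(2))
        elif m := ENCRYPT_ERR_RE.match(line):
            # the E line carries no client number: attribute it to the newest open connection
            if last_accepted is not None:
                last_accepted.error = m.group(2)
        elif m := CLOSE_RE.search(line):
            if (conn := open_conns.pop(m.group(1), None)) is not None:
                closed.append(conn)
    return closed


# Copied from the error_log attached to the post (getpeercon/busy lines dropped).
SAMPLE_LOG = """\
D [20/Mar/2016:18:33:29 -0400] cupsdAcceptClient: 12 from localhost (Domain)
D [20/Mar/2016:18:33:29 -0400] cupsdReadClient: 12 POST / HTTP/1.1
D [20/Mar/2016:18:33:29 -0400] cupsdAuthorize: No authentication data provided.
D [20/Mar/2016:18:33:29 -0400] cupsdReadClient: 12 1.1 Get-Printer-Attributes 1
D [20/Mar/2016:18:33:29 -0400] cupsdCloseClient: 12
D [20/Mar/2016:18:33:29 -0400] cupsdAcceptClient: 12 from localhost:631 (IPv6)
E [20/Mar/2016:18:33:29 -0400] Unable to encrypt connection from localhost - A record packet with illegal version was received.
D [20/Mar/2016:18:33:29 -0400] cupsdCloseClient: 12
"""

if __name__ == "__main__":
    for name, sample in (("ClientHello", CLIENT_HELLO), ("Upgrade request", UPGRADE_REQUEST)):
        print(name, classify_first_bytes(sample))
    print(listener_summary(SAMPLE_CONF))
    for conn in pair_connections(SAMPLE_LOG.splitlines()):
        print(f"{conn.transport:6} {conn.peer:14} requests={conn.requests} error={conn.error}")
```

Run against the attached log, the pairing shows the unauthenticated Get-Printer-Attributes succeeding over the domain socket and the TLS failure on the second, TCP connection to localhost:631; the listener summary shows that the only TCP listener is TLS-on-accept and the only plaintext path is the domain socket, which cannot satisfy "Encryption Required" at all. The practical check that follows from this is on the client side: whether the submitting process starts TLS immediately or asks for an HTTP upgrade is governed by its CUPS client Encryption setting (client.conf or the CUPS_ENCRYPTION environment variable), and only an immediate-TLS client can talk to an SSLPort listener.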