[cups] Authentication for thee but not for me

[Michael Sweet]

Rick,

> On Mar 19, 2016, at 5:37 PM, Rick Cochran <rcc2 at cornell.edu> wrote:
> 
> I have done a bit of research.
> 
> The command PaperCut is using to move print jobs is:
> 
>  lp -d "%printer%" -h "%server%" -t "%docname%" -U "%username%" -o raw "%spoolfile%"
> 
> but I can change it to whatever I want.

If the server is local, the local domain socket should probably be used (not localhost, but /var/run/cupsd or whatever the domain socket is on your system).

> The error messages I am getting when PaperCut attempts to move a print job are:
> 
>  Unable to encrypt connection from localhost - A record packet with illegal version was received.

What version of CUPS?  What OS?

> Since I am using "SSLPort 631" instead of "Port 631" in cupsd.conf I think _all_ connections to port 631 will require SSL.

Yes.

> A relevant section of cupsd.conf is:
> 
>  <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job CUPS-Move-Job>
>    AuthType Basic
>    Encryption Required
>    Order deny,allow
>  </Limit>
> 
> If this were an Apache httpd.conf, I could use
> 
>    <If "%{REMOTE_ADDR} != '127.0.0.1'">
>      AuthType Basic
>      Encryption Required
>      Order deny,allow
>    </If>
> 
> However the "If" directive is not found in the list of cupsd.conf directives.

No, we never adopted any of the Apache conditional directives, although the encryption stuff (if you don't force it like you have in your policy) will be applied automatically for remote connections but not for local ones.

_________________________________________________________
Michael Sweet, Senior Printing System Engineer