[cups] Authentication for thee but not for me

Rick Cochran rcc2 at cornell.edu
Mon Mar 21 07:16:49 PDT 2016


Helge,

Thanks for your response!

I forgot to mention that I already have many, many users successfully submitting 
print jobs from many OS X workstations. I also have users successfully 
submitting print jobs from Linux workstations.

The difference is that only print jobs sent by the CUPS IPP backend appear to 
work. Print jobs sent by the "lp" command do not.

I include "encryption=always" in the URL successfully used by the CUPS IPP 
backend in the client workstations.

"Encryption Always" does not seem to be a cupsd.conf directive.

Yours,
-Rick


On 3/21/16 8:15 AM, Helge Blischke wrote:
> Looking through various bug reports referencing the same error message in
> cups’ error_log, I found a hint you could at least try (cited from memory):
> "… SSLPort 631 implies that the initial connection already should be
> encrypted, contrary to the normal proceeding (initiate an unencrypted
> connection and switch to encryption in a second step). So "Encryption always“
> in cupsd.conf seems to be the only means to fix this issue …“ From the bug
> reports I scanned it seems that the issue may be dependent on the TLS (or
> SSL) version installed.
>
> Helge
>
>> Am 20.03.2016 um 23:42 schrieb Rick Cochran <rcc2 at cornell.edu>:
>>
>> OK. I have done some more research. It seems likely that I will be unable
>> to use SSL encryption for job submission and NOT use SSL encryption for job
>> submission at the same time. Duh.
>>
>> So I am adding "-E" to the "lp" command.
>>
>> I have attached the full command, the error message it returns, the
>> error_log entries produced, and my cupsd.conf.
>>
>> BTW, adding "-o encryption=always" produces the same result.
>>
>> Help would be appreciated.
>>
>> -Rick
>>
>>
>> On 3/19/16 5:37 PM, Rick Cochran wrote:
>>> I have done a bit of research.
>>>
>>> The command PaperCut is using to move print jobs is:
>>>
>>> lp -d "%printer%" -h "%server%" -t "%docname%" -U "%username%" -o raw
>>> "%spoolfile%"
>>>
>>> but I can change it to whatever I want.
>>>
>>> The error messages I am getting when PaperCut attempts to move a print
>>> job are:
>>>
>>> Unable to encrypt connection from localhost - A record packet with
>>> illegal version was received.
>>>
>>> Since I am using "SSLPort 631" instead of "Port 631" in cupsd.conf I
>>> think _all_ connections to port 631 will require SSL.
>>>
>>> A relevant section of cupsd.conf is:
>>>
>>> <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job
>>> Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription
>>> Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job
>>> Suspend-Current-Job Resume-Job CUPS-Move-Job> AuthType Basic Encryption
>>> Required Order deny,allow </Limit>
>>>
>>> If this were an Apache httpd.conf, I could use
>>>
>>> <If "%{REMOTE_ADDR} != '127.0.0.1'"> AuthType Basic Encryption Required
>>> Order deny,allow </If>
>>>
>>> However the "If" directive is not found in the list of cupsd.conf
>>> directives.
>>>
>>> I'm beginning to think we will not be able to make this work, in which
>>> case we will have to switch everything to Windows.
>>>
>>> Yuck!
>>>
>>> -Rick
>>>
>>>
>>> On 3/16/16 6:22 PM, Rick Cochran wrote:
>>>> Hi,
>>>>
>>>> The PaperCut "Print Provider" (the part of PaperCut which runs on print
>>>> servers) sometimes needs to execute CUPS commands to move print jobs
>>>> from one queue to another.
>>>>
>>>> We have cupsd.conf configured to require SSL-encrypted IPP Basic
>>>> Authentication for print job submission. I am wondering if it is
>>>> possible to also allow unauthenticated (at least by IPPS) actions by
>>>> processes running on the CUPS server.
>>>>
>>>> If so, I'm wondering what that would look like in cupsd.conf.
>>>>
>>>> Thanks, -Rick
>> <details.txt>_______________________________________________ cups mailing
>> list cups at cups.org <mailto:cups at cups.org>
>> https://www.cups.org/mailman/listinfo/cups
>> <https://www.cups.org/mailman/listinfo/cups>
> _______________________________________________ cups mailing list
> cups at cups.org https://www.cups.org/mailman/listinfo/cups
>



More information about the cups mailing list