source: trunk/third/lprng/doc/LPRng-HOWTO-16.html @ 13098

Revision 13098, 30.9 KB checked in by danw, 26 years ago (diff)
This commit was generated by cvs2svn to compensate for changes in r13097, which included commits to RCS files with non-trunk default branches.
Line 
1<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
2<HTML>
3<HEAD>
4 <META NAME="GENERATOR" CONTENT="SGML-Tools 1.0.9">
5 <TITLE> LPRng-HOWTO: Authentication and Encryption</TITLE>
6 <LINK HREF="LPRng-HOWTO-17.html" REL=next>
7 <LINK HREF="LPRng-HOWTO-15.html" REL=previous>
8 <LINK HREF="LPRng-HOWTO.html#toc16" REL=contents>
9</HEAD>
10<BODY>
11<A HREF="LPRng-HOWTO-17.html">Next</A>
12<A HREF="LPRng-HOWTO-15.html">Previous</A>
13<A HREF="LPRng-HOWTO.html#toc16">Contents</A>
14<HR>
15<H2><A NAME="authref"></A> <A NAME="s16">16. Authentication and Encryption</A></H2>
16
17<P>One of the major problems in a print spooler system is providing
18privacy and authentication services for users.  One method is to
19construct a specific set of protocols which will be used for
20providing the privacy or authentication;  another is to provide a
21simple interface to a set of tools that will do the authentication
22and/or encryption.
23<P>LPRng provides native support for the LPR extensions used by MIT
24and the Kerberos 4 implementation.
25In addition,
26it provides Kerberos 5 based authentication.
27<P>LPRng also supports the use of the PGP (Pretty Good Privacy) program
28and can sign and optionally encrypt command and reponses between servers
29and clients.
30<P>Finally,
31LPRng provide a general purpose interface allowing users to insert their
32own authentication methods,
33either at the program level or at the code level.
34<H2><A NAME="ss16.1">16.1 Authentication</A>
35</H2>
36
37<P>A careful study of the authentication problem shows that it should be done
38during reception of commands and/or jobs from a remote user and/or
39spooler.  At this time the following must be done:
40<OL>
41<LI>The received command must be checked for consistency,  and the
42remote user and host must be determined.</LI>
43<LI>The remote user and host must be authenticated.</LI>
44<LI>The command and/or spooling operation must be carried out.</LI>
45<LI>The results must be returned to the remote system.</LI>
46</OL>
47<P>
48<H2><A NAME="ss16.2">16.2 Identifiers</A>
49</H2>
50
51<P>When a user logs into a system,  they are assigned a user name
52and a corresponding UserID.  This user name is used by the LPRng
53software when transferring jobs to identify the user.
54<P>When we look into the problem of authentication,  we will possibly
55have a more global user identification to deal with, the
56authentication identifier (AuthID).  One way to deal with this problem is to
57give LPRng intimate knowledge of the UserID and AuthID relationship.
58While this is possible,  it may be difficult to deal with in a
59simple and extensible manner.  An alternate solution is to provide
60a mapping service,  where the authentication procedure provides
61a map between the UserID and AuthID.
62<H2><A NAME="ss16.3">16.3 RFC1179 Protocol Extensions</A>
63</H2>
64
65<P>The RFC1179 protocol specifies that a LPD server command sent on
66a connection has the form:
67<BLOCKQUOTE><CODE>
68<PRE>
69\nnn[additional fields]\n
70</PRE>
71</CODE></BLOCKQUOTE>
72<P><CODE>\nnn</CODE> is a one octet (byte) value with the following meaning:
73<P>
74<BLOCKQUOTE><CODE>
75<PRE>
76REQ_START   1    start printer
77REQ_RECV    2    transfer a printer job
78REQ_DSHORT  3    print short form of queue status
79REQ_DLONG   4    print long form of queue status
80REQ_REMOVE  5    remove jobs
81</PRE>
82</CODE></BLOCKQUOTE>
83<P>The LPRng system extends the protocol with the following additional
84types:
85<BLOCKQUOTE><CODE>
86<PRE>
87REQ_CONTROL 6    do control operation
88REQ_BLOCK   7    transfer a block format print job
89REQ_SECURE  8    do operation with authentication
90REQ_VERBOSE 9    verbose status information
91REQ_LPSTAT 10    lpstat simulation
92</PRE>
93</CODE></BLOCKQUOTE>
94<P>The REQ_CONTROL allows a remote user to send LPC commands to the
95server.  The REQ_BLOCK provides an alternate method to transfer a
96job.  Rather than transferring the control and data files individually,
97this format transfers one file.  The REQ_AUTH provides a mechanism
98for providing an authentication mechanism and is described in this
99document.
100<H2><A NAME="authserverid"></A> <A NAME="authclientfilter"></A> <A NAME="auth"></A> <A NAME="ss16.4">16.4 Client Operations for Client To lpd Server Authentication</A>
101</H2>
102
103<P>Options used:
104<UL>
105<LI> <CODE>auth=</CODE><EM>client to server authentication type</EM></LI>
106<LI> <CODE>auth_client_filter=</CODE><EM>client to server transfer program</EM></LI>
107<LI> <CODE>auth_forward=</CODE><EM>server to server authentication type</EM></LI>
108<LI> <CODE>auth_forward_filter=</CODE><EM>server to server transfer program</EM></LI>
109<LI> <CODE>auth_forward_id=</CODE><EM>Server identification</EM></LI>
110<LI> <CODE>auth_receive_filter=</CODE><EM>server to server transfer program</EM></LI>
111<LI> <CODE>auth_server_id=</CODE><EM>server identification</EM></LI>
112</UL>
113<P>This section describes the general purpose interface used for
114client to server authentication.
115<P>The LPRng client will generate a set of commands and place them in a file.
116The file is then encrypted and/or signed by the appropriate authentication
117method,
118and is transferred to the server.
119The server will then decrypt and/or check the signature,
120perform the requested actions,
121and in turn generate a file of status information.
122This file is encrypted and/or signed by the server,
123and sent to the client,
124where it is in turn decrypted and/or checked for correct signature.
125These activities are controlled by the following printcap or configuration
126options.
127<OL>
128<LI>The <CODE> auth </CODE> option specifies the authentication type to be used
129for client to server transfers.
130For example,
131<CODE>auth=pgp</CODE> would specify PGP authentication,
132<CODE>auth=kerberos5</CODE> would specify Kerberos 5 authentication,
133<CODE>auth=kerberos4</CODE> would specify Kerberos 4 authentication,
134and
135<CODE>auth=user</CODE> would specify using user provided filters for authentication.</LI>
136<LI>For client to server operations,
137the server id is the value of the
138<CODE>auth_server_id</CODE> option.</LI>
139<LI>The <CODE>auth_forward</CODE>> option specifies the authentication type to be used
140for server to server transfers.</LI>
141<LI>For server to server operations,
142the id of the originating server
143is specified by
144<CODE>auth_server_id</CODE>.
145and the remote server by
146<CODE>auth_forward_id</CODE>.</LI>
147<LI>When doing client to server transfers,
148the originating user is determined by using the current UID
149of the program as the search value for <CODE>getpwuid()</CODE>.</LI>
150</OL>
151<P>The LPRng client will open a connection to the server
152and send a command with the following format:
153<BLOCKQUOTE><CODE>
154<PRE>
155\008printer C userid auth\n         - for commands
156\008printer C userid auth jobsize\n - for print jobs
157</PRE>
158</CODE></BLOCKQUOTE>
159<P>Note that \008 is a one byte code indicating an authenticated
160transfer.  Printer is the spool queue name, C in the character 'C'
161indicating a client request, userid is the login id of the user,
162auth is the the value of the <CODE>auth</CODE> option,
163and jobsize is the size of the job file to be printed.
164<P>On reception of this command,  the server will send a one byte
165success code.
166If an error is indicated by a non-zero response,
167additional error status may follow
168the non-zero success code byte.  At the end of this information
169the connection will be terminated.
170The values used by LPRng are:
171<BLOCKQUOTE><CODE>
172<PRE>
173ACK_SUCCESS 0   success
174ACK_STOP_Q  1   failed; no spooling to the remote queue
175ACK_RETRY   2   failed; retry later
176ACK_FAIL    3   failed; job rejected, no retry
177</PRE>
178</CODE></BLOCKQUOTE>
179<P>If the success code is zero,
180client will use the <CODE>auth_client_filter</CODE> to encrypt and/or sign
181a data file to be transferred to the server.
182The authentication program will have the following IO assignments:
183<BLOCKQUOTE><CODE>
184<PRE>
185FD  Options Purpose
1860  R/W     connection to remote host
1871  W       output for returned status
1882  W       errors
189</PRE>
190</CODE></BLOCKQUOTE>
191<P>Command line arguments:
192<BLOCKQUOTE><CODE>
193<PRE>
194program -C -Pprinter -nuser -Aauth -Rauth_server_id -Ttempfile
195</PRE>
196</CODE></BLOCKQUOTE>
197<P>The <CODE> tempfile </CODE> will contain either a command line as would be
198transferred using the standard RFC1179 protocol,
199or a print job in block format.
200See
201<A HREF="LPRng-HOWTO-18.html#rfc1179ref">RFC1179 Protocol</A> for details.
202The client authenticator program will open and transfer
203the contents of <CODE>tempfile</CODE> to the server authenticator,
204using FD 0
205and a format compatible with the underlying authentication mechanism.
206<P>If the transfer fails the client
207authenticator will log error information on FD 2 and then exit
208with error code JFAIL.
209<P>The server will send the client authentication program
210any error or logging information over the FD 0 connection,
211in a form appropriate to the authentication operation.
212The client authenticator will write this information to FD 1.
213If data transfer or authentication fails,  the authenticator
214will write an error message to FD 2 and exit with error code
215JFAIL.
216<P>If no error has occured the client authenticator will
217then exit with error code JSUCC.
218<P>
219<H2><A NAME="authforwardfilter"></A> <A NAME="authreceivefilter"></A> <A NAME="ss16.5">16.5 Server Operations for Client To lpd Server Authentication</A>
220</H2>
221
222<P>Options used:
223<UL>
224<LI> <CODE>auth_receive_filter=</CODE><EM>Server (lpd) authentication program</EM></LI>
225<LI> <CODE>auth_server_id=</CODE><EM>Server identification</EM></LI>
226</UL>
227<P>When an authentication command arrives at the server,
228it has the following form:
229<BLOCKQUOTE><CODE>
230<PRE>
231\008printer C userid auth\n          - for commands
232\008printer C userid auth jobsize\n - for print jobs
233</PRE>
234</CODE></BLOCKQUOTE>
235<P>The server will attempt to find the printcap for the specified printer.
236For some operations this printer will be a dummy entry;
237this will simply cause the following operations to use the default
238information in the <CODE>lpd</CODE> configuration.
239<P>If a print job is being performed and the spool queue does not exist,
240then the job will be rejected.
241A non-zero error code will be written to the connection and the operation
242will terminate.
243<P>The <CODE>auth</CODE> value is used to set the
244AUTHTYPE permission checking value.
245If the AUTHTYPE is not built in,
246and the <CODE>auth</CODE> value does not match the
247printcap or configuration
248<CODE>auth</CODE> option value then authentication will fail.
249An error message will be logged to the server log file,
250and a non-zero error code and message will be written to the connection
251to the remote client program.
252<P>Many authentication programs require that the
253users provide some form of key or identification.
254The <CODE>auth_server_id</CODE> option is used for this purpose.
255<P>The server will start the server authenticator program and provide the
256following open file descriptors for it.  The program
257will run as the same UID as the <CODE>lpd</CODE> server.
258If this is a print job transfer,
259the current directory will be the spool directory of the print queue.
260<BLOCKQUOTE><CODE>
261<PRE>
262FD  Options Purpose
2630  R/W     socket connection to remote host (R/W)
2641  W       pipe or file descriptor,  for information for server
2652  W       error log
2663  R       pipe or file descriptor,  for responses to client
267</PRE>
268</CODE></BLOCKQUOTE>
269<P>Command line arguments:
270<BLOCKQUOTE><CODE>
271<PRE>
272program -S -PPRINTER -nUSER -aAUTHTYPE -Rauth_server_id -Ttempfile
273</PRE>
274</CODE></BLOCKQUOTE>
275<P>The
276<CODE>PRINTER</CODE>,
277<CODE>USER</CODE>,
278and
279<CODE>AUTHTYPE</CODE>,
280are obtained from the original command.
281<P>The authentication filter will read the file transferred by the
282client authenticator,
283decrypt it,
284and place the decrypted values in the tempfile.
285It will then write
286a
287<CODE>from_id</CODE>
288string to FD 1,
289which will be read by the LPD server
290and used as the identification of the originating end of the connection.
291<P>If the originating program is an LPRng client,
292then the <CODE>from_id</CODE> value will be the user identification for the authentication protocol;
293if the originating program is an LPRng server,
294this value will be the server identificatio for the authentication protocol.
295<P>After writing this value,
296the transfer program will close FD 1.
297At this point the LPD server will use the contents of the tempfile to perform
298the various requested actions.
299<P>If the transfer step or authentication fails,  then the server
300authenticator
301will write an error message to FD 2 and exit with error code
302JFAIL.
303<P>The <CODE>lpd</CODE> server will record the
304authentication information returned by the server in the
305AUTHUSER permissions key.
306<P>The <CODE>lpd</CODE> server will perform the usual permissions checks,
307with the addition of the indicated permission keys and associated values.
308During this process,
309any error messages or logging information normally returned to client
310programs will be written to the authentication program FD 3.
311<P>The <CODE>lpd</CODE> server will carry out either the commands or
312print job specified in the temporary file.
313During this process,
314any error messages or logging information normally returned to client
315programs will be written to the authentication program FD 3.
316<P>At the end of the operations,
317the FD 3 file descriptor will be closed and the <CODE>lpd</CODE> server
318will wait for the authentication process to exit.
319<P>The server authentication process will read
320input from FD 3 until the end of input,
321and then transfer the received information to the client
322side authenticator.
323It may use the tempfile to hold the information during the
324reading and transfer process.
325<P>If the transfer of the logging information fails,
326then the authenticator process will exit with
327error code JFAIL, otherwise it will exit with error code JSUCC.
328<H2><A NAME="authforward"></A> <A NAME="authforwardid"></A> <A NAME="ss16.6">16.6 lpd Server to Server Authentication</A>
329</H2>
330
331<P>Options used:
332<UL>
333<LI> <CODE>auth_forward=</CODE><EM>Server to server authentication type</EM></LI>
334<LI> <CODE>auth_forward_id=</CODE><EM>Destination server authentication id</EM></LI>
335</UL>
336<P>The Server to Server authentication procedure is used by one server
337to forward jobs or commands to another server.  It should be noted
338that this forwarding operation puts an implicit trust in the security
339of the client to server to server chain.
340The <CODE>lpd</CODE> server will perform an authenticated transfer to
341another server when it either needs to transfer a job to a remote printer
342or when it needs to propagate a
343<CODE>lpq</CODE>,
344<CODE>lprm</CODE>,
345or
346<CODE>lprc</CODE> operation.
347<P>The procedure used to by the server to send commands and/or jobs
348is identical to that used by a client,
349with the minor modification that the server is identified as the
350originating endpoint of the connection,
351and the client authentication information is transferred in the file.
352<P>When propagating a command,
353the server uses the authentication information provided for the remote
354user by the client to server authentication program.
355When propagating or forwarding a job,
356the server will use the authentication information stored in the job
357control or hold file.
358This information will be represented as AUTHUSER in the following discussion.
359<P>The
360<CODE>auth_forward</CODE> option value specifies the type of authentication
361to be used to forward authentication,
362and the sending server uses the <CODE>auth_server_id</CODE> as its identification,
363and the <CODE>auth_forward_id</CODE> as the identification of the remote server.
364If there is no user authentication information,
365then a normal, non-authenticated transfer will be done.
366<P>The <CODE>auth_forward_filter</CODE> will be used for the forwarding
367operation.
368<P>The sending server takes the part of the client, and will
369transfer a job acting similar to a client.  The initial information
370transfer from the sending server will have the format:
371<BLOCKQUOTE><CODE>
372<PRE>
373\008printer F server_user authtype \n          - for commands
374\008printer F server_user authtype controlfilename\n - for print jobs
375</PRE>
376</CODE></BLOCKQUOTE>
377<P>The sending server will invoke its authenticator with the arguments:
378<BLOCKQUOTE><CODE>
379<PRE>
380auth_forward_filter -F -Pprinter -nserver_user -aauthtype \
381-Rremote_user -Ttempfile
382</PRE>
383</CODE></BLOCKQUOTE>
384<P>The tempfile containing the job or command information to be sent
385will have the form:
386<BLOCKQUOTE><CODE>
387<PRE>
388user_authentication_info\n
389\n
390&lt;normal file contents>
391</PRE>
392</CODE></BLOCKQUOTE>
393
394That is,
395the user authentication information is place in the tempfile.
396<P>The tempfile will be transferred to the remote server in the same fashion
397as for a user job.
398Any error or logging information returned will either be written to the
399<CODE>lpd</CODE> log file or to the previous <CODE>lpd</CODE> process in
400the transfer chain.
401<P>On the destination server the same operations
402for receiving an authentication request from a client
403is performed.
404The AUTHUSER, AUTHFROM, and AUTHTYPE values will be the derived from the
405authentication request as for the client.
406The AUTHSAMEUSER will compare the remote client authentication
407information and the authentication information used to create the job.
408<P>When the remote server receives the authentication request,
409it will carry out the same actions as for a client to server transfer,
410modified as follows:
411<OL>
412<LI>The <CODE>lpd</CODE> server will remove the first line of the transferred file,
413which contains the user authentication information,
414and set
415AUTHUSER to this value.</LI>
416<LI>Authentication is performed using the indicated values.</LI>
417<LI>If authentication succeeds,
418then the command line or print job control file is processed
419in the normal manner.
420This might now add more permissions values to tags,
421but the authentication information will not be changed.</LI>
422</OL>
423<H2><A NAME="ss16.7">16.7 Permission Checking</A>
424</H2>
425
426<P>The following patterns and values can be used
427to check that a particular type of authentication
428has been used,
429and what the authenticated user information is.
430<UL>
431<LI>AUTH - authentication is used</LI>
432<LI>AUTHTYPE=globmatch<BR>
433<P>This matches the type of authentication request.
434Built in values include
435<CODE>kerberos4</CODE>,
436<CODE>kerberos5</CODE>,
437and
438<CODE>pgp</CODE>.
439</LI>
440<LI>AUTHUSER=globmatch<BR>
441<P>The originating auth_user_id value.
442</LI>
443<LI>AUTHFROM=globmatch<BR>
444<P>When a command received from a server (i.e.- forwarded by a server),
445the value is the the forwarding servers authentication information,
446otherwise it is NULL.
447</LI>
448<LI>AUTHSAMEUSER<BR>
449<P>The originating auth_user_id value is compared to the value
450used to create the job.
451If they are identical,  the match succeeds.
452</LI>
453</UL>
454<P>For example,  to reject non-authenticated operations, the following
455line could be put in the permissions file.
456<BLOCKQUOTE><CODE>
457<PRE>
458REJECT NOT AUTH
459</PRE>
460</CODE></BLOCKQUOTE>
461<P>To reject server forwarded authentication as well, we use the following.
462Note that the <CODE>?</CODE>  forces a value to be present.
463<BLOCKQUOTE><CODE>
464<PRE>
465REJECT AUTH AUTHFROM=?*
466</PRE>
467</CODE></BLOCKQUOTE>
468<P>If a remote server has id information FFEDBEEFDEAF,  then the
469following will accept only forwarded jobs from this server.  Note
470that AUTHFROM will only match on authenticated transfers;
471FWDUSER will only match on forwarded transfers.
472<BLOCKQUOTE><CODE>
473<PRE>
474ACCEPT AUTH AUTHFROM=FFEDBEEFDEAF
475REJECT AUTH
476REJECT NOT AUTH
477</PRE>
478</CODE></BLOCKQUOTE>
479<P>To allow only authenticated users to remove jobs you can use:
480<BLOCKQUOTE><CODE>
481<PRE>
482ACCEPT AUTH SERVICE=R,M,L,P AUTHSAMEUSER
483REJECT AUTH
484REJECT NOT AUTH
485</PRE>
486</CODE></BLOCKQUOTE>
487<H2><A NAME="ss16.8">16.8 Using PGP for Authentication</A>
488</H2>
489
490<P>PGP is a well known encryption and authentication program.
491For more details see the web site
492<A HREF="http://www.pgp.net">http://www.pgp.net</A>
493or the ftp site
494<A HREF="ftp://ftp.pgp.net">ftp://ftp.pgp.net</A>.
495<P>LPRng has greatly simplified the use of PGP for authentication
496by building in support as follows.
497<P>The LPD server usually runs as user <CODE>daemon</CODE>,
498and opens files as
499<CODE>daemon</CODE>.
500The system administrator should establish a home directory for daemon,
501and use the PGP key generation facility to create a public and private key
502for the <CODE>daemon</CODE> user.
503By default,
504the PGP program puts the public and secret key rings in the
505<CODE>$HOME/.pgp/</CODE> directory,
506and sets them to be readable only by the user.
507You should log in temporarily as
508<CODE>daemon</CODE>,
509run the
510<CODE>pgp -kg</CODE>
511command,
512and then disable logins for <CODE>daemon</CODE>.
513<P>The user id chosen for the LPD server should be easily used to identify
514the server.
515For example,
516<CODE>lpr@hostname</CODE>,
517where hostname is the fully qualified domain name of the server is userful.
518<P>The next step is to place the passphrase in a file that is only readable by
519<CODE>daemon</CODE>,
520say
521<CODE>~daemon/.pgp/serverkey</CODE>,
522with owned by <CODE>daemon</CODE>,
523and with <CODE>600</CODE> permissions (read/write only by <CODE>daemon</CODE>).
524This is extremely important,
525as if any other users can read this file then security will be severely compromised.
526<P>The next step is to distribute the <CODE>lpr@hostname</CODE> public key to all users of the
527LPRng server,
528and to place the public keys of LPRng users in the <CODE>daemon</CODE> public key ring.
529This can be done using:
530<BLOCKQUOTE><CODE>
531<PRE>
532pgp -kxa userid destfile keyfile
533
534Example:
535> pgp -kxa lpr@astart /tmp/lprkey ~daemon/.pgp/pubring.pgp
536Key for user ID: lpr@astart
537512-bit key, key ID BB261B89, created 1999/01/01
538
539Transport armor file: /tmp/lprkey.asc
540Key extracted to file '/tmp/lprkey.asc'.
541</PRE>
542</CODE></BLOCKQUOTE>
543<P>User can add the <CODE>lpr@astart</CODE> key to their public key rings using:
544<BLOCKQUOTE><CODE>
545<PRE>
546pgp -ka /tmp/lprkey.asc
547</PRE>
548</CODE></BLOCKQUOTE>
549<P>Finally,  the administrator will need to add users public keys to the
550<CODE>daemon</CODE> users public key ring.  This can most easily be done by
551copying all the keys (in ASCII text form) to a single file
552(<CODE>/tmp/keyfile</CODE>)and using:
553<BLOCKQUOTE><CODE>
554<PRE>
555pgp -ka /tmp/keyfile ~daemon/.pgp/pubring.pgp
556</PRE>
557</CODE></BLOCKQUOTE>
558<H3><A NAME="pgpserverkey"></A> <A NAME="pgppassphrase"></A> <A NAME="pgppath"></A> PGP Configuration</H3>
559
560<P>Options used:
561<UL>
562<LI><CODE>pgp_path=</CODE><EM>path to PGP program</EM></LI>
563<LI><CODE>pgp_server_key=</CODE><EM>path to server passphrase file</EM></LI>
564<LI><CODE>pgp_passphrase=</CODE><EM>user passphrase file in PGPPATH or $HOME/.pgp</EM></LI>
565</UL>
566<P>The <CODE>pgp_path</CODE> option is the path to the PGP program.
567<P>The <CODE>pgp_server_key</CODE> is the path to the file containing the server passphrase.
568This file will be read by <CODE>lpd</CODE> to get the passphrase to unlock the server's
569keyring.
570<P>The LPRng client software will check to see if the
571<CODE>pgp_passphrase</CODE>  value (default <CODE>clientkey</CODE>) file in
572<CODE>$PGPPATH</CODE>, and if not present,
573then in <CODE>$HOME/.pgp</CODE>.
574By default, the <CODE>pass_env</CODE> option is <CODE>pass_env=PGPPASS,PGPPATH,PGPPASSFD</CODE>
575and will pass the values of the PGPPATH, PGPPASS,
576and PGPPASSFD environment variables.  See below for a method to use these.
577<P>Example printcap entry:
578<BLOCKQUOTE><CODE>
579<PRE>
580pr:
581    :lp=pr@wayoff
582    :auth=pgp
583    :auth_server_id=lpr@wayoff.com
584    :pgp_path=/usr/local/bin/pgp
585    :pgp_passphrase=.mypass
586</PRE>
587</CODE></BLOCKQUOTE>
588<P>One problem with using PGP is the need to have users input their
589passphrases.
590If the user is daring,  then the pass phrase can be put in the file:
591<CODE>  ~/.pgp/clientkey </CODE>.  This file will be read by the
592LPRng client program the contents passed to PGP as the passphrase.
593This file MUST have 0400 permissions (read only by user)
594and MUST owned by the user.
595<P>A more subtle solution is to use the <CODE>PGPPASSFD</CODE> environment variable
596facility.
597This causes PGP to read the passphrase from a file descriptor.
598If the user puts his passphrase in a file,  say
599<CODE>$(HOME)/.pgp/.hidden</CODE>,
600then the following shell script can be used.
601<BLOCKQUOTE><CODE>
602<PRE>
603#!/bin/sh
604#  /usr/local/bin/pgplpr script - passphrase in $(HOME)/.pgp/.hidden
605#
606PGPASSFD=3 3&lt;$(HOME)/.pgp/.hidden lpr "$@"
607</PRE>
608</CODE></BLOCKQUOTE>
609<H3>Permissions</H3>
610
611<P>If you wish to enforce the use of authentication,  then you
612should modify the lpd.perms file.  Here are some examples.
613<BLOCKQUOTE><CODE>
614<PRE>
615# force authentication
616REJECT NO AUTH
617REJECT NO AUTHTYPE=pgp
618</PRE>
619</CODE></BLOCKQUOTE>
620<H3>Client Configuration</H3>
621
622<P>One problem with using PGP is the need to have users input their
623passphrases.
624If the user is daring,  then the pass phrase can be put in the file:
625<CODE>  ~/.pgp/clientkey </CODE>.  This file will be read by the
626LPRng client program the contents passed to PGP as the passphrase.
627This file MUST have 0400 permissions (read only by user)
628and MUST owned by the user.
629<P>A more subtle solution is to use the <CODE>PGPPASSFD</CODE> environment variable
630facility.
631This causes PGP to read the passphrase from a file descriptor.
632If the user puts his passphrase in a file,  say
633<CODE>$(HOME)/.pgp/.hidden</CODE>,
634then the following shell script can be used.
635<BLOCKQUOTE><CODE>
636<PRE>
637#!/bin/sh
638#  /usr/local/bin/pgplpr script - passphrase in $(HOME)/.pgp/.hidden
639#
640PGPASSFD=3 3&lt;$(HOME)/.pgp/.hidden lpr "$@"
641</PRE>
642</CODE></BLOCKQUOTE>
643<P>By using the -V (verbose) flag,  users can see the results of the
644PGP interaction.
645<H2><A NAME="ss16.9">16.9 Using Kerberos 5 for Authentication</A>
646</H2>
647
648<P>LPRng Kerberos 5 authentication is
649based on the
650Kerberos5-1.0.5 release as of March 28, 1999.  This was obtained
651from MIT:
652<OL>
653<LI> ftp to ATHENA-DIST.MIT.EDU (18.159.0.42), login anonymous, password
654your_email_address</LI>
655<LI> Change into the directory '/pub/kerberos/</LI>
656<LI> Get the README files and look at the details of using FTP to get
657the distribution.  Note that there are also patches available
658which you might want to use.</LI>
659</OL>
660<P>Note that the distribution has only the most superficial documentation.
661There are no man pages for any of the support libraries, etc. etc.
662<H3><A NAME="kerberosforwardprincipal"></A> <A NAME="kerberosserverprincipal"></A> <A NAME="kerberosservice"></A> <A NAME="kerberosrenew"></A> <A NAME="kerberoslife"></A> <A NAME="kerberoskeytab"></A> Kerberos Installation Procedure</H3>
663
664<P>
665<OL>
666<LI> Get the Kerberos 5 distribution.</LI>
667<LI> Compile and install the distribution.</LI>
668<LI> Create the /etc/krb5.conf, /usr/local/var/krb5kdc/kdc.conf
669files using templates from the src/conf-files subdirectory.
670See the Installation notes and the System Administrators Guide.</LI>
671<LI> Don't forget to create the /usr/local/var/krb5kdc/kdc.acl file;
672I did and it took me HOURS to figure out what was wrong...</LI>
673<LI> Start up the KDC and KADMIN servers - you might want to put
674the following in your rc.local or equivalent file:
675<BLOCKQUOTE><CODE>
676<PRE>
677if [ -f /etc/krb5.conf -a -f /usr/local/var/krb5kdc/kdc.conf  ]; then
678    echo -n ' krb5kdc ';    /usr/local/sbin/krb5kdc;
679    echo -n ' kadmind ';    /usr/local/sbin/kadmind;
680fi
681</PRE>
682</CODE></BLOCKQUOTE>
683</LI>
684<LI> use kadmin (or kadmin.local) to create principals for your users.</LI>
685<LI> Now you need to create principals for the lprng servers.  I have been
686using
687<CODE>lpr/hostname.REALM</CODE>
688as a template-
689i.e.
690<CODE>lpr/astart1.astart.com@ASTART.COM</CODE>
691for an example.
692<P>Do this for all the servers.  You should use fully qualified domain names
693for the principals.
694</LI>
695<LI> Now you need to extract the keytab for each of the servers:
696<BLOCKQUOTE><CODE>
697<PRE>
698kadmin ...
699ktadd -k file_for_host  lpr/hostname.REALM
700</PRE>
701</CODE></BLOCKQUOTE>
702
703<P>The 'file_for_host' contains the keytab information, which is the
704equivalent information for the server.
705</LI>
706<LI> Copy the 'file_for_host' to the server (you might want to encrypt
707or use a secure transfer for this).  You need to put this in
708<CODE>/etc/lpd.keytab</CODE>.
709Make sure that this file is readable only by user <CODE>daemon</CODE>,
710as it will try to read the file to get its server key.
711<BLOCKQUOTE><CODE>
712<PRE>
713#> ls -l /etc/lpd.keytab
714-rw-------  1 daemon  wheel  128 Jan 16 11:06 /etc/lpd.keytab
715</PRE>
716</CODE></BLOCKQUOTE>
717</LI>
718<LI> Modify (uncomment) the following entries in <CODE>/etc/lpd.conf</CODE>:
719<BLOCKQUOTE><CODE>
720<PRE>
721auth=kerberos5
722kerberos_keytab=/etc/lpd.keytab
723kerberos_service=lpr
724# optional - explicit prinipal name for server, used by clients
725#kerberos_server_principal=lpr/hostname@REALM
726# optional - forwarding to another server with authentication
727# kerberos_forward_principal=lpr/hostname@REALM
728</PRE>
729</CODE></BLOCKQUOTE>
730
731<P>The
732<CODE>kerberos_keytab</CODE>
733entry is the location of the keytab file;
734kerberos_service is the service that will be used to generate
735a server principal name.
736This is the
737<CODE>lpr</CODE>
738used in the above key generation operations.
739<P>kerberos_life and kerberos_renew determine the lifetime and renewability
740of Kerberos tickets.  The lifetime defaults to 10
741hours,  and the ticket will be refreshed when it expires
742if necessary.
743</LI>
744<LI>You might like to check out the authentication using the sclient and
745sserver test programs.  These link in the kerberos authentication and
746allow you to test it without all of LPD being involved.
747<BLOCKQUOTE><CODE>
748<PRE>
749cd LPRng/src; make sserver sclient
750usage: sserver [-D] [-p port] [-s service] [-S keytab] file
751   -D turns debugging on
752   1. opens TCP   port 'port' (default 1234)
753   2. waits for a connection
754   3. when a connection comes in,  uses 'service' to get the principal
755       name of the server,  and looks up the key in keytab file.
756   4. Goes through the kerberos authentication.
757   5. Copies the input from remote server to 'file'
758   6. exits.
759 usage: sclient [-D] [-p port] [-s service] host file
760   -D turns debugging on
761   1. opens a connection to port on host (i.e. - host%port)
762   2. does the authentication.  You must have done kinit to get
763       for your ticket to be valid.
764   3. sends the file to remote host.
765</PRE>
766</CODE></BLOCKQUOTE>
767
768<P>To test this, start up sserver on one host/window, then run sclient.
769The error messages are pretty straight forward,
770and when in doubt,
771look at the source code which has more than sufficient information.
772</LI>
773</OL>
774<H3>Testing Transfers</H3>
775
776<P>Restart the server,
777and then try getting information using LPQ.
778<P>You can turn on tracing at LPQ to see if authentication is being used
779and is working:
780<BLOCKQUOTE><CODE>
781<PRE>
782lpq -Dnetwork,database
783</PRE>
784</CODE></BLOCKQUOTE>
785<P>If the lpq works,
786then try send a job and see if the transfer is successful.
787<H3>Explicit Server Principal Name</H3>
788
789<P>If you are using printers in different domains,  then you can
790put the explicit principal name of the server in the printcap file,
791using the server_principal entry.  For example:
792<BLOCKQUOTE><CODE>
793<PRE>
794lp_offsite
795    :lp=printer@erehwon.org
796    :auth=kerberos5
797    :auth_server_id=lpr/erehwon.org@BLUESKY.ORG
798</PRE>
799</CODE></BLOCKQUOTE>
800<H2><A NAME="ss16.10">16.10 Using Kerberos 4 for Authentication</A>
801</H2>
802
803<P>LPRng has built-in support for the Project Athena extensions to the
804RFC1179 protocol.
805These provide an extremely simple authentication protocol
806using an initial credential exchange.
807After the initial exchange the usual RFC1179 protocol is used.
808<P>To enable Kerberos 4 support,
809you must modify the <CODE>LPRng/src/Makefile</CODE> and recompile
810the LPRng code.
811You should be aware that this is not a supported extension,
812and is provided as a courtesy to MIT and Project Athena.
813<HR>
814<A HREF="LPRng-HOWTO-17.html">Next</A>
815<A HREF="LPRng-HOWTO-15.html">Previous</A>
816<A HREF="LPRng-HOWTO.html#toc16">Contents</A>
817</BODY>
818</HTML>
Note: See TracBrowser for help on using the repository browser.