Discussion:
cups user authentication for remote users: make it ask for a password!
Paul Johnson
2010-02-03 19:02:53 UTC
Permalink
I can't understand cups configuration for a network server. I want to
print from my laptop to my desktop, and it works fine to enable
sharing in cups.

However, that makes my desktop printer available to everybody on the
subnet. There does not appear to be a way to specify "all users on my
desktop computer" plus "paul on a remote system when he gives a
password". The cups user control thing seems to have no password
authentication framework.

Can you advise?
--
Paul E. Johnson
Professor, Political Science
1541 Lilac Lane, Room 504
University of Kansas
NoOp
2010-02-04 19:09:42 UTC
Permalink
Post by Paul Johnson
I can't understand cups configuration for a network server. I want to
print from my laptop to my desktop, and it works fine to enable
sharing in cups.
However, that makes my desktop printer available to everybody on the
subnet. There does not appear to be a way to specify "all users on my
desktop computer" plus "paul on a remote system when he gives a
password". The cups user control thing seems to have no password
authentication framework.
I think you are mixing references to 'network server' vs desktop
attached printer?

In System|Printer|Properties|Access Control you can 'Deny printing for
everyone except these users'. Alternately, you can simply turn off
shareing and use the Internet Printing Protocol (IPP) to access the
printer remotely. IPP supports encryption & compression[1].

Note you may have to specify

These might help:
http://www.cups.org/
http://www.cups.org/documentation.php
http://www.cups.org/documentation.php/network.html
[Internet Printing Protocol (IPP)]
https://help.ubuntu.com/9.10/serverguide/C/cups.html
https://help.ubuntu.com/community/NetworkPrintingWithUbuntu

[1] http://www.cups.org/documentation.php/doc-1.4/security.html
Encryption Issues
Paul Johnson
2010-02-06 03:19:54 UTC
Permalink
Post by NoOp
I can't understand cups configuration for a network server. ?I want to
print from my laptop to my desktop, and it works fine to enable
sharing in cups.
However, that makes my desktop printer available to everybody on the
subnet. ?There does not appear to be a way to specify "all users on my
desktop computer" plus "paul on a remote system when he gives a
password". The cups user control thing seems to have no password
authentication framework.
I think you are mixing references to 'network server' vs desktop
attached printer?
Well, I don't think I'm confusing the two. I think they are ACTUALLY
the same. My desktop computer is running CUPS and is acting as a
print server.

Observe the doc you refer me to

https://help.ubuntu.com/community/NetworkPrintingWithUbuntu

Ubuntu Print Server (running on my desktop) makes the printer
available on the subnet. I need that so I can print from my laptop.

It does not provide a way for me to keep out other users on the subnet.

Anybody who has a print client that can scan the subnet will see my
printer and can send jobs to it.

I agree with you that the user identity option in Ubuntu's
system-config-printer is intended for local users on the desktop
"server" system itself. And that's my point. There is no way to keep
out other users on the subnet.

Am I just reading all this wrong? If so, tell me how to secure my
desktop "print server" to stop neighbors on the network from sending
jobs to me. For the life of me, I can't see how to do it.

I see where I could use iptables to block some IP addresses, but since
my PC is on DHCP, and it could get any different number, that's
impractical.

pj
Post by NoOp
In System|Printer|Properties|Access Control you can 'Deny printing for
everyone except these users'. Alternately, you can simply turn off
shareing and use the Internet Printing Protocol (IPP) to access the
printer remotely. IPP supports encryption & compression[1].
Note you may have to specify
http://www.cups.org/
?http://www.cups.org/documentation.php
?http://www.cups.org/documentation.php/network.html
? [Internet Printing Protocol (IPP)]
https://help.ubuntu.com/9.10/serverguide/C/cups.html
https://help.ubuntu.com/community/NetworkPrintingWithUbuntu
[1] http://www.cups.org/documentation.php/doc-1.4/security.html
Encryption Issues
--
ubuntu-users mailing list
ubuntu-users at lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-users
--
Paul E. Johnson
Professor, Political Science
1541 Lilac Lane, Room 504
University of Kansas
Johnneylee Rollins
2010-02-06 03:25:15 UTC
Permalink
Post by Paul Johnson
Post by NoOp
I can't understand cups configuration for a network server. ?I want to
print from my laptop to my desktop, and it works fine to enable
sharing in cups.
However, that makes my desktop printer available to everybody on the
subnet. ?There does not appear to be a way to specify "all users on my
desktop computer" plus "paul on a remote system when he gives a
password". The cups user control thing seems to have no password
authentication framework.
I think you are mixing references to 'network server' vs desktop
attached printer?
Well, I don't think I'm confusing the two. I think they are ACTUALLY
the same. ?My desktop computer is running CUPS and is acting as a
print server.
Observe the doc you refer me to
https://help.ubuntu.com/community/NetworkPrintingWithUbuntu
Ubuntu Print Server ?(running on my desktop) makes the printer
available on the subnet. I need that so I can print from my laptop.
It does not provide a way for me to keep out other users on the subnet.
Anybody who has a print client that can scan the subnet will see my
printer and can send jobs to it.
I agree with you that the user identity option in Ubuntu's
system-config-printer is intended for local users on the desktop
"server" system itself. And that's my point. There is no way to keep
out other users on the subnet.
Am I just reading all this wrong? ?If so, tell me how to secure my
desktop "print server" to stop neighbors on the network from sending
jobs to me. ?For the life of me, I can't see how to do it.
I see where I could use iptables to block some IP addresses, but since
my PC is on DHCP, and it could get any different number, that's
impractical.
pj
1st order of business, don't top post.
Also, linux isn't like windows. It has the ability to handle multiple
users. You can create a user for your laptop to connect and print
with. It's really simple.

My diagnosis (I've been watching nip/tuck) is to add a user for you to
print with. I might be completely off though, I don't ever print with
computers and printers.

~SpaceGhost
NoOp
2010-02-06 03:56:42 UTC
Permalink
Post by Paul Johnson
Post by NoOp
Post by Paul Johnson
I can't understand cups configuration for a network server. I want to
print from my laptop to my desktop, and it works fine to enable
sharing in cups.
However, that makes my desktop printer available to everybody on the
subnet. There does not appear to be a way to specify "all users on my
desktop computer" plus "paul on a remote system when he gives a
password". The cups user control thing seems to have no password
authentication framework.
I think you are mixing references to 'network server' vs desktop
attached printer?
Well, I don't think I'm confusing the two. I think they are ACTUALLY
the same. My desktop computer is running CUPS and is acting as a
print server.
OK.
Post by Paul Johnson
Observe the doc you refer me to
https://help.ubuntu.com/community/NetworkPrintingWithUbuntu
Ubuntu Print Server (running on my desktop) makes the printer
available on the subnet. I need that so I can print from my laptop.
It does not provide a way for me to keep out other users on the subnet.
Anybody who has a print client that can scan the subnet will see my
printer and can send jobs to it.
Not if you turn off sharing and connect directly using ipp as I've
already advised. Give it a try eh? And if it doesn't work I'm happy to
take emails off list.
Post by Paul Johnson
I agree with you that the user identity option in Ubuntu's
system-config-printer is intended for local users on the desktop
"server" system itself. And that's my point. There is no way to keep
out other users on the subnet.
Sure there is, just use the gui properties as I've suggested; see below.
...
Post by Paul Johnson
Post by NoOp
In System|Printer|Properties|Access Control you can 'Deny printing for
everyone except these users'. Alternately, you can simply turn off
shareing and use the Internet Printing Protocol (IPP) to access the
printer remotely. IPP supports encryption & compression[1].
...

Do you not know, nor have the path/ip to your desktop? Obviously you do
otherwise you wouldn't be able to access the desktop/server/printer via
your laptop on the network & wouldn't be complaining about the above
being available to all on the same network. So figure out the proper
path/name/ip to the desktop, turn off sharing, enable ipp (that's port
631) on the router and/or ask your sysadmin to enable via port
forwarding, and print.
Linda
2010-02-13 04:21:31 UTC
Permalink
Post by Paul Johnson
Ubuntu Print Server (running on my desktop) makes the printer
available on the subnet. I need that so I can print from my laptop.
It does not provide a way for me to keep out other users on the subnet.
Anybody who has a print client that can scan the subnet will see my
printer and can send jobs to it.
I agree with you that the user identity option in Ubuntu's
system-config-printer is intended for local users on the desktop
"server" system itself. And that's my point. There is no way to keep
out other users on the subnet.
Am I just reading all this wrong? If so, tell me how to secure my
desktop "print server" to stop neighbors on the network from sending
jobs to me. For the life of me, I can't see how to do it.
I see where I could use iptables to block some IP addresses, but since
my PC is on DHCP, and it could get any different number, that's
impractical.
pj
You can alter /etc/cuspd.conf to deny access to anyone you don't want
printing from your subnet
There also is a way to make the cups server silent so it does not
broadcast its presence. I don't
remember where but you use to have to turn it on if you wanted it. It
should be in the CUPS manual somewhere

below is a link with inforamtion on the cupsd.conf file. Be sure to make
a copy before you play with it.

http://www.cups.org/documentation.php/ref-cupsd-conf.html

Linda

Loading...