Merge changes from r6781 to r6792 (CUPS 1.3.0)
<HTML>
<!-- SECTION: Getting Started -->
<HEAD>
<TITLE>Using Kerberos Authentication</TITLE>
</HEAD>
<BODY>

<P>CUPS 1.3 adds Kerberos support which allows you to use a Key Distribution
Center (KDC) for authentication on your local CUPS server and when printing
to a remote authenticated queue. This document describes how to configure
CUPS to use Kerberos authentication and provides helpful links to the MIT
help pages for configuring Kerberos on your systems and network.</P>

<BLOCKQUOTE><B>Note:</B>

<P>In order to use Kerberos-authenticated shared printers, you <EM>must</EM> be
running a version of MIT Kerberos with the <TT>krb5_cc_new_unique()</TT>
function or Heimdal Kerberos. Otherwise, only local Kerberos authentication
is supported.</P>

</BLOCKQUOTE>


<H2 CLASS="title"><A NAME="KRB5">Configuring Kerberos on Your System</A></H2>

<P>Before you can use Kerberos with CUPS, you will need to configure
Kerberos on your system and set up a system as a KDC. Because this
configuration is highly system- and site-specific, please consult
the following on-line resources provided by the creators of Kerberos
at the Massachusetts Institute of Technology (MIT):</P>

<UL>

<LI><A HREF="http://web.mit.edu/kerberos/">Kerberos: The Network
Authentication Protocol</A></LI>

<LI><A HREF="http://web.mit.edu/macdev/KfM/Common/Documentation/faq-osx.html">Kerberos
on Mac OS X Frequently Asked Questions</A></LI>

</UL>

<P>The Linux Documentation Project also has a HOWTO on Kerberos:</P>

<UL>

<LI><A HREF="http://tldp.org/HOWTO/html_single/Kerberos-Infrastructure-HOWTO/">Kerberos
Infrastructure HOWTO</A></LI>

</UL>


<H2 CLASS="title"><A NAME="CUPS">Configuring CUPS to Use Kerberos</A></H2>

<P>Once you have configured Kerberos on your system(s), you can then
enable Kerberos authentication by selecting the <tt>Negotiate</tt>
authentication type. The simplest way to do this is using the
<tt>cupsctl(8)</tt> command:</P>

<PRE CLASS="command">
<KBD>cupsctl DefaultAuthType=Negotiate</KBD>
</PRE>

<P>You can also enable Kerberos from the web interface by checking the
<VAR>Use Kerberos Authentication</VAR> box and clicking <VAR>Change
Settings</VAR>:</P>

<PRE CLASS="command">
http://localhost:631/admin
</PRE>

<P>After you have enabled Kerberos authentication, add <tt>AuthType Default</tt>
lines to the policies you want to protect with authentication, for example:</P>

<PRE CLASS="command">
<EM>Listing 1: <A NAME="LISTING01">Remote Printer Operation Policy</A></EM>

&lt;Policy remote>
  # Job-related operations must be done by the owner or an administrator...
  &lt;Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job CUPS-Move-Job>
    AuthType Default
    Require user @OWNER @SYSTEM
    Order deny,allow
  &lt;/Limit>

  # Require authentication when creating jobs
  &lt;Limit Create-Job Print-Job Print-URI>
    AuthType Default
    Require valid-user
    Order deny,allow
  &lt;/Limit>

  # All administration operations require an administrator to authenticate...
  &lt;Limit CUPS-Add-Printer CUPS-Delete-Printer CUPS-Add-Class CUPS-Delete-Class CUPS-Set-Default>
    AuthType Default
    Require user @SYSTEM
    Order deny,allow
  &lt;/Limit>

  # All printer operations require a printer operator to authenticate...
  &lt;Limit Pause-Printer Resume-Printer Set-Printer-Attributes Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After CUPS-Accept-Jobs CUPS-Reject-Jobs>
    AuthType Default
    Require user <em>varies by OS</em>
    Order deny,allow
  &lt;/Limit>

  # Only the owner or an administrator can cancel or authenticate a job...
  &lt;Limit Cancel-Job CUPS-Authenticate-Job>
    Require user @OWNER @SYSTEM
    Order deny,allow
  &lt;/Limit>

  &lt;Limit All>
    Order deny,allow
  &lt;/Limit>
&lt;/Policy>
</PRE>


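A policy like Listing 1 is only as strong as its least-protected <tt>&lt;Limit></tt>: every operation not covered by a <tt>Require</tt> line, including whatever falls through to <tt>&lt;Limit All></tt>, is accepted without authentication. The following Python script is an added example (not CUPS project code) that parses the <tt>&lt;Policy></tt>/<tt>&lt;Limit></tt> layout shown above, resolves <tt>AuthType Default</tt> against the server's <tt>DefaultAuthType</tt> (the value set with <tt>cupsctl DefaultAuthType=Negotiate</tt>), and reports which operations need no authentication at all. The embedded configuration is a constructed, abridged copy of Listing 1; the operator <tt>&lt;Limit></tt> is left out because its <tt>Require</tt> line varies by OS.

```python
"""Audit which IPP operations a cupsd.conf <Policy> protects with authentication.

Added example, not CUPS project code. It parses the <Policy>/<Limit> layout
used in Listing 1 and resolves "AuthType Default" against the server's
DefaultAuthType (the value set with "cupsctl DefaultAuthType=Negotiate").
"""
import re
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Limit:
    operations: list                             # IPP operation names, or "All"
    auth_type: Optional[str] = None              # value of the AuthType line, if any
    require: list = field(default_factory=list)  # tokens after "Require"
    order: Optional[str] = None


# Constructed sample modelled on Listing 1 (abridged; the printer-operator
# Limit is omitted because its Require line varies by OS).
SAMPLE_POLICY = """\
<Policy remote>
  # Job-related operations must be done by the owner or an administrator...
  <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job CUPS-Move-Job>
    AuthType Default
    Require user @OWNER @SYSTEM
    Order deny,allow
  </Limit>
  # Require authentication when creating jobs
  <Limit Create-Job Print-Job Print-URI>
    AuthType Default
    Require valid-user
    Order deny,allow
  </Limit>
  # All administration operations require an administrator to authenticate...
  <Limit CUPS-Add-Printer CUPS-Delete-Printer CUPS-Set-Default>
    AuthType Default
    Require user @SYSTEM
    Order deny,allow
  </Limit>
  # Only the owner or an administrator can cancel or authenticate a job...
  <Limit Cancel-Job CUPS-Authenticate-Job>
    Require user @OWNER @SYSTEM
    Order deny,allow
  </Limit>
  <Limit All>
    Order deny,allow
  </Limit>
</Policy>
"""


def parse_policies(text):
    """Return {policy_name: [Limit, ...]} from cupsd.conf-style text."""
    policies, limits, limit = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and blank lines
        if not line:
            continue
        if m := re.fullmatch(r"<Policy\s+(\S+)>", line, re.IGNORECASE):
            limits = policies[m.group(1)] = []
        elif re.fullmatch(r"</Policy>", line, re.IGNORECASE):
            limits = limit = None
        elif m := re.fullmatch(r"<Limit\s+(.+?)>", line, re.IGNORECASE):
            if limits is None:
                raise ValueError("<Limit> outside of a <Policy> block")
            limit = Limit(operations=m.group(1).split())
            limits.append(limit)
        elif re.fullmatch(r"</Limit>", line, re.IGNORECASE):
            limit = None
        elif limit is not None:                      # directive inside a <Limit>
            parts = line.split(None, 1)
            keyword = parts[0].lower()               # cupsd.conf keywords are case-insensitive
            rest = parts[1] if len(parts) > 1 else ""
            if keyword == "authtype":
                limit.auth_type = rest.strip()
            elif keyword == "require":
                limit.require = rest.split()
            elif keyword == "order":
                limit.order = rest.strip()
    return policies


def effective_auth_type(limit, default_auth_type):
    """Resolve "AuthType Default" to DefaultAuthType; None means no AuthType line."""
    if limit.auth_type is not None and limit.auth_type.lower() == "default":
        return default_auth_type
    return limit.auth_type


def audit_policy(policies, name, default_auth_type="Negotiate"):
    """Map every operation to (auth_type, require_tokens) and collect findings:
    Limits without a Require line, and operations listed in more than one Limit."""
    rules, findings = {}, []
    for limit in policies[name]:
        auth = effective_auth_type(limit, default_auth_type)
        ops = " ".join(limit.operations)
        if not limit.require:
            findings.append(f"{ops}: no Require line, so these operations need no authentication")
        for op in limit.operations:
            if op in rules:
                findings.append(f"{op}: listed in more than one <Limit>")
                continue
            rules[op] = (auth, tuple(limit.require))
    return rules, findings


if __name__ == "__main__":
    rules, findings = audit_policy(parse_policies(SAMPLE_POLICY), "remote")
    for op, (auth, require) in sorted(rules.items()):
        print(f"{op:24} AuthType={(auth or '(none)'):10} Require={' '.join(require) or '(none)'}")
    for finding in findings:
        print("FINDING:", finding)
```

Run against a real <tt>cupsd.conf</tt>, pass the file contents to <tt>parse_policies</tt> and the <tt>DefaultAuthType</tt> actually configured on the server; the single finding for the sample is the catch-all <tt>&lt;Limit All></tt>, which is exactly the block to review when deciding which further operations should carry <tt>AuthType Default</tt>.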
<H2 CLASS="title"><A NAME="IMPLEMENT">Implementation Information</A></H2>

<P>CUPS implements Kerberos over HTTP using GSSAPI and the service name
"ipp". Delegation of credentials, which is needed when printing to a
remote/shared printer with Kerberos authentication, is currently only supported
when using a single KDC on your network.</P>

<P>After getting a user's Kerberos credentials, CUPS strips the "@KDC"
portion (the realm) of the username so that it can check group membership locally,
effectively treating the Kerberos account as a local user account.</P>

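The realm-stripping behaviour above is what connects a Kerberos principal to the <tt>Require user @OWNER @SYSTEM</tt> rules in Listing 1. The following Python snippet is an added example (not CUPS project code) that models that step: it strips the realm, then evaluates a <tt>Require</tt> token list (<tt>valid-user</tt>, <tt>user</tt> with <tt>@OWNER</tt>, <tt>@SYSTEM</tt>, <tt>@group</tt> or a plain name, and <tt>group</tt>) against a constructed stand-in for the local group database; the <tt>GROUPS</tt> table, the <tt>SYSTEM_GROUPS</tt> tuple and the user names are all made up for the example. It also shows the caveat that follows from discarding the realm: principals from different realms with the same short name become the same local user, which is only safe while a single realm (the single KDC the page describes) is trusted.

```python
"""Evaluate a cupsd.conf "Require" rule after the Kerberos realm is stripped.

Added example, not CUPS project code. GROUPS and SYSTEM_GROUPS are constructed
stand-ins for the local group database and the SystemGroup setting.
"""
from collections import defaultdict

# Constructed stand-in for the local group database (group name -> members).
GROUPS = {
    "lpadmin": {"root", "carol"},
    "wheel": {"root"},
    "printops": {"dave"},
}
SYSTEM_GROUPS = ("lpadmin", "wheel")      # the groups @SYSTEM resolves to


def local_user(principal):
    """Strip the realm: "alice@EXAMPLE.COM" is checked as the local user "alice"."""
    return principal.partition("@")[0]


def in_group(user, group, groups=GROUPS):
    return user in groups.get(group, ())


def require_allows(require, principal, job_owner=None,
                   system_groups=SYSTEM_GROUPS, groups=GROUPS):
    """Return True if the authenticated principal satisfies the Require tokens.

    require is the token list after "Require", e.g. ["user", "@OWNER", "@SYSTEM"].
    An empty list (no Require line) places no restriction at all.
    """
    if not require:
        return True
    kind, targets = require[0].lower(), require[1:]
    user = local_user(principal)
    if kind == "valid-user":                  # any authenticated user
        return True
    if kind == "user":
        for target in targets:
            if target == "@OWNER":            # the job's originating user
                if job_owner is not None and user == local_user(job_owner):
                    return True
            elif target == "@SYSTEM":         # member of any SystemGroup
                if any(in_group(user, g, groups) for g in system_groups):
                    return True
            elif target.startswith("@"):      # @name: member of group "name"
                if in_group(user, target[1:], groups):
                    return True
            elif target == user:              # a literal user name
                return True
        return False
    if kind == "group":
        return any(in_group(user, g, groups) for g in targets)
    raise ValueError(f"unknown Require kind: {require[0]}")


def realm_collisions(principals):
    """Principals from different realms that collapse onto one local user.

    Because the realm is discarded, the local checks above cannot tell such
    principals apart; that is safe only while a single realm is trusted.
    """
    realms = defaultdict(set)
    for principal in principals:
        name, _, realm = principal.partition("@")
        realms[name].add(realm)
    return {name: sorted(r) for name, r in realms.items() if len(r) > 1}


if __name__ == "__main__":
    rule = ["user", "@OWNER", "@SYSTEM"]
    for who in ("alice@EXAMPLE.COM", "bob@EXAMPLE.COM", "carol@EXAMPLE.COM"):
        print(who, "may cancel alice's job:", require_allows(rule, who, job_owner="alice"))
    print(realm_collisions(["alice@CORP.EXAMPLE", "alice@LAB.EXAMPLE", "bob@CORP.EXAMPLE"]))
```

With the sample table, <tt>alice</tt> passes the rule as the job owner, <tt>carol</tt> passes through <tt>lpadmin</tt> membership, and <tt>bob</tt> is refused; <tt>realm_collisions</tt> is the check to run over the principals a server actually sees if more than one realm is ever configured.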
</BODY>
</HTML>