LPRng Reference Manual: 24 Sep 2004 (For LPRng-3.8.28) | ||
---|---|---|
Prev | Chapter 17. Permissions and Authentication | Next |
One of the major problems in a print spooler system is providing privacy and authentication services for users. One method is to construct a specific set of protocols which will be used for providing the privacy or authentication; another is to provide a simple interface to a set of tools that will do the authentication and/or encryption.
LPRng provides native support for the MIT Kerberos 4 extensions and Kerberos 5 authentication.
LPRng uses the OpenSSL libraries to support SSL authentication and encrypted data transfers.
LPRng has native support for the PGP (Pretty Good Privacy) program and can sign and optionally encrypt command and responses between servers and clients. Due to legal restrictions, an external PGP program must be used for this purpose.
A simple MD5 hash based authentication scheme is also provided as an example to illustrate how new or different authentication methods can be adddd.
Finally, LPRng provide a general purpose interface allowing users to insert their own authentication methods, either at the program level or at the code level.
A careful study of the authentication problem shows that it should be done during reception of commands and/or jobs from a remote user and/or spooler. At this time the following must be done:
The received command must be checked for consistency, and the remote user and host must be determined.
The remote user and host must be authenticated.
The command and/or spooling operation must be carried out.
The results must be returned to the remote system.
To accomplish these goals, the following printcap entries are used:
auth=AUTHTYPE - pgp, kerberos, etc
AUTHTYPE_path=pathname - the pathname of a program to be used to support this authentication type
AUTHTYPE_id=identification - the identification of the server for the authentication method. For example, the kerberos principal for the server, the PGP key id for the server, and so forth.
AUTHTYPE_server_key=identification - location of a file on the server where a key used to unlock or encrypt a message is kept.
AUTHTYPE_forward_id=identification - the identification of the remote destination, This is used by the server when forwarding a job to a remote destination. By default, the AUTHTYPE_id value is used by the server as its identification.
AUTHTYPE_default_client=identification - when forwarding a job and the job arrived via an unauthenticated method, use this as the default client identification.