17.15. Using SSL for Authentication

LPRng has built-in support for using SSL as an authentication method. The implementation is based on OpenSSL 0.9.6c and the associated libraries as of of 3 June 2002. The distribution was obtained from the OpenSSL group from the http://www.openssl.org Website.

SSL authentication is based a private key/secret key technology, where the various keys are placed in files (or data structures) called certificates or certs, and the certificates are signed by calculating a checksum over the certificate, encypting the checksum and other information using the private key of a signing certificate. The top level or root certificate is signed by its own key; lower level signing certificates can be created which are signed by the top level or root certificate, and in turn can sign other signing certificates. User certificates can be created and signed by a signing certificate which can be used in the SSL protocol for authentication purposes. The following objects are needed to use SSL encryption.

  1. A top level or root certificates and a set of signing certificates. By convention, these are stored in the /etc/lpd/ssl.ca directory; the root certificate is usually the ca.crt file.

  2. Each server has a certificate and private key file which are used to identify the server and sign the SSL messages. The private key file is usually stored in an encrypted form and a password is required unlock the file. By convention, the server files are stored in the /etc/lpd/ssl.server directory; the server.crt file contains the server certificate and (encrypted) private key; the server.pwd file contains the password to decrypt the private key.

  3. Each user has a certificate and private key file which are used to identify the user and sign the SSL messages. The private key file is usually stored in an encrypted form and a password is required unlock the file. By convention, the user files are stored in the ${HOME}/.lpr directory; the client.crt file contains the client certificate and (encrypted) private key; the client.pwd file contains the password to decrypt the private key.

  4. A utility to create and manage the SSL certificate files.

The locations of the SSL files can be specified by various options to configure facility and by values in the the lpd.conf file.

17.15.1. Certificate Management

The lprng_cert utility is used to set up the various directories and files required for SSL authentication. This code was derived from similar facilities developed for the mod_ssl extensions to the Apache web server. This interactive utility is very verbose and has extensive comments and assistance.

h110: {111} % lprng_certs
lprng_certs -- LPRng SSL Certificate Management
Copyright (c) 2002 Patrick Powell
Based on CCA by Ralf S. Engelschall
(Copyright (c) 1998-2001 Ralf S. Engelschall, All Rights Reserved.)

usage: lprng_certs option
  init              - make directory structure
  newca             - make new root CA and default values for certs
  defaults          - set new default values for certs
  gen               - generate user, server, or signing cert
  verify [cert]     - verify cert file
  index [dir]       - make certificate index files in directory dir
  encrypt keyfile   - set or change password on private key file

The lprng_certs init option will create the necessary directories for the LPRng software on a system. The lprng_certs newca option will create the root level certificate and set up a set of defaults for the creation of other certificates. The lprng_certs defaults option allows viewing and editting of the various default values. The lprng_certs gen option is used to create and sign new certificate files. The OpenSSL software assumes that the file names of the signing certificate files have a special format; the lprng_certs index creates links of the required format to the certificate files. Finally, the lprng_certs verify and the lprng_certs encrypt facilities can be used to verify that the certificate files have the proper format and to change the private key password respectively.

17.15.2. Creating Root Certificate

The lprng_certs newca option is used to create a new root signing certificate and to establish defaults.

h110: {112} #> lprng_certs newca
lprng_certs -- LPRng SSL Certificate Management
Copyright (c) 2002 Patrick Powell
Based on CCA by Ralf S. Engelschall
(Copyright (c) 1998-2001 Ralf S. Engelschall, All Rights Reserved.)

INITIALIZATION - SET DEFAULTS
...  
______________________________________________________________________

STEP 1: Generating RSA private key for CA (1024 bit)
______________________________________________________________________

STEP 2: Generating X.509 certificate signing request for CA
______________________________________________________________________

STEP 3: Generating X.509 certificate for CA signed by itself
______________________________________________________________________

RESULT:
/etc/lpd/ssl.ca/ca.crt:
/C=US/ST=California/L=San Diego/O=Astart/OU=Certificate Authority/\
 CN=Astart CA/Email=id@astart.com
error 18 at 0 depth lookup:self signed certificate
OK
______________________________________________________________________

STEP 4. Encrypting RSA private key with a pass phrase for security
The contents of the certificate key file (the generated private
key) should be echo kept secret, especially so if it is used to
sign Certificates or for User authentication.  SSL experts strongly
recommend you to encrypt the key file with a Triple-DES cipher and
a Pass Phrase.  When using LPRng, you provide the password via a
file specified by the LPR_SSL_PASSWORD environent variable, or in
the ${HOME}/.lpr/client.pwd file.  The LPD server uses the
ssl_server_password_file option to specify the location of a file
containing the password.  See the LPRng Reference Manual for details, or the
printcap(5) man page.

key file is /etc/lpd/ssl.ca/ca.key
Encrypt the private key now? [Y/n]: y
Fine, you're using an encrypted private key to sign CERTS.

17.15.3. Creating Client and Server Certificates

The lprng_certs gen option allows the creation of client and server identification certificates. By convention, these are created in a default directory and the system administrator then copies them to the appropriate client or server directory.

h110: {112} #> lprng_certs gen
lprng_certs -- LPRng SSL Certificate Management
Copyright (c) 2002 Patrick Powell
Based on CCA by Ralf S. Engelschall
(Copyright (c) 1998-2001 Ralf S. Engelschall, All Rights Reserved.)

CERTIFICATE GENERATION
What type of certificate? User/Server/Signing Authority/Help? [u/s/a/H]
Create in '/etc/lpd/ssl.certs' [return for yes, or specify directory]
CERT name 'user-10'? [return for yes, or specify name] papowell
CERT name 'papowell'? [return for yes, or specify name] 
Creating papowell in /etc/lpd/ssl.certs
Sign with Certificate '/etc/lpd/ssl.ca/ca.crt' \
   [return for yes, ? for list, or specify cert file] ?
Possible CERTS in directory '/etc/lpd/ssl.ca' are:
/etc/lpd/ssl.ca/ca.crt
/etc/lpd/ssl.ca/signer1.crt
/etc/lpd/ssl.ca/tsign.crt
Sign with Certificate '/etc/lpd/ssl.ca/ca.crt'  \
  [return for yes, ? for list, or specify cert file] signer1
Match Found /etc/lpd/ssl.ca/signer1.crt
Sign with Certificate '/etc/lpd/ssl.ca/signer1.crt'  \
  [return for yes, ? for list, or specify cert file]
Private key in /etc/lpd/ssl.ca/signer1.crt

Generating user Certificate [papowell] 

STEP 1: Generating RSA private key for user (1024 bit)

STEP 2: Generating X.509 certificate signing request for user
....

STEP 3: Generating X.509 certificate signed by /etc/lpd/ssl.ca/signer1.crt
...

RESULT:
/etc/lpd/ssl.certs/papowell.crt: OK

STEP 4. Enrypting RSA private key /etc/lpd/ssl.certs/papowell.key
  with a pass phrase for security

Encrypt the private key now? [Y/n]: Fine, you're using an encrypted
  private key to sign CERTS.

STEP 5: Combine CERT and KEY file
Generate single CERT and KEY file? [Y/n] 

Use the following commands to examine the CERT and KEY files:
   openssl x509 -text -in /etc/lpd/ssl.certs/papowell.crt
   openssl rsa -text -in /etc/lpd/ssl.certs/papowell.crt

After the certificate file has been created, then it should be copied to the appropriate location: /etc/lpd/ssl.server/server.crt and the password in /etc/lpd/ssl.server/server.pwd, for a server or ${HOME}/.lpr/client.crt and the password in ${HOME}/.lpr/client.pwd for a user.

17.15.4. Creating Signing Certificates

Having only one signing certificate, i.e. - the root certificate, may make it difficult to delegate authority for the creation of user certificates and/or server certificates. The lprng_certs gen facility can be used to create a certificate that can be used to sign other certificates.

17.15.5. Permissions and Certificate Revocation

The certificate revocation facility is not implemented in LPRng, due to various technical and management issues. Instead, the AUTHUSER and AUTHCA and