CUPS 1.3 adds Kerberos support which allows you to use a Key Distribution Center (KDC) for authentication on your local CUPS server and when printing to a remote authenticated queue. This document describes how to configure CUPS to use Kerberos authentication and provides helpful links to the MIT help pages for configuring Kerberos on your systems and network.
Note:In order to use Kerberos-authenticated shared printers, you must be running a version of MIT Kerberos with the krb5_cc_new_unique() function or Heimdal Kerberos. Otherwise, only local Kerberos authentication is supported.
Before you can use Kerberos with CUPS, you will need to configure Kerberos on your system and setup a system as a KDC. Because this configuration is highly system and site-specific, please consult the following on-line resources provided by the creators of Kerberos at the Massachussetts Institute of Technology (MIT):
The Linux Documentation Project also has a HOWTO on Kerberos:
Once you have configured Kerberos on your system(s), you can then enable Kerberos authentication by selecting the Negotiate authentication type. The simplest way to do this is using the cupsctl(8) command:
cupsctl DefaultAuthType=Negotiate
You can also enable Kerberos from the web interface by checking the Use Kerberos Authentication box and clicking Change Settings:
http://localhost:631/admin
After you have enabled Kerberos authentication, add AuthType Default lines to the policies you want to protect with authentication, for example:
Listing 1: Remote Printer Operation Policy 1 <Policy remote> 2 # Job-related operations must be done by the owner or an administrator... 3 <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job CUPS-Move-Job> 4 AuthType Default 5 Require user @OWNER @SYSTEM 6 Order deny,allow 7 </Limit> 8 9 # Require authentication when creating jobs 10 <Limit Create-Job Print-Job Print-URI> 11 AuthType Default 12 Require valid-user 13 Order deny,allow 14 </Limit> 15 16 # All administration operations require an administrator to authenticate... 17 <Limit CUPS-Add-Printer CUPS-Delete-Printer CUPS-Add-Class CUPS-Delete-Class CUPS-Set-Default> 18 AuthType Default 19 Require user @SYSTEM 20 Order deny,allow 21 </Limit> 22 23 # All printer operations require a printer operator to authenticate... 24 <Limit Pause-Printer Resume-Printer Set-Printer-Attributes Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After CUPS-Accept-Jobs CUPS-Reject-Jobs> 25 AuthType Default 26 Require user varies by OS 27 Order deny,allow 28 </Limit> 29 30 # Only the owner or an administrator can cancel or authenticate a job... 31 <Limit Cancel-Job CUPS-Authenticate-Job> 32 Require user @OWNER @SYSTEM 33 Order deny,allow 34 </Limit> 35 36 <Limit All> 37 Order deny,allow 38 </Limit> 39 </Policy>
CUPS implements Kerberos over HTTP using GSS API and the service name "ipp". Delegation of credentials, which is needed when printing to a remote/shared printer with Kerberos authentication, is currently only supported when using a single KDC on your network.
After getting a user's Kerberos credentials, CUPS strips the "@KDC" portion of the username so that it can check the group membership locally, effectively treating the Kerberos account as a local user account.