
LPRng with Kerberos

I've been having a lot of fun trying to set up LPRng to be a kerberized print server. Of course, other people have already done all the hard work of integrating Kerberos into the LPRng code base, and there are some HOWTO pages detailing exactly how to enable it in the build configuration and compile it. Being at MIT, I could have just installed Athena and had their configuration automagically make the printer work (although I don't fully trust their configuration now that I've gone through the process of getting this working and looked at their files).

The first step, and the easiest at the time for me, was to just get the printer working locally with LPRng. This is different for every printer, so I won't really detail what I had to do for this part. In my case, running Debian and using an HP OfficeJet, I had to install hpijs and hpoj and configure them. (Update 2005/04/08) I'm now using an HP LaserJet IIIp which doesn't require hpijs or hpoj but Just Works (tm).

As a bit of a disclaimer, I'm not 100% certain that every configuration option I enabled was necessary, nor am I absolutely sure that I have completely locked down my printer so that only I can print to it.

To use Kerberos, make sure you have a keytab that is readable by lpd. Make sure you know the principal inside that keytab also. On the print server, my lpd.conf contains use_auth and default_auth lines telling the server to use Kerberos. kerberos_keytab points to the location of the keytab file. kerberos_service is where knowing what principal the keytab is for comes in handy: its value should be the service component of the principal in the keytab. So if your principal is host/engineer.mit.edu, kerberos_service should be host. If your principal is daemon/engineer.mit.edu, kerberos_service=daemon. The print clients will need to know this value eventually also.
The user_is_authuser line is an attempt to ignore the name of the user that is in the control file or who requested the job and instead get at the user whose Kerberos principal is behind the command.

Next up on the print server is lpd.perms, which is attempting to allow only me to print and control my printer. Since it's sitting in my closet, I don't really want to let other people print to it, but I also want to be able to print to it from anywhere that I've got Kerberos tickets (hence doing all of this in the first place) even though my local username might be different (i.e. I'm rradez on Athena, rob on my laptop, robr on some other systems). The bottom line is a pretty clear default deny policy. It also makes it kind of hard to figure out what kind of permissions are necessary to actually do things. Actually, so does a default accept. The first line, accepting connections and job printing from anywhere, is impossible to limit to authenticated users, at least as far as my reading of man lpd.perms implies. The second line is the one that actually limits everything to my Kerberos principal. It accepts spooling, lpq, lprm, and lpc commands from users authenticated through Kerberos whose sender authentication id is my Kerberos principal. I'm contemplating breaking out most of the lpc stuff to be allowed only for my root instance, but that might be a little paranoid.

On the client side, I had already configured my machine to deal with Athena printers, so my client lpd.conf already had a kerberos_service=daemon line in it. This can be a problem if your server's kerberos_service is not daemon, but it's possible to work around it. The call to get_hesiod_pcap is just to retrieve printcap lines from hesiod. The client's printcap file contained the line:

rradez:rp=rradez:rm=ENGINEER.MIT.EDU:ka#0:mc#0:auth=kerberos5:xn:

If your server's kerberos_service is not daemon, you can add a kerberos_service=foo entry in the printcap line.
In my case, I also asked hesreq nicely to add a pcap entry into the hesiod database for me so that I didn't have to edit the printcap file of every host I wanted to print from, or do some other environment variable trick.

When I was trying to make sure that LPRng's Kerberos code was working properly, I used their debugging tools sclient and sserver, but I had to make some small changes to them to get them working. First, I had to comment some code out (diffs available in klprng/) and then move the files from lprng-3.8.28/src/AUTHENTICATE to lprng-3.8.28/src/.
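To make the two halves of this setup concrete, here is an added example (not LPRng's code and not the author's own files) that parses the client printcap entry quoted above and models the server's default-deny lpd.perms policy as a first-match rule list, so that sample requests can be checked against the two ACCEPT lines the post describes. The principal OWNER@EXAMPLE.REALM is a placeholder, the rule encoding is a simplification of the real lpd.perms grammar, and the SERVICE letter mapping follows lpd.perms(5) (X connection, P job printing, R spooling, Q lpq, M lprm, C lpc).

```python
"""Model of the kerberized LPRng setup from the post (added example).

Two pieces: a parser for the colon-separated printcap format shown on the
page, and a tiny first-match evaluator for an lpd.perms-style policy with a
default REJECT, used to show which requests the two ACCEPT lines let through.
"""

# Constructed sample: the client printcap line quoted in the post.
PRINTCAP_LINE = "rradez:rp=rradez:rm=ENGINEER.MIT.EDU:ka#0:mc#0:auth=kerberos5:xn:"


def parse_printcap(line):
    """Split a one-line printcap entry into (printer name, capabilities).

    'key=value' is a string capability, 'key#number' is numeric, and a bare
    key is a boolean flag (like 'xn' in the sample line).
    """
    fields = [f for f in line.split(":") if f]
    name, caps = fields[0], {}
    for field in fields[1:]:
        if "=" in field:
            key, value = field.split("=", 1)
            caps[key] = value
        elif "#" in field:
            key, value = field.split("#", 1)
            caps[key] = int(value)
        else:
            caps[field] = True
    return name, caps


def kerberos_service_for(caps, lpd_conf_default="daemon"):
    """Service name the client will request for this printer.

    A kerberos_service entry in the printcap line overrides the client's
    lpd.conf default, which is the workaround the post describes.
    """
    return caps.get("kerberos_service", lpd_conf_default)


# Simplified server policy, mirroring the two lines described in the post:
# connections and job printing from anywhere; spooling/lpq/lprm/lpc only for
# one Kerberos-authenticated principal; everything else falls to the default.
SERVER_PERMS = [
    {"action": "ACCEPT", "service": set("XP")},
    {"action": "ACCEPT", "service": set("RQMC"),
     "authtype": "kerberos5",
     "authuser": "OWNER@EXAMPLE.REALM"},  # placeholder principal, not the author's
]
DEFAULT_ACTION = "REJECT"


def decide(request, perms=SERVER_PERMS, default=DEFAULT_ACTION):
    """First matching rule wins; a rule matches when its SERVICE set contains
    the request's service and every other key in the rule equals the
    request's value (an unauthenticated request has no authtype/authuser)."""
    for rule in perms:
        if request["service"] not in rule["service"]:
            continue
        conditions = {k: v for k, v in rule.items() if k not in ("action", "service")}
        if all(request.get(k) == v for k, v in conditions.items()):
            return rule["action"]
    return default


if __name__ == "__main__":
    name, caps = parse_printcap(PRINTCAP_LINE)
    print(name, caps, "->", kerberos_service_for(caps))
    owner = {"authtype": "kerberos5", "authuser": "OWNER@EXAMPLE.REALM"}
    for label, req in [
        ("connect, anyone", {"service": "X"}),
        ("lpr, unauthenticated", {"service": "R"}),
        ("lpr, owner", {"service": "R", **owner}),
        ("lprm, other principal", {"service": "M", "authtype": "kerberos5",
                                   "authuser": "someone-else@EXAMPLE.REALM"}),
    ]:
        print(f"{label}: {decide(req)}")
```

Running the file shows the point the post makes: the connection and printing services are open to anyone because the first line carries no authentication keys, while spooling, lpq, lprm and lpc are rejected for anything that is not the configured kerberos5 principal.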
Copyright (c) 2003,2004 Rob Radez. Last modified Friday, 08-Apr-2005 16:07:48 EDT.