CUPS 1.3 adds Kerberos support which allows you to use a Key Distribution Center (KDC) for authentication on your local CUPS server and when printing to a remote authenticated queue. This document describes how to configure CUPS to use Kerberos authentication and provides helpful links to the MIT help pages for configuring Kerberos on your systems and network.
Note:In order to use Kerberos-authenticated shared printers, you must be running a version of MIT Kerberos with the krb5_cc_new_unique() function or Heimdal Kerberos. Otherwise, only local Kerberos authentication is supported.
Before you can use Kerberos with CUPS, you will need to configure Kerberos on your system and setup a system as a KDC. Because this configuration is highly system and site-specific, please consult the following on-line resources provided by the creators of Kerberos at the Massachussetts Institute of Technology (MIT):
The Linux Documentation Project also has a HOWTO on Kerberos:
Once you have configured Kerberos on your system(s), you can then enable Kerberos authentication by selecting the Negotiate authentication type. The simplest way to do this is using the cupsctl(8) command:
cupsctl DefaultAuthType=Negotiate
You can also enable Kerberos from the web interface by checking the Use Kerberos Authentication box and clicking Change Settings:
http://localhost:631/admin
After you have enabled Kerberos authentication, add AuthType Default lines to the policies you want to protect with authentication, for example:
Listing 1: Remote Printer Operation Policy
1 <Policy remote>
2 # Job-related operations must be done by the owner or an
administrator...
3 <Limit Send-Document Send-URI Hold-Job Release-Job
Restart-Job Purge-Jobs Set-Job-Attributes
Create-Job-Subscription Renew-Subscription
Cancel-Subscription Get-Notifications Reprocess-Job
Cancel-Current-Job Suspend-Current-Job Resume-Job
CUPS-Move-Job>
4 AuthType Default
5 Require user @OWNER @SYSTEM
6 Order deny,allow
7 </Limit>
8
9 # Require authentication when creating jobs
10 <Limit Create-Job Print-Job Print-URI>
11 AuthType Default
12 Require valid-user
13 Order deny,allow
14 </Limit>
15
16 # All administration operations require an administrator
to authenticate...
17 <Limit CUPS-Add-Printer CUPS-Delete-Printer
CUPS-Add-Class CUPS-Delete-Class CUPS-Set-Default>
18 AuthType Default
19 Require user @SYSTEM
20 Order deny,allow
21 </Limit>
22
23 # All printer operations require a printer operator
to authenticate...
24 <Limit Pause-Printer Resume-Printer
Set-Printer-Attributes Enable-Printer Disable-Printer
Pause-Printer-After-Current-Job Hold-New-Jobs
Release-Held-New-Jobs Deactivate-Printer Activate-Printer
Restart-Printer Shutdown-Printer Startup-Printer
Promote-Job Schedule-Job-After CUPS-Accept-Jobs
CUPS-Reject-Jobs>
25 AuthType Default
26 Require user varies by OS
27 Order deny,allow
28 </Limit>
29
30 # Only the owner or an administrator can cancel or
authenticate a job...
31 <Limit Cancel-Job CUPS-Authenticate-Job>
32 Require user @OWNER @SYSTEM
33 Order deny,allow
34 </Limit>
35
36 <Limit All>
37 Order deny,allow
38 </Limit>
39 </Policy>
CUPS implements Kerberos over HTTP using GSS API and the service name "ipp". Delegation of credentials, which is needed when printing to a remote/shared printer with Kerberos authentication, is currently only supported when using a single KDC on your network.
After getting a user's Kerberos credentials, CUPS strips the "@KDC" portion of the username so that it can check the group membership locally, effectively treating the Kerberos account as a local user account.