Welcome to Linux教程網

Introduction to CUPS

Date: 2017/2/27 15:58:52   Editor: Linux教程
CUPS stands for Common Unix Printing System. It is the general-purpose printing system on Unix-like systems and supports both local and remote printing. CUPS is made up mainly of the following components or subsystems:
  • print spooler/scheduler: converts LPD requests to IPP; provides a web-based interface for managing print jobs and configuration
  • filter system: converts the print data to the specified formats
  • backend system: sends data to print devices

[Diagram: CUPS Simple]
Configuration files
[root@cups]# pwd
/etc/cups

[root@cups]# tree 
.
├── classes.conf                  
├── client.conf
├── cupsd.conf                        --> CUPS service configuration
├── cupsd.conf.default
├── interfaces
├── lpoptions
├── paps.convs
├── ppd
├── printers.conf                 --> print queue configuration
├── snmp.conf
├── ssl
└── subscriptions.conf

3 directories, 10 files
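The description, purpose and directives of most of the configuration files above can be looked up with man file; for anything that is still unclear, see the Online Help pages of the CUPS service, which are fairly detailed.
Authentication example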
When you enable remote administration, the server will use Basic authentication for administration tasks. The current CUPS server supports Basic, Digest, Kerberos, and local certificate authentication:
  • Basic authentication essentially places the clear text of the username and password on the network. Since CUPS uses the system username and password account information, the authentication information could be used to gain access to possibly privileged accounts on the server.
    Recommendation: Enable encryption to hide the username and password information - this is the default on MacOS X and systems with GNU TLS or OpenSSL installed.
  • Digest authentication uses an MD5 checksum of the username, password, and domain (“CUPS”), so the original username and password are not sent over the network. The current implementation does not authenticate the entire message and uses the client’s IP address for the nonce value, making it possible to launch “man in the middle” and replay attacks from the same client.
    Recommendation: Enable encryption to hide the username and password information.
  • Local certificate authentication passes 128-bit “certificates” that identify an authenticated user. Certificates are created on-the-fly from random data and stored in files under /var/run/cups/certs. They have restricted read permissions: root + system-group(s) for the root certificate, and lp + lp for CGI certificates. Because certificates are only available on the local system, the CUPS server does not accept local authentication unless the client is connected to the loopback interface (127.0.0.1 or ::1) or domain socket.
    Recommendation: Ensure that unauthorized users are not added to the system group(s).
The rest of this section uses “Basic Authentication” to show how to access the CUPS service with a system account.

Create the user/group
[root@cups]# groupadd cupsadmin
[root@cups]# useradd -g cupsadmin -s /sbin/nologin cupsuser
[root@cups]# passwd  cupsuser
Edit the /etc/cups/cupsd.conf configuration
[root@cups]# vim /etc/cups/cupsd.conf
... ...

# Administrator user group...
# 2013-05-06 [email protected]  customize SystemGroup to cupsadmin
SystemGroup cupsadmin


# Only listen for connections from the local machine.
#Listen localhost:631
# 2013-05-06 [email protected] listen on 631 port of all the interfaces
Listen 631
Listen /var/run/cups/cups.sock

# Show shared printers on the local network.
Browsing On
BrowseOrder allow,deny
BrowseAllow all
BrowseLocalProtocols CUPS dnssd

# Default authentication type, when authentication is required...
DefaultAuthType Basic

# Restrict access to the server...
# 2013-05-06 [email protected] access control
<Location />
  Order allow,deny
  Allow all
  Require valid-user
  Require user @SYSTEM
</Location>

# Restrict access to the admin pages...
# 2013-05-06 [email protected] access control
<Location /admin>
  Order allow,deny
  Allow all
  Require valid-user
  Require user @SYSTEM
</Location>

# Restrict access to configuration files...
# 2013-05-06 [email protected] access control
<Location /admin/conf>
  AuthType Default
  Require user @SYSTEM
  Order allow,deny
  Allow all
  Require valid-user
  Require user @SYSTEM
</Location>
... ...
Restart the CUPS service
[root@cups]# service cups restart
Stopping cups:                                             [  OK  ]
Starting cups:                                             [  OK  ]

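Open https://yourhostname:631 in a browser and enter the username and password to see the administration interface. [Screenshot: CUPS administration interface]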
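A review pass over a cupsd.conf like the one above, as an added example that is not part of the original page or of CUPS itself: it flags Listen/Port lines that bind every interface, Location blocks that allow all addresses without any Require line, and Basic authentication combined with an explicit DefaultEncryption downgrade. The function name, the finding codes and the sample text are assumptions made up for this illustration.

```python
import re
# Constructed sample condensed from this page's cupsd.conf excerpt; the
# DefaultEncryption line and the missing Require under /admin are added here.
SAMPLE = """\
Listen 631
Listen /var/run/cups/cups.sock
DefaultAuthType Basic
DefaultEncryption IfRequested
<Location />
  Allow all
  Require valid-user
</Location>
<Location /admin>
  Allow all
</Location>
"""

def audit_cupsd_conf(text):
    """Return (code, detail) findings for the text of a cupsd.conf file."""
    findings, location, loc, seen = [], None, {}, {}
    for raw in text.splitlines():
        parts = raw.split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        m = re.match(r"<Location\s+(\S+)>$", raw.strip(), re.I)
        if m:
            location, loc = m.group(1), {"allow_all": False, "require": False}
        elif key == "</location>" and location is not None:
            if loc["allow_all"] and not loc["require"]:
                findings.append(("OPEN_LOCATION", location))
            location = None
        elif location is not None:
            if key == "allow" and value.lower() in ("all", "from all"):
                loc["allow_all"] = True
            elif key == "require":
                loc["require"] = True
        elif key in ("listen", "port"):
            # A bare port or a wildcard host binds every interface.
            if re.fullmatch(r"(\*:|0\.0\.0\.0:|\[::\]:)?\d+", value):
                findings.append(("LISTEN_ALL", value))
        elif key in ("defaultauthtype", "defaultencryption"):
            seen[key] = value.lower()
    # Only an explicit downgrade is flagged; an unset DefaultEncryption is not.
    enc = seen.get("defaultencryption")
    if seen.get("defaultauthtype") == "basic" and enc in ("never", "ifrequested"):
        findings.append(("BASIC_CLEARTEXT", enc))
    return findings
```

Calling audit_cupsd_conf(open("/etc/cups/cupsd.conf").read()) on the server gives the same list of findings for the live file.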