Kerberos for printers

[Brian Davidson]

Microsoft seems to support Kerberos for printing via IPP.  IPP is a 
layer on top of http, so I would think that the main thing to look for 
is kerberos support for http.  Microsoft has a proprietary solution for 
http kerberos authentication, and the IETF seems to be close to 
establishing a more generalized http authentication standard solution, 
http-sasl which also would support kerberos.  Hopefully once http-sasl 
is established it will become usable for IPP authentication.

In the "short term", you can set up a CUPS server to use basic 
authentication over SSL, and have PAM configured to use "kerberos 
authentication" for CUPS.  I put the quotes there because this isn't 
true kerberos authentication.  The username and password are being sent 
over the wire, and they are handled by a service, which clearly is not 
kerberos.  This will get you single-password though.  You can use 
nsswitch to lookup group information in LDAP, which could be used as a 
source of authorization information.

You would still need some mechanism for ensuring that only the CUPS 
server can talk to the printer.  The options available vary from 
printer to printer, but likely involve IP based authentication.  Some 
printers support IPP directly.  I have no idea if/how those support 
authentication.

This is what I'm looking at for our University, but we haven't deployed 
this [yet].  I'm hopeful that CUPS will support http-sasl once it's 
available, and that Microsoft will too.

Brian Davidson
George Mason University

On Apr 6, 2004, at 7:21 AM, mdj_kerberos wrote:

> Hi ,
>
>  I would like to lknow how kerberos is suitable for printers.I
> searched web for the docs.But i couldn't get any detailed informative
> document. Please let me know abt the links.
>
> thank you
> regds
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>