17.10. Authentication Operations

Options used:



A LPRng client lpr, lpq, lprm, or lpc to lpd server authenticated transfer proceeds as follows. If an authenticated transfer is specified by the auth=protocol entry in the printcap or configuration information, the client sends a request for an authenticated transfer to the server.

Part of the authentication request is the authentication type. If authentication type XX is requested the server will examine the information in the printcap and configuration entries for an XX_id value. If this value is present then the server supports authentication of this type. Further permission checks are carried out and finally the server will accept or reject the authentication request. If the request is accepted the server returns a positive acknowledgment (single 0 byte) to the requester, otherwise it returns a nonzero value and an error message.

If the request is accepted then an authentication specific protocol exchange is carried out between client and server. The commands and/or data files are encrypted and/or signed and transferred to the server. The protocol specific software on the server will then decrypt and/or check signatures, perform the requested actions, and in turn generate a status information. The status information is encrypted and/or signed by the server and sent to the client, where the client decrypts and/or checked for correct signature.

The auth authentication type is used as a prefix to look up authentication specific information in the printcap or configuration information. For example, if auth=kerberos, then kerberos_id, kerberos_forward_id, and other information would be extracted from the printcap or configuration information.

A lpd server to lpd server authenticated transfer proceeds as follows. If an authenticated transfer is specified by the auth_forward=protocol entry in the printcap or configuration information, the originating server sends a request for an authenticated transfer to the destination server. The originating server plays the part of the client and performs the same set of actions.

The following printcap or user level information needs to be provided for an authenticated exchange.

  1. The auth option specifies the authentication type to be used for client to server transfers. For example, auth=kerberos or auth=kerberos5 or would specify Kerberos 5 authentication, auth=kerberos4 would specify Kerberos 4 authentication, auth=pgp would specify PGP authentication, auth=md5 would specify MD5 authentication, etc. The special form auth@ specifies no authentication.

  2. The auth_forward option specifies the authentication type to be used for server to server transfers. For example, auth_forward=kerberos5 would specify Kerberos 5 authentication, etc. The special form auth@ specifies no authentication.

  3. The AUTHTYPE_id option specifies the identification to be used for the destination in client to server transfers. For example, kerberos_id would specify the principal name of the lpd server to be used by the client for the client to server kerberos authentication.

  4. When forwarding a job to a remote server, the AUTHTYPE_forward_id option specifies the identification to be used for the destination in server to server transfers. For example, kerberos_id would specify the principal name of the originating lpd server and the kerberos_forward_id option specifies the destination server kerberos id.

  5. When forwarding a job to a remote server, if the original job does not have an authenticated user name or identification, then the AUTHTYPE_default_client_id option specifies the name to be used to identify the job. As discussed in later sections, this will be the A record value of the transferred control file.

  6. The authenticated transfer request sent to a server has one of the following forms, depending on the originator:

        \008printer C user_id authtype \n  - for commands (lpq, lpc, etc.)
        \008printer C user_id authtype size\n - for print jobs (lpr)
        \008printer F server_id authtype \n - forwarded commands (lpq, lpc, etc.)
        \008printer F server_id authtype size\n - forwarded print jobs (lpr)
    


    The single character with the \008 value signals that this is an authentication request the printer is the name of a print queue, and the C (client) or F indicates that the request is from a client program or is a forwarded request from a server. The user_id or server_id field is an identifier supplied by the originator and is discussed below. If the size value is present then the request is for a job transfer and this value represents the job size. It is used to determine if there is sufficient space in the spool queue for the job.

  7. The user_id or server_id fields in the authentication request are obtained as follows. If the request originates from a client, then the user_id is the user name of the originator obtained from password information. If the request originates from a server, then the server_id is the printcap or configuration xx_id=server_id value, where xx is the value of the auth_forward=xx entry.

  8. When the authenticated transfer request is received, the destination will either return a single zero byte, or a non-zero byte value followed by additional refusal information. A refusal terminates the protocol exchange.

  9. Further exchanges are then determined by the authentication protocol specific requirements.

  10. Once the initial exchanges have been completed a user file and/or command will be transferred to the destination server.

  11. An authentication protocol specific AUTHFROM and AUTHUSER strings will be supplied to the lpd server for purposes of permission checking.

  12. The lpd server then carries out the requested operation, and will write error and status information into a file.

  13. After the requested activity has finished, protocol specific module transfer the status information in the file to the requesting system and terminate the protocol exchange.