LPRng Reference Manual: 3 May 2004 (For LPRng-3.8.27) | ||
---|---|---|
Prev | Chapter 17. Permissions and Authentication | Next |
LPRng has built-in support for using SSL as an authentication method. The implementation is based on OpenSSL 0.9.6c and the associated libraries as of of 3 June 2002. The distribution was obtained from the OpenSSL group from the http://www.openssl.org Website.
SSL authentication is based a private key/secret key technology, where the various keys are placed in files (or data structures) called certificates or certs, and the certificates are signed by calculating a checksum over the certificate, encypting the checksum and other information using the private key of a signing certificate. The top level or root certificate is signed by its own key; lower level signing certificates can be created which are signed by the top level or root certificate, and in turn can sign other signing certificates. User certificates can be created and signed by a signing certificate which can be used in the SSL protocol for authentication purposes. The following objects are needed to use SSL encryption.
A top level or root certificates and a set of signing certificates. By convention, these are stored in the /etc/lpd/ssl.ca directory; the root certificate is usually the ca.crt file.
Each server has a certificate and private key file which are used to identify the server and sign the SSL messages. The private key file is usually stored in an encrypted form and a password is required unlock the file. By convention, the server files are stored in the /etc/lpd/ssl.server directory; the server.crt file contains the server certificate and (encrypted) private key; the server.pwd file contains the password to decrypt the private key.
Each user has a certificate and private key file which are used to identify the user and sign the SSL messages. The private key file is usually stored in an encrypted form and a password is required unlock the file. By convention, the user files are stored in the ${HOME}/.lpr directory; the client.crt file contains the client certificate and (encrypted) private key; the client.pwd file contains the password to decrypt the private key.
A utility to create and manage the SSL certificate files.
The locations of the SSL files can be specified by various options to configure facility and by values in the the lpd.conf file.
The lprng_cert utility is used to set up the various directories and files required for SSL authentication. This code was derived from similar facilities developed for the mod_ssl extensions to the Apache web server. This interactive utility is very verbose and has extensive comments and assistance.
h110: {111} % lprng_certs lprng_certs -- LPRng SSL Certificate Management Copyright (c) 2002 Patrick Powell Based on CCA by Ralf S. Engelschall (Copyright (c) 1998-2001 Ralf S. Engelschall, All Rights Reserved.) usage: lprng_certs option init - make directory structure newca - make new root CA and default values for certs defaults - set new default values for certs gen - generate user, server, or signing cert verify [cert] - verify cert file index [dir] - make certificate index files in directory dir encrypt keyfile - set or change password on private key file
The lprng_certs init option will create the necessary directories for the LPRng software on a system. The lprng_certs newca option will create the root level certificate and set up a set of defaults for the creation of other certificates. The lprng_certs defaults option allows viewing and editting of the various default values. The lprng_certs gen option is used to create and sign new certificate files. The OpenSSL software assumes that the file names of the signing certificate files have a special format; the lprng_certs index creates links of the required format to the certificate files. Finally, the lprng_certs verify and the lprng_certs encrypt facilities can be used to verify that the certificate files have the proper format and to change the private key password respectively.
The lprng_certs newca option is used to create a new root signing certificate and to establish defaults.
h110: {112} #> lprng_certs newca lprng_certs -- LPRng SSL Certificate Management Copyright (c) 2002 Patrick Powell Based on CCA by Ralf S. Engelschall (Copyright (c) 1998-2001 Ralf S. Engelschall, All Rights Reserved.) INITIALIZATION - SET DEFAULTS ... ______________________________________________________________________ STEP 1: Generating RSA private key for CA (1024 bit) ______________________________________________________________________ STEP 2: Generating X.509 certificate signing request for CA ______________________________________________________________________ STEP 3: Generating X.509 certificate for CA signed by itself ______________________________________________________________________ RESULT: /etc/lpd/ssl.ca/ca.crt: /C=US/ST=California/L=San Diego/O=Astart/OU=Certificate Authority/\ CN=Astart CA/Email=id@astart.com error 18 at 0 depth lookup:self signed certificate OK ______________________________________________________________________ STEP 4. Encrypting RSA private key with a pass phrase for security The contents of the certificate key file (the generated private key) should be echo kept secret, especially so if it is used to sign Certificates or for User authentication. SSL experts strongly recommend you to encrypt the key file with a Triple-DES cipher and a Pass Phrase. When using LPRng, you provide the password via a file specified by the LPR_SSL_PASSWORD environent variable, or in the ${HOME}/.lpr/client.pwd file. The LPD server uses the ssl_server_password_file option to specify the location of a file containing the password. See the LPRng Reference Manual for details, or the printcap(5) man page. key file is /etc/lpd/ssl.ca/ca.key Encrypt the private key now? [Y/n]: y Fine, you're using an encrypted private key to sign CERTS.
The lprng_certs gen option allows the creation of client and server identification certificates. By convention, these are created in a default directory and the system administrator then copies them to the appropriate client or server directory.
h110: {112} #> lprng_certs gen lprng_certs -- LPRng SSL Certificate Management Copyright (c) 2002 Patrick Powell Based on CCA by Ralf S. Engelschall (Copyright (c) 1998-2001 Ralf S. Engelschall, All Rights Reserved.) CERTIFICATE GENERATION What type of certificate? User/Server/Signing Authority/Help? [u/s/a/H] Create in '/etc/lpd/ssl.certs' [return for yes, or specify directory] CERT name 'user-10'? [return for yes, or specify name] papowell CERT name 'papowell'? [return for yes, or specify name] Creating papowell in /etc/lpd/ssl.certs Sign with Certificate '/etc/lpd/ssl.ca/ca.crt' \ [return for yes, ? for list, or specify cert file] ? Possible CERTS in directory '/etc/lpd/ssl.ca' are: /etc/lpd/ssl.ca/ca.crt /etc/lpd/ssl.ca/signer1.crt /etc/lpd/ssl.ca/tsign.crt Sign with Certificate '/etc/lpd/ssl.ca/ca.crt' \ [return for yes, ? for list, or specify cert file] signer1 Match Found /etc/lpd/ssl.ca/signer1.crt Sign with Certificate '/etc/lpd/ssl.ca/signer1.crt' \ [return for yes, ? for list, or specify cert file] Private key in /etc/lpd/ssl.ca/signer1.crt Generating user Certificate [papowell] STEP 1: Generating RSA private key for user (1024 bit) STEP 2: Generating X.509 certificate signing request for user .... STEP 3: Generating X.509 certificate signed by /etc/lpd/ssl.ca/signer1.crt ... RESULT: /etc/lpd/ssl.certs/papowell.crt: OK STEP 4. Enrypting RSA private key /etc/lpd/ssl.certs/papowell.key with a pass phrase for security Encrypt the private key now? [Y/n]: Fine, you're using an encrypted private key to sign CERTS. STEP 5: Combine CERT and KEY file Generate single CERT and KEY file? [Y/n] Use the following commands to examine the CERT and KEY files: openssl x509 -text -in /etc/lpd/ssl.certs/papowell.crt openssl rsa -text -in /etc/lpd/ssl.certs/papowell.crt
After the certificate file has been created, then it should be copied to the appropriate location: /etc/lpd/ssl.server/server.crt and the password in /etc/lpd/ssl.server/server.pwd, for a server or ${HOME}/.lpr/client.crt and the password in ${HOME}/.lpr/client.pwd for a user.
Having only one signing certificate, i.e. - the root certificate, may make it difficult to delegate authority for the creation of user certificates and/or server certificates. The lprng_certs gen facility can be used to create a certificate that can be used to sign other certificates.
The certificate revocation facility is not implemented in LPRng, due to various technical and management issues. Instead, the AUTHUSER and AUTHCA and