File: auth.htm

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
  <head>
    <meta name="generator" content="HTML Tidy, see www.w3.org">
    <title>Authentication Operations</title>
    <meta name="GENERATOR" content=
    "Modular DocBook HTML Stylesheet Version 1.71 ">
    <link rel="HOME" title=" LPRng-HOWTO" href="index.htm">
    <link rel="UP" title="Permissions and Authentication " href=
    "permsref.htm">
    <link rel="PREVIOUS" title="RFC1179 Protocol Extensions" href=
    "x8858.htm">
    <link rel="NEXT" title="Permission Checking" href="x8961.htm">
  </head>

  <body class="SECT1" bgcolor="#FFFFFF" text="#000000" link=
  "#0000FF" vlink="#840084" alink="#0000FF">
    <div class="NAVHEADER">
      <table summary="Header navigation table" width="100%" border=
      "0" cellpadding="0" cellspacing="0">
        <tr>
          <th colspan="3" align="center">LPRng-HOWTO: 1 Apr 2002
          (For LPRng-3.8.10)</th>
        </tr>

        <tr>
          <td width="10%" align="left" valign="bottom"><a href=
          "x8858.htm" accesskey="P">Prev</a></td>

          <td width="80%" align="center" valign="bottom">Chapter
          17. Permissions and Authentication</td>

          <td width="10%" align="right" valign="bottom"><a href=
          "x8961.htm" accesskey="N">Next</a></td>
        </tr>
      </table>
      <hr align="LEFT" width="100%">
    </div>

    <div class="SECT1">
      <h1 class="SECT1"><a name="AUTH">17.11. Authentication
      Operations</a></h1>

      <p>Options used:</p>

      <ul>
        <li>
          <p><tt class="LITERAL">auth=</tt><i class=
          "EMPHASIS">client to server authentication type</i></p>
        </li>

        <li>
          <p><tt class="LITERAL">auth_forward=</tt><i class=
          "EMPHASIS">server to server authentication type</i></p>
        </li>

        <li>
          <p><tt class="LITERAL">XX_id=</tt><i class=
          "EMPHASIS">server identification</i></p>
        </li>

        <li>
          <p><tt class="LITERAL">XX_forward_id=</tt><i class=
          "EMPHASIS">Server identification</i></p>
        </li>
      </ul>
      <br>
      <br>

      <p>A <b class="APPLICATION">LPRng</b> client <b class=
      "APPLICATION">lpr</b>, <b class="APPLICATION">lpq</b>, <b
      class="APPLICATION">lprm</b>, or <b class=
      "APPLICATION">lpc</b> to <b class="APPLICATION">lpd</b>
      server authenticated transfer proceeds as follows. If an
      authenticated transfer is specified by the <tt class=
      "LITERAL">auth=protocol</tt> entry in the printcap or
      configuration information, the client sends a request for an
      authenticated transfer to the server.</p>

      <p>Part of the authentication request is the authentication
      type. If authentication type <span class="ACRONYM">XX</span>
      is requested the server will examine the information in the
      printcap and configuration entries for an <tt class=
      "LITERAL">XX_id</tt> value. If this value is present then the
      server supports authentication of this type. Further
      permission checks are carried out and finally the server will
      accept or reject the authentication request. If the request
      is accepted the server returns a positive acknowledgment
      (single 0 byte) to the requester, otherwise it returns a
      nonzero value and an error message.</p>

      <p>If the request is accepted then an authentication specific
      protocol exchange is carried out between client and server.
      The commands and/or data files are encrypted and/or signed
      and transferred to the server. The protocol specific software
      on the server will then decrypt and/or check signatures,
      perform the requested actions, and in turn generate status
      information. The status information is encrypted and/or
      signed by the server and sent to the client, where the client
      decrypts it and/or checks it for a correct signature.</p>

      <p>A <b class="APPLICATION">lpd</b> server to <b class=
      "APPLICATION">lpd</b> server authenticated transfer proceeds
      as follows. If an authenticated transfer is specified by the
      <tt class="LITERAL">auth_forward=protocol</tt> entry in the
      printcap or configuration information, the originating server
      sends a request for an authenticated transfer to the
      destination server. The originating server plays the part of
      the client and performs the same set of actions.</p>

      <p>The following printcap or user level information needs to
      be provided for an authenticated exchange.</p>

      <ol type="1">
        <li>
          <p>The <tt class="LITERAL">auth</tt> option specifies the
          authentication type to be used for client to server
          transfers. For example, <tt class=
          "LITERAL">auth=kerberos</tt> or <tt class=
          "LITERAL">auth=kerberos5</tt> would specify Kerberos 5
          authentication, <tt class="LITERAL">auth=kerberos4</tt>
          would specify Kerberos 4 authentication, <tt class=
          "LITERAL">auth=pgp</tt> would specify PGP authentication,
          <tt class="LITERAL">auth=md5</tt> would specify MD5
          authentication, etc. The special form <tt class=
          "LITERAL">auth@</tt> specifies no authentication.</p>
        </li>

        <li>
          <p>The <tt class="LITERAL">auth_forward</tt> option
          specifies the authentication type to be used for server
          to server transfers. For example, <tt class=
          "LITERAL">auth_forward=kerberos5</tt> would specify
          Kerberos 5 authentication, etc. The special form <tt
          class="LITERAL">auth@</tt> specifies no
          authentication.</p>
        </li>

        <li>
          <p>The authenticated transfer request sent to a server
          has one of the following forms, depending on the
          originator:</p>

          <div class="INFORMALEXAMPLE">
            <a name="AEN8928"></a>
<pre class="SCREEN">
    \008printer C user_id authtype \n  - for commands (lpq, lpc, etc.)
    \008printer C user_id authtype size\n - for print jobs (lpr)
    \008printer F server_id authtype \n - forwarded commands (lpq, lpc, etc.)
    \008printer F server_id authtype size\n - forwarded print jobs (lpr)
</pre>
          </div>
          <br>
          <br>

          <p>The single character with the <tt class=
          "LITERAL">\008</tt> value signals that this is an
          authentication request, <tt class=
          "LITERAL">printer</tt> is the name of a print queue, and
          the <tt class="LITERAL">C</tt> (client) or <tt class=
          "LITERAL">F</tt> (forwarded) indicates whether the request
          is from a client program or is a forwarded request from a server.
          The <tt class="LITERAL">user_id</tt> or <tt class=
          "LITERAL">server_id</tt> field is an identifier supplied
          by the originator and is discussed below. If the <tt
          class="LITERAL">size</tt> value is present then the
          request is for a job transfer and this value represents
          the job size. It is used to determine if there is
          sufficient space in the spool queue for the job.</p>
        </li>

        <li>
          <p>The <tt class="LITERAL">user_id</tt> or <tt class=
          "LITERAL">server_id</tt> fields in the authentication
          request are obtained as follows. If the request
          originates from a client, then the <tt class=
          "LITERAL">user_id</tt> is the user name of the originator
          obtained from password information. If the request
          originates from a server, then the <tt class=
          "LITERAL">server_id</tt> is the printcap or configuration
          <tt class="LITERAL">xx_id=server_id</tt> value, where <tt
          class="LITERAL">xx</tt> is the value of the <tt class=
          "LITERAL">auth_forward=xx</tt> entry.</p>
        </li>

        <li>
          <p>When the authenticated transfer request is received,
          the destination will either return a single zero byte, or
          a non-zero byte value followed by additional refusal
          information. A refusal terminates the protocol
          exchange.</p>
        </li>

        <li>
          <p>Further exchanges are then determined by the
          authentication protocol specific requirements.</p>
        </li>

        <li>
          <p>Once the initial exchanges have been completed a user
          file and/or command will be transferred to the
          destination server.</p>
        </li>

        <li>
          <p>Authentication protocol specific <span class=
          "ACRONYM">AUTHFROM</span> and <span class=
          "ACRONYM">AUTHUSER</span> strings will be supplied to the
          lpd server for purposes of permission checking.</p>
        </li>

        <li>
          <p>The lpd server then carries out the requested
          operation, and will write error and status information
          into a file.</p>
        </li>

        <li>
          <p>After the requested activity has finished, the protocol
          specific module transfers the status information in the
          file to the requesting system and terminates the protocol
          exchange.</p>
        </li>
      </ol>
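      <p>The request line and the accept/refuse reply described in
      the steps above, as an added example that is not part of the
      LPRng sources: a strict parser for the four request forms and
      the server's first reply. It assumes that <tt class=
      "LITERAL">\008</tt> denotes the byte value 8; the names
      <tt class="LITERAL">parse_auth_request</tt>, <tt class=
      "LITERAL">server_reply</tt> and <tt class=
      "LITERAL">MAX_LINE</tt>, the refusal byte value 1 and the
      refusal text are hypothetical.</p>

```python
# Added example: strict parser for the authenticated transfer request line.
from dataclasses import dataclass
from typing import Optional

REQ_AUTH = 0x08          # assumption: the page's "\008" denotes byte value 8
MAX_LINE = 1024          # assumption: local cap on request length

@dataclass(frozen=True)
class AuthRequest:
    printer: str
    origin: str              # "C" = client, "F" = forwarded by a server
    ident: str               # user_id (C) or server_id (F)
    authtype: str
    size: Optional[int]      # present only for job transfers

def parse_auth_request(raw: bytes) -> AuthRequest:
    if len(raw) > MAX_LINE or not raw.endswith(b"\n"):
        raise ValueError("missing terminator or line too long")
    if raw[0] != REQ_AUTH:
        raise ValueError("not an authentication request")
    try:
        fields = raw[1:-1].decode("ascii").split()
    except UnicodeDecodeError:
        raise ValueError("non-ASCII bytes in request") from None
    if len(fields) not in (4, 5):
        raise ValueError("expected 4 or 5 fields")
    printer, origin, ident, authtype = fields[:4]
    if origin not in ("C", "F"):
        raise ValueError("origin must be C or F")
    size = None
    if len(fields) == 5:
        if not fields[4].isdigit():
            raise ValueError("size must be a decimal number")
        size = int(fields[4])
    return AuthRequest(printer, origin, ident, authtype, size)

def server_reply(req: AuthRequest, configured_ids: dict) -> bytes:
    # The server supports type XX only if an XX_id value is configured.
    if f"{req.authtype}_id" not in configured_ids:
        # Refusal: nonzero byte plus message (value 1 and text are assumptions).
        return b"\x01" + f"auth type {req.authtype} not supported\n".encode()
    return b"\x00"           # positive acknowledgment: single zero byte
```

      <p>The permission checks that follow the <tt class=
      "LITERAL">XX_id</tt> lookup are not modelled here; a real
      server can still refuse a request after this point.</p>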
      <br>
      <br>
    </div>

    <div class="NAVFOOTER">
      <hr align="LEFT" width="100%">

      <table summary="Footer navigation table" width="100%" border=
      "0" cellpadding="0" cellspacing="0">
        <tr>
          <td width="33%" align="left" valign="top"><a href=
          "x8858.htm" accesskey="P">Prev</a></td>

          <td width="34%" align="center" valign="top"><a href=
          "index.htm" accesskey="H">Home</a></td>

          <td width="33%" align="right" valign="top"><a href=
          "x8961.htm" accesskey="N">Next</a></td>
        </tr>

        <tr>
          <td width="33%" align="left" valign="top">RFC1179
          Protocol Extensions</td>

          <td width="34%" align="center" valign="top"><a href=
          "permsref.htm" accesskey="U">Up</a></td>

          <td width="33%" align="right" valign="top">Permission
          Checking</td>
        </tr>
      </table>
    </div>
  </body>
</html>