---
layout: post
title: CUPS Introduction
category : Linux
tags : [Linux, Utilities]
---
`CUPS`全称为Common Unix Printing System,是类Unix系统上的通用打印系统,支持本地、远程打印。`CUPS`主要有以下组件或子系统组成:
* print spooler/scheduler: convert LPD requests to IPP; provide a web-based interface for managing print jobs, configurations
* filter system:convert the print data to specified formats
* backend system:send data to print devices
示意图如下:
## 配置文件
[root@cups]# pwd
/etc/cups
[root@cups]# tree
.
├── classes.conf
├── client.conf
├── cupsd.conf --> CUPS服务配置
├── cupsd.conf.default
├── interfaces
├── lpoptions
├── paps.convs
├── ppd
├── printers.conf --> 打印队列配置
├── snmp.conf
├── ssl
└── subscriptions.conf
3 directories, 10 files
以上配置文件介绍、作用、指令,大都可以使用`man file`来查看;若还有不明确的,可以访问`CUPS`服务的Online Help页面,内容比较详细。
## 认证示例
When you enable remote administration, the server will use Basic authentication for adminstration tasks. The current CUPS server supports Basic, Digest, Kerberos, and local certificate authentication:
* *Basic authentication* essentially places the clear text of the username and password on the network.
Since CUPS uses the system username and password account information, the authentication information could be used to gain access to possibly privileged accounts on the server.
Recommendation: Enable encryption to hide the username and password information - this is the default on MacOS X and systems with GNU TLS or OpenSSL installed.
* *Digest authentication* uses an MD5 checksum of the username, password, and domain ("CUPS"), so the original username and password is not sent over the network.
The current implementation does not authenticate the entire message and uses the client's IP address for the nonce value, making it possible to launch "man in the middle" and replay attacks from the same client.
Recommendation: Enable encryption to hide the username and password information.
* *Local certificate authentication* passes 128-bit "certificates" that identify an authenticated user. Certificates are created on-the-fly from random data and stored in files under /var/run/cups/certs. They have restricted read permissions: root + system-group(s) for the root certificate, and lp + lp for CGI certificates.
Because certificates are only available on the local system, the CUPS server does not accept local authentication unless the client is connected to the loopback interface (127.0.0.1 or ::1) or domain socket.
Recommendation: Ensure that unauthorized users are not added to the system group(s).
这里使用"Basic Authentication"介绍下使用系统账户访问`CUPS`服务的方式。
创建用户/用户组
[root@cups]# groupadd cupsadmin
[root@cups]# useradd -g cupsadmin -s /sbin/nologin cupsuser
[root@cups]# passwd cupsuser
更改`/etc/cups/cupsd.conf`配置
[root@cups]# vim /etc/cups/cupsd.conf
... ...
# Administrator user group...
# 2013-05-06 dylanninin@gmail.com customize SystemGroup to cupsadmin
SystemGroup cupsadmin
# Only listen for connections from the local machine.
#Listen localhost:631
# 2013-05-06 dylanninin@gmail.com listen on 631 port of all the interfaces
Listen 631
Listen /var/run/cups/cups.sock
# Show shared printers on the local network.
Browsing On
BrowseOrder allow,deny
BrowseAllow all
BrowseLocalProtocols CUPS dnssd
# Default authentication type, when authentication is required...
DefaultAuthType Basic
# Restrict access to the server...
# 2013-05-06 dylanninin@gmail.com access control
Order allow,deny
Allow all
Require valid-user
Require user @SYSTEM
# Restrict access to the admin pages...
# 2013-05-06 dylanninin@gmail.com access control
Order allow,deny
Allow all
Require valid-user
Require user @SYSTEM
# Restrict access to configuration files...
# 2013-05-06 dylanninin@gmail.com access control
AuthType Default
Require user @SYSTEM
Order allow,deny
Allow all
Require valid-user
Require user @SYSTEM
... ...
重启`CUPS`服务
[root@cups]# service cups restart
Stopping cups: [ OK ]
Starting cups: [ OK ]
使用浏览器打开`https://yourhostname:631`,输入用户名、密码即可看到管理界面,截图为证。
## 参考
* [CUPS wikipedia](https://en.wikipedia.org/wiki/CUPS)
* [利用CUPS配置Linux打印机](http://vbird.dic.ksu.edu.tw/linux_basic/0610hardware_2.php)