A LPRng client lpr, lpq, lprm, or lpc to lpd
server authenticated transfer proceeds as follows. If an
authenticated transfer is specified by the auth=protocol entry in the printcap or
configuration information, the client sends a request for an
authenticated transfer to the server.
Part of the authentication request is the authentication
type. If authentication type XX
is requested the server will examine the information in the
printcap and configuration entries for an XX_id value. If this value is present then the
server supports authentication of this type. Further
permission checks are carried out and finally the server will
accept or reject the authentication request. If the request
is accepted the server returns a positive acknowledgment
(single 0 byte) to the requester, otherwise it returns a
nonzero value and an error message.
If the request is accepted then an authentication specific
protocol exchange is carried out between client and server.
The commands and/or data files are encrypted and/or signed
and transferred to the server. The protocol specific software
on the server will then decrypt and/or check signatures,
perform the requested actions, and in turn generate a status
information. The status information is encrypted and/or
signed by the server and sent to the client, where the client
decrypts and/or checked for correct signature.
A lpd server to lpd server authenticated transfer proceeds
as follows. If an authenticated transfer is specified by the
auth_forward=protocol entry in the
printcap or configuration information, the originating server
sends a request for an authenticated transfer to the
destination server. The originating server plays the part of
the client and performs the same set of actions.
The following printcap or user level information needs to
be provided for an authenticated exchange.
The auth option specifies the
authentication type to be used for client to server
transfers. For example, auth=kerberos or auth=kerberos5 or would specify Kerberos 5
authentication, auth=kerberos4
would specify Kerberos 4 authentication, auth=pgp would specify PGP authentication,
auth=md5 would specify MD5
authentication, etc. The special form auth@ specifies no authentication.
The auth_forward option
specifies the authentication type to be used for server
to server transfers. For example, auth_forward=kerberos5 would specify
Kerberos 5 authentication, etc. The special form auth@ specifies no
authentication.
The authenticated transfer request sent to a server
has one of the following forms, depending on the
originator:
\008printer C user_id authtype \n - for commands (lpq, lpc, etc.)
\008printer C user_id authtype size\n - for print jobs (lpr)
\008printer F server_id authtype \n - forwarded commands (lpq, lpc, etc.)
\008printer F server_id authtype size\n - forwarded print jobs (lpr)
The single character with the \008 value signals that this is an
authentication request the printer is the name of a print queue, and
the C (client) or F indicates that the request is from a
client program or is a forwarded request from a server.
The user_id or server_id field is an identifier supplied
by the originator and is discussed below. If the size value is present then the
request is for a job transfer and this value represents
the job size. It is used to determine if there is
sufficient space in the spool queue for the job.
The user_id or server_id fields in the authentication
request are obtained as follows. If the request
originates from a client, then the user_id is the user name of the originator
obtained from password information. If the request
originates from a server, then the server_id is the printcap or configuration
xx_id=server_id value, where xx is the value of the auth_forward=xx entry.
When the authenticated transfer request is received,
the destination will either return a single zero byte, or
a non-zero byte value followed by additional refusal
information. A refusal terminates the protocol
exchange.
Further exchanges are then determined by the
authentication protocol specific requirements.
Once the initial exchanges have been completed a user
file and/or command will be transferred to the
destination server.
An authentication protocol specific AUTHFROM and AUTHUSER strings will be supplied to the
lpd server for purposes of permission checking.
The lpd server then carries out the requested
operation, and will write error and status information
into a file.
After the requested activity has finished, protocol
specific module transfer the status information in the
file to the requesting system and terminate the protocol
exchange.