[Printing-architecture] RFC: Who uses Digest authentication with CUPS anymore?

Michael Sweet msweet at apple.com
Thu Dec 19 17:08:46 UTC 2013


CUPS has supported Digest authentication since CUPS 1.1b4.  Originally we added it to provide a more secure authentication method when we didn't support TLS, UNIX domain sockets, or PAM. But today we *do* support those things, making Digest an oddball in the grand scheme of things.  Password and account management is awkward and has to happen on the server using the "lppasswd" command (which you have to make setuid if you choose to use it...)

I'd like to get your collected feedback on removing Digest support from cupsd and the lppasswd command in CUPS 2.0.  We'd still leave client support in place so Digest authentication with a CUPS 1.x server would continue to work.

People upgrading their servers to 2.0 would also need to configure their systems to use the "digestfile" PAM module (http://digest.sourceforge.net) and create a TLS certificate, as needed.  Authentication against the Digest password file would use HTTP Basic (basically the same as "AuthType BasicDigest" in CUPS 1.x) and be 100% compatible with prior CUPS releases.


Michael Sweet, Senior Printing System Engineer, PWG Chair

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4881 bytes
Desc: not available
URL: <http://lists.linuxfoundation.org/pipermail/printing-architecture/attachments/20131219/139c6934/attachment.p7s>

More information about the Printing-architecture mailing list