[1884] in Enterprise Print Delivery Team
Authenticated Printing
daemon@ATHENA.MIT.EDU (Lynne E. Durland)
Tue Nov 6 14:48:59 2001
Message-Id: <5.0.2.1.2.20011106144940.00b1dcc8@hesiod>
Date: Tue, 06 Nov 2001 14:52:50 -0500
To: printdel@MIT.EDU
From: "Lynne E. Durland" <durland@MIT.EDU>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed

Greetings Teamies,

Just when you thought it was safe to print your files...............

Rick Rosa in the graduate admissions office switched from a Mac to a PC
running NT 4.0. This uncovered the fact that central-letter and
central-3hole were not set to require authentication. This has been rectified.

In looking at and trying to replicate the problem, I found that a KLP queue
set up before the authentication was turned on will indeed send the print
file, with the username being the NT login, if the user does not have
tickets, with no Kerberos complaints. This is documented on the KLP web pages.

I also found that several applications requiring Kerberos, including
KLP, will NOT prompt the user for ticket information if the machine has
no tickets.

From the KLP documentation:

What if I try to print something when I don't have tickets?

If the printer requires authentication, as determined
above, the user will be notified, and prompted to retry or cancel. If the
printer does not require authentication, the job will be sent with KLP's
best guess as to the user's identity. The guessing method is described in
the Identity section.

If the queue was set up after the requirement for authentication was set,
KLP will not send the file, but will put up an error message stating no
tickets, cancel/retry. This sounds like what Rick was talking about
earlier today, but his files were still submitted.

I also found that when I deinstalled KLP for Windows from my machine,
I could still print to central-letter, using an HCL_LPR port. Part of that
setup includes a box for username, and you can enter anything. I can also
submit print using the hcl_lpr with KLP installed. (There are two files in
the IPM queue from PrinterQueen)

So there may be a bug in KLP that Rick uncovered.

But there is also a huge hole in the security around print submission. We
can recommend, suggest and require the use of KLP all we want, but if it is
not used we have no way to refuse the print files.

Lynne

Lynne E. Durland
Information Systems
Database Services
W91-109
O: 617-258-5857
C: 617-293-8091
H: KB1FEM
"When one door of happiness closes, another opens; but often we look so
long at the closed door that we do not see the one which has been opened
for us."
--Helen Keller
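
Added example (not part of the original message, and not KLP or print-server code): a sketch of why the username on a plain LPR job is only a claim, and of the server-side decision that a queue requiring authentication implies. The function names, the authenticated_principal input, the host name and the sample control file are assumptions constructed for illustration; the control-file letters follow RFC 1179.

```python
# Added example: the user name in a plain LPR job is only a client claim.
# RFC 1179 control-file lines are one command letter followed by an operand
# (H = originating host, P = user identification, J = job name, ...).

# Queues the message names as requiring authentication.
AUTH_REQUIRED_QUEUES = {"central-letter", "central-3hole"}

# Constructed sample: the P line is whatever was typed into the client's
# username box; nothing in the protocol verifies it.
SAMPLE_CONTROL_FILE = (
    b"Hgradadm-pc\n"
    b"PPrinterQueen\n"
    b"Jletter.doc\n"
    b"ldfA001gradadm-pc\n"
    b"UdfA001gradadm-pc\n"
    b"Nletter.doc\n"
)


def parse_control_file(data: bytes) -> dict:
    """Map each command letter to the list of operands seen for it."""
    fields = {}
    for raw in data.split(b"\n"):
        if raw:
            fields.setdefault(chr(raw[0]), []).append(
                raw[1:].decode("ascii", errors="replace"))
    return fields


def decide(queue: str, control_file: bytes, authenticated_principal=None):
    """Return (accepted, claimed_user, reason) for one submitted job.

    authenticated_principal is a hypothetical input: the Kerberos principal
    verified by the server's authentication layer, or None for plain LPR.
    """
    claimed = (parse_control_file(control_file).get("P") or [None])[0]
    if queue not in AUTH_REQUIRED_QUEUES:
        return True, claimed, "unauthenticated queue: user name is unverified"
    if authenticated_principal is None:
        return False, claimed, "no verified identity for this queue"
    if authenticated_principal.split("@", 1)[0] != claimed:
        return False, claimed, "claimed user does not match verified principal"
    return True, claimed, "verified"
```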