Thursday, January 29, 2009

Modifications to stock CUPS server

I've been tasked with setting up a Unix print server, since the current one runs unmanaged on a PC beneath someone's desk. Since we use RHEL4 for our servers, obviously this is going to be using CUPS. Setting up CUPS isn't too painful. The web interface is pretty easy to use. My concern though is when you click on the Administration link and log in, it continues to use plain-text HTTP to pass the credentials.

Here are the few things I've changed to make me feel a little bit less uneasy.

First, I created a self-signed SSL certificate and copied the key and crt to /etc/cups/ssl.

Then, I enabled the following in cupsd.conf

ServerCertificate /etc/cups/ssl/server.crt
ServerKey /etc/cups/ssl/server.key
SSLPort 443

I still have the stock port 631 listening as well.

Finally, I modified the index HTML page for the CUPS service. I found this located in /usr/share/cups/doc/index.html. I edited the two hyperlinks for administrator so that it pointed to "". I know this won't stop people from using "", but at least if they are just clicky-clicky, it will have them log into the administrative interface using HTTPS. I'm not sure how to force users to use HTTPS when accessing the administrative page in CUPS, but at least this is a start.

Now, I don't feel like my usernames and passwords are floating around in the clear when it comes to CUPS.


Reamer77 said...

It appears my HTML edit only works on the index page. I'm not sure where the menu bar is being loaded from when clicking on other sections. If anyone has any ideas, please post them.

Reamer77 said...

Apparently in the "Location /admin" (substitute the < and > for the ") section of cupsd.conf, you can specify (or in my case uncomment) "Encryption Required". The Admin links do not redirect to HTTPS, but gives an error about "Upgrade Required", forcing the user to use That's at least a little bit better.