/usr/share/doc/lprng-doc/LPRng-Reference-Multipart/x9495.htm is in lprng-doc 3.8.A~rc2-3.

This file is owned by root:root, with mode 0o644.

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">

<html>
<head>
  <meta name="generator" content=
  "HTML Tidy for Linux/x86 (vers 6 November 2007), see www.w3.org">

  <title>Using SSL for Authentication</title>
  <meta name="GENERATOR" content=
  "Modular DocBook HTML Stylesheet Version 1.79">
  <link rel="HOME" title=" LPRng Reference Manual" href=
  "index.htm">
  <link rel="UP" title="Permissions and Authentication " href=
  "permsref.htm">
  <link rel="PREVIOUS" title="Using Kerberos 4 for Authentication"
  href="x9469.htm">
  <link rel="NEXT" title="Using MD5 for Authentication" href=
  "x9572.htm">
</head>

<body class="SECT1" bgcolor="#FFFFFF" text="#000000" link="#0000FF"
vlink="#840084" alink="#0000FF">
  <div class="NAVHEADER">
    <table summary="Header navigation table" width="100%" border=
    "0" cellpadding="0" cellspacing="0">
      <tr>
        <th colspan="3" align="center">LPRng Reference Manual: 24
        Sep 2004 (For LPRng-3.8.28)</th>
      </tr>

      <tr>
        <td width="10%" align="left" valign="bottom"><a href=
        "x9469.htm" accesskey="P">Prev</a></td>

        <td width="80%" align="center" valign="bottom">Chapter 17.
        Permissions and Authentication</td>

        <td width="10%" align="right" valign="bottom"><a href=
        "x9572.htm" accesskey="N">Next</a></td>
      </tr>
    </table>
    <hr align="left" width="100%">
  </div>

  <div class="SECT1">
    <h1 class="SECT1"><a name="AEN9495" id="AEN9495">17.15. Using
    SSL for Authentication</a></h1>

    <p><b class="APPLICATION">LPRng</b> has built-in support for
    using SSL as an authentication method. The implementation is
    based on OpenSSL 0.9.6c and the associated libraries as of 3
    June 2002. The distribution was obtained from the OpenSSL group
    from the <span class="emphasis"><i class="EMPHASIS"><a href=
    "http://www.openssl.org" target=
    "_top">http://www.openssl.org</a></i></span> Website.</p>

    <p>SSL authentication is based on a private key/secret key
    technology, where the various keys are placed in files (or data
    structures) called <span class="emphasis"><i class=
    "EMPHASIS">certificates</i></span> or <tt class=
    "LITERAL">certs</tt>, and the certificates are <span class=
    "emphasis"><i class="EMPHASIS">signed</i></span> by calculating
    a checksum over the certificate and encrypting the checksum and
    other information using the private key of a <span class=
    "emphasis"><i class="EMPHASIS">signing</i></span> certificate.
    The top level or <span class="emphasis"><i class=
    "EMPHASIS">root</i></span> certificate is signed by its own
    key; lower level signing certificates can be created which are
    signed by the top level or root certificate, and in turn can
    sign other signing certificates. User certificates, which are
    used in the SSL protocol for authentication purposes, can be
    created and signed by a signing certificate. The following
    objects are needed to use SSL encryption.</p>

    <ol type="1">
      <li>
        <p>A top level or root certificate and a set of signing
        certificates. By convention, these are stored in the
        <tt class="FILENAME">/etc/lpd/ssl.ca</tt> directory; the
        root certificate is usually the <tt class=
        "FILENAME">ca.crt</tt> file.</p>
      </li>

      <li>
        <p>Each server has a certificate and private key file which
        are used to identify the server and sign the SSL messages.
        The private key file is usually stored in an encrypted form
        and a password is required to unlock the file. By convention,
        the server files are stored in the <tt class=
        "FILENAME">/etc/lpd/ssl.server</tt> directory; the
        <tt class="FILENAME">server.crt</tt> file contains the
        server certificate and (encrypted) private key; the
        <tt class="FILENAME">server.pwd</tt> file contains the
        password to decrypt the private key.</p>
      </li>

      <li>
        <p>Each user has a certificate and private key file which
        are used to identify the user and sign the SSL messages.
        The private key file is usually stored in an encrypted form
        and a password is required to unlock the file. By convention,
        the user files are stored in the <tt class=
        "FILENAME">${HOME}/.lpr</tt> directory; the <tt class=
        "FILENAME">client.crt</tt> file contains the client
        certificate and (encrypted) private key; the <tt class=
        "FILENAME">client.pwd</tt> file contains the password to
        decrypt the private key.</p>
      </li>

      <li>
        <p>A utility to create and manage the SSL certificate
        files.</p>
      </li>
    </ol>

    <p>The locations of the SSL files can be specified by various
    options to the <b class="APPLICATION">configure</b> facility and by
    values in the <tt class="LITERAL">lpd.conf</tt> file.</p>

    <div class="SECT2">
      <h2 class="SECT2"><a name="AEN9528" id="AEN9528">17.15.1.
      Certificate Management</a></h2>

      <p>The <b class="APPLICATION">lprng_certs</b> utility is used
      to set up the various directories and files required for SSL
      authentication. This code was derived from similar facilities
      developed for the <tt class="LITERAL">mod_ssl</tt> extensions
      to the <b class="APPLICATION">Apache</b> web server. This
      interactive utility is very verbose and has extensive
      comments and assistance.</p>

      <div class="INFORMALEXAMPLE">
        <a name="AEN9534" id="AEN9534"></a>
        <pre class="SCREEN">
h110: {111} % lprng_certs
lprng_certs -- LPRng SSL Certificate Management
Copyright (c) 2002 Patrick Powell
Based on CCA by Ralf S. Engelschall
(Copyright (c) 1998-2001 Ralf S. Engelschall, All Rights Reserved.)

usage: lprng_certs option
  init              - make directory structure
  newca             - make new root CA and default values for certs
  defaults          - set new default values for certs
  gen               - generate user, server, or signing cert
  verify [cert]     - verify cert file
  index [dir]       - make certificate index files in directory dir
  encrypt keyfile   - set or change password on private key file
</pre>
      </div>

      <p>The <tt class="LITERAL">lprng_certs init</tt> option will
      create the necessary directories for the <b class=
      "APPLICATION">LPRng</b> software on a system. The <tt class=
      "LITERAL">lprng_certs newca</tt> option will create the root
      level certificate and set up a set of defaults for the
      creation of other certificates. The <tt class=
      "LITERAL">lprng_certs defaults</tt> option allows viewing and
      editing of the various default values. The <tt class=
      "LITERAL">lprng_certs gen</tt> option is used to create and
      sign new certificate files. The OpenSSL software assumes that
      the file names of the signing certificate files have a
      special format; the <tt class="LITERAL">lprng_certs
      index</tt> option creates links of the required format to the
      certificate files. Finally, the <tt class=
      "LITERAL">lprng_certs verify</tt> and the <tt class=
      "LITERAL">lprng_certs encrypt</tt> facilities can be used to
      verify that the certificate files have the proper format and
      to change the private key password respectively.</p>
    </div>

    <div class="SECT2">
      <h2 class="SECT2"><a name="AEN9545" id="AEN9545">17.15.2.
      Creating Root Certificate</a></h2>

      <p>The <tt class="LITERAL">lprng_certs newca</tt> option is
      used to create a new root signing certificate and to
      establish defaults.</p>

      <div class="INFORMALEXAMPLE">
        <a name="AEN9549" id="AEN9549"></a>
        <pre class="SCREEN">
h110: {112} #&gt; lprng_certs newca
lprng_certs -- LPRng SSL Certificate Management
Copyright (c) 2002 Patrick Powell
Based on CCA by Ralf S. Engelschall
(Copyright (c) 1998-2001 Ralf S. Engelschall, All Rights Reserved.)

INITIALIZATION - SET DEFAULTS
...  
______________________________________________________________________

STEP 1: Generating RSA private key for CA (1024 bit)
______________________________________________________________________

STEP 2: Generating X.509 certificate signing request for CA
______________________________________________________________________

STEP 3: Generating X.509 certificate for CA signed by itself
______________________________________________________________________

RESULT:
/etc/lpd/ssl.ca/ca.crt:
/C=US/ST=California/L=San Diego/O=Astart/OU=Certificate Authority/\
 CN=Astart CA/Email=id@astart.com
error 18 at 0 depth lookup:self signed certificate
OK
______________________________________________________________________

STEP 4. Encrypting RSA private key with a pass phrase for security
The contents of the certificate key file (the generated private
key) should be echo kept secret, especially so if it is used to
sign Certificates or for User authentication.  SSL experts strongly
recommend you to encrypt the key file with a Triple-DES cipher and
a Pass Phrase.  When using LPRng, you provide the password via a
file specified by the LPR_SSL_PASSWORD environent variable, or in
the ${HOME}/.lpr/client.pwd file.  The LPD server uses the
ssl_server_password_file option to specify the location of a file
containing the password.  See the LPRng Reference Manual for details, or the
printcap(5) man page.

key file is /etc/lpd/ssl.ca/ca.key
Encrypt the private key now? [Y/n]: y
Fine, you're using an encrypted private key to sign CERTS.
</pre>
      </div>
    </div>

    <div class="SECT2">
      <h2 class="SECT2"><a name="AEN9551" id="AEN9551">17.15.3.
      Creating Client and Server Certificates</a></h2>

      <p>The <tt class="LITERAL">lprng_certs gen</tt> option allows
      the creation of client and server identification
      certificates. By convention, these are created in a default
      directory and the system administrator then copies them to
      the appropriate client or server directory.</p>

      <div class="INFORMALEXAMPLE">
        <a name="AEN9555" id="AEN9555"></a>
        <pre class="SCREEN">
h110: {112} #&gt; lprng_certs gen
lprng_certs -- LPRng SSL Certificate Management
Copyright (c) 2002 Patrick Powell
Based on CCA by Ralf S. Engelschall
(Copyright (c) 1998-2001 Ralf S. Engelschall, All Rights Reserved.)

CERTIFICATE GENERATION
What type of certificate? User/Server/Signing Authority/Help? [u/s/a/H]
Create in '/etc/lpd/ssl.certs' [return for yes, or specify directory]
CERT name 'user-10'? [return for yes, or specify name] papowell
CERT name 'papowell'? [return for yes, or specify name] 
Creating papowell in /etc/lpd/ssl.certs
Sign with Certificate '/etc/lpd/ssl.ca/ca.crt' \
   [return for yes, ? for list, or specify cert file] ?
Possible CERTS in directory '/etc/lpd/ssl.ca' are:
/etc/lpd/ssl.ca/ca.crt
/etc/lpd/ssl.ca/signer1.crt
/etc/lpd/ssl.ca/tsign.crt
Sign with Certificate '/etc/lpd/ssl.ca/ca.crt'  \
  [return for yes, ? for list, or specify cert file] signer1
Match Found /etc/lpd/ssl.ca/signer1.crt
Sign with Certificate '/etc/lpd/ssl.ca/signer1.crt'  \
  [return for yes, ? for list, or specify cert file]
Private key in /etc/lpd/ssl.ca/signer1.crt

Generating user Certificate [papowell] 

STEP 1: Generating RSA private key for user (1024 bit)

STEP 2: Generating X.509 certificate signing request for user
....

STEP 3: Generating X.509 certificate signed by /etc/lpd/ssl.ca/signer1.crt
...

RESULT:
/etc/lpd/ssl.certs/papowell.crt: OK

STEP 4. Enrypting RSA private key /etc/lpd/ssl.certs/papowell.key
  with a pass phrase for security

Encrypt the private key now? [Y/n]: Fine, you're using an encrypted
  private key to sign CERTS.

STEP 5: Combine CERT and KEY file
Generate single CERT and KEY file? [Y/n] 

Use the following commands to examine the CERT and KEY files:
   openssl x509 -text -in /etc/lpd/ssl.certs/papowell.crt
   openssl rsa -text -in /etc/lpd/ssl.certs/papowell.crt
</pre>
      </div>

      <p>After the certificate file has been created, it
      should be copied to the appropriate location: <tt class=
      "FILENAME">/etc/lpd/ssl.server/server.crt</tt> and the
      password in <tt class=
      "FILENAME">/etc/lpd/ssl.server/server.pwd</tt>, for a server
      or <tt class="FILENAME">${HOME}/.lpr/client.crt</tt> and the
      password in <tt class="FILENAME">${HOME}/.lpr/client.pwd</tt>
      for a user.</p>
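
      <p>Because the password file sits beside the encrypted private
      key, the encryption protects the key only as far as file
      permissions protect the password. The following audit of the
      conventional layout is an added example, not part of LPRng; the
      function names and the policy it enforces (no access for other
      users on secrets, no group or other write access under the CA
      directory) are assumptions.</p>

```shell
#!/bin/sh
# Added example, not part of LPRng. Audits the conventional file layout;
# the policy (no access for "other" on secrets, no group/other write on the
# CA directory) is this example's assumption, not an LPRng requirement.

# audit_secrets DIR: print password files, key files and PEM files holding a
# private key that users outside the owner and group can read.
audit_secrets() {
    find "$1" -type f -perm -004 | while IFS= read -r f; do
        case $f in
            *.pwd|*.key) echo "world-readable secret: $f" ;;
            *) if grep -q 'PRIVATE KEY-----' "$f" 2>/dev/null; then
                   echo "world-readable private key: $f"
               fi ;;
        esac
    done
}

# audit_trust_dir DIR: print the CA directory or any regular file in it that
# group or other can modify, since every certificate there is a trusted
# signer. Symbolic links (always mode 777) are skipped by the type filter.
audit_trust_dir() {
    find "$1" \( -type f -o -type d \) \( -perm -020 -o -perm -002 \) |
        sed 's/^/writable trust anchor path: /'
}

# audit_lprng_ssl BASE [HOME]: run both checks, print the findings and
# return non-zero if there were any. BASE is /etc/lpd in the convention.
audit_lprng_ssl() {
    findings=$(
        for d in "$1/ssl.server" "$1/ssl.ca" "$1/ssl.certs" ${2:+"$2/.lpr"}; do
            if [ -d "$d" ]; then audit_secrets "$d"; fi
        done
        if [ -d "$1/ssl.ca" ]; then audit_trust_dir "$1/ssl.ca"; fi
    )
    if [ -z "$findings" ]; then return 0; fi
    printf '%s\n' "$findings"
    return 1
}
```

      <p>Run it as <tt class="LITERAL">audit_lprng_ssl /etc/lpd
      "$HOME"</tt>; a world-readable public certificate is not
      reported, only password files, key files and files that embed a
      private key.</p>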
    </div>

    <div class="SECT2">
      <h2 class="SECT2"><a name="AEN9562" id="AEN9562">17.15.4.
      Creating Signing Certificates</a></h2>

      <p>Having only one signing certificate, i.e. the root
      certificate, may make it difficult to delegate authority for
      the creation of user certificates and/or server certificates.
      The <tt class="LITERAL">lprng_certs gen</tt> facility can be
      used to create a certificate that can be used to sign other
      certificates.</p>
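
      <p>The delegation described here (a root certificate, a signing
      certificate below it, and a user certificate below that) can be
      reproduced and checked with stock <tt class=
      "LITERAL">openssl</tt> commands. The following is an added
      example, not LPRng or <tt class="LITERAL">lprng_certs</tt> code;
      the function names, certificate names, 2048-bit key size and
      unencrypted throwaway keys are assumptions.</p>

```shell
#!/bin/sh
# Added example, not LPRng code. Names, CNs and the 2048-bit key size are
# assumptions; keys are left unencrypted (-nodes) only because this is a
# throwaway demo directory.

# new_csr PREFIX CN: RSA key plus X.509 signing request (STEP 1 and STEP 2).
new_csr() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

# sign PREFIX EXTFILE SIGNING_ARGS...: issue a one-day certificate (STEP 3).
sign() {
    prefix=$1 ext=$2; shift 2
    openssl x509 -req -in "$prefix.csr" -extfile "$ext" -days 1 \
        -out "$prefix.crt" "$@" 2>/dev/null
}

# verify_with_capath CADIR CERT: succeed only if CERT chains to certs in CADIR.
verify_with_capath() {
    openssl verify -CApath "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# build_chain DIR: create DIR/ssl.ca (root and signer1) and DIR/ssl.certs.
build_chain() {
    ca=$1/ssl.ca certs=$1/ssl.certs
    mkdir -p "$ca" "$certs" || return 1
    # Only certificates carrying CA:TRUE may sign other certificates.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$1/ca.ext"
    printf 'basicConstraints=critical,CA:FALSE\n' > "$1/user.ext"

    # Root signed by its own key, signer1 signed by the root, user by signer1.
    new_csr "$ca/ca" 'Demo Root CA' &&
    sign "$ca/ca" "$1/ca.ext" -signkey "$ca/ca.key" &&
    new_csr "$ca/signer1" 'Demo Signer 1' &&
    sign "$ca/signer1" "$1/ca.ext" -CA "$ca/ca.crt" -CAkey "$ca/ca.key" -CAcreateserial &&
    new_csr "$certs/papowell" 'papowell' &&
    sign "$certs/papowell" "$1/user.ext" -CA "$ca/signer1.crt" \
        -CAkey "$ca/signer1.key" -CAcreateserial || return 1

    # OpenSSL's -CApath lookup finds issuers through links named <subject-hash>.0
    for c in "$ca"/*.crt; do
        h=$(openssl x509 -noout -hash -in "$c") || return 1
        ln -sf "$(basename "$c")" "$ca/$h.0"
    done
}
```

      <p>After <tt class="LITERAL">build_chain /tmp/demo</tt>, the call
      <tt class="LITERAL">verify_with_capath /tmp/demo/ssl.ca
      /tmp/demo/ssl.certs/papowell.crt</tt> succeeds only when the user
      certificate chains through signer1 to the root; against a
      directory without the hash-named links it fails.</p>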
    </div>

    <div class="SECT2">
      <h2 class="SECT2"><a name="AEN9566" id="AEN9566">17.15.5.
      Permissions and Certificate Revocation</a></h2>

      <p>The certificate revocation facility is not implemented in
      <b class="APPLICATION">LPRng</b>, due to various technical
      and management issues. Instead, the <tt class=
      "LITERAL">AUTHUSER</tt> and <tt class="LITERAL">AUTHCA</tt>
      and</p>
    </div>
  </div>

</body>
</html>