CUPS 共享打印机在 Windows 计算机上存在身份验证和 SSL 连接问题

CUPS 共享打印机在 Windows 计算机上存在身份验证和 SSL 连接问题

我在 Windows 10 或 7 中连接打印机时遇到问题。在我的 Debian 中,无论是基本身份验证类型还是 HTTPS,一切都运行良好。我创建了用户 cups_print 并使用 passwd 命令为他分配密码。我尝试禁用身份验证和 TLS/SSL,没有它们,Windows 站可以连接到 HP P1006,该 HP P1006 连接到运行 CUPS 的 Raspi。我也尝试过 Require valid-user,但使用此选项我可以使用任何凭据进行打印,例如用户名:“aa”密码:“randompassword”。我还尝试在进行 SSL 连接时监听端口 631,但在 Windows 上没有任何成功,Linux 使用每个选项都可以正常工作。

我尝试在 Windows 中通过以下方式设置 ipp url:
https://192.168.X.132:632/打印机/HP_LaserJet_P1006
https://cups_print:[电子邮件保护]:632/打印机/HP_LaserJet_P1006
https://[电子邮件保护]:632/打印机/HP_LaserJet_P1006
http://[电子邮件保护]:631/打印机/HP_LaserJet_P1006
http://192.168.X.132:631/打印机/HP_LaserJet_P1006
http://cups_print:[电子邮件保护]:631/打印机/HP_LaserJet_P1006

我还尝试添加打印机,在 cupsd.conf 配置为无需身份验证后,然后启用选项重新启动它,然后通过端口编辑向 Windows 提供凭据。同样没有任何成功。我可以通过 Web 界面在任何 Windows 站点上访问 cups 配置。这似乎是 Windows 的问题,如果不是,您能否提出任何解决方案,我希望我的家庭网络中的一切都安全无虞。

我附上了我的 cupsd.conf 文件的一部分

# Show troubleshooting information in error_log.
LogLevel debug
PageLogFormat
MaxLogSize 0
Port 631
Listen localhost:631
Listen /run/cups/cups.sock
Listen 192.168.X.X:631
Browsing On
BrowseLocalProtocols dnssd
BrowseAllow All
DefaultAuthType Basic
WebInterface Yes
DefaultEncryption Required
SSLPort 632
SSLListen *:632
<Location />
  Order allow,deny
  Allow 192.168.X.*
  Allow 192.168.X.*
  Allow localhost
  #Allow all
  Require user cups_print
  #Require user @SYSTEM cups_print  
</Location>
<Location /printers>
  Order allow,deny
  Allow 192.168.X.*
  Allow 192.168.X.*
 Allow localhost
  #Allow all
  AuthType Basic
  Require user cups_print
  #Require user @SYSTEM cups_print  

答案1

经过一周的努力解决这个问题后,我找到了一个解决办法。

在 Windows 10 1903 更新中,添加带有身份验证的打印机时出现问题。您必须先设置端口,甚至在添加打印机之前,之后您就可以毫无问题地添加它。您可以编辑和运行的漂亮脚本在这里

添加打印机 https 和 auth 的说明

修改寄存器并添加端口的脚本

或者您可以通过配置寄存器手动添加它,请参阅第二个链接。成功添加端口和打印机后(不会要求您提供任何凭据),转到打印机设置、端口设置并使用提供的凭据配置端口。没有它们,您将无法打印。

其次,您必须在 cupsd.conf 中授予对每个位置的访问权限,无需身份验证,甚至包括“/”和“/printers”。之后,创建策略限制<Limit Get-Printer-Attributes>,并且根本不需要在那里进行身份验证。然后在<Limit Cancel-Job CUPS-Authenticate-Job>和中启用身份验证<Limit Create-Job Print-Job Print-URI Validate-Job>

如果您尝试使用自签名证书,请点击链接 在 Windows 中添加自签名证书。不要忘记将此证书添加到“受信任的根第三方证书”中

当您将 IPP 打印机添加到 Windows 时,您必须面对更多存在问题的来源 Windows 上的 Cups 身份验证问题 Windows 上的 Cups 身份验证问题

我的 cupsd.conf(匿名)

LogLevel debug
PageLogFormat
MaxLogSize 0

SSLPort 636
SSLListen *:636

Browsing On
BrowseLocalProtocols dnssd
BrowseAllow All

DefaultAuthType Basic

WebInterface yes


DefaultEncryption required

ServerKey /etc/cups/ssl/server.key
ServerCertificate /etc/cups/ssl/server.crt

ServerAlias hostname.my_domain.net


# Restrict access to the server...
<Location />
  Order allow,deny
  Allow 192.168.X1.*
  Allow 192.168.X2.*
  Allow localhost 
</Location>

<Location /printers>
  Order allow,deny
  Allow 192.168.X1.*
  Allow 192.168.X2.*
  Allow localhost
</Location>


# Restrict access to the admin pages...
<Location /admin>
  Order allow,deny
  Allow localhost
  Deny all
</Location>

# Restrict access to configuration files...
<Location /admin/conf>
  AuthType Default
  Require user @SYSTEM
  Allow localhost
  Order allow,deny
</Location>

# Restrict access to log files...
<Location /admin/log>
  AuthType Default
  Require user @SYSTEM
  Order allow,deny
  Allow localhost
</Location>

# Set the default printer/job policies...
<Policy default>
  # Job/subscription privacy...
  JobPrivateAccess default
  JobPrivateValues default
  SubscriptionPrivateAccess default
  SubscriptionPrivateValues default

  # Job-related operations must be done by the owner or an administrator...
  <Limit Create-Job Print-Job Print-URI Validate-Job>
    Order deny,allow
    Allow all
    AuthType Basic
    Require user @SYSTEM cups_print
  </Limit>

  <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job CUPS-Get-Document>
    Require user @OWNER @SYSTEM
    Order deny,allow
  </Limit>

  # All administration operations require an administrator to authenticate...
  <Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default CUPS-Get-Devices>
    AuthType Default
    Require user @SYSTEM
    Order deny,allow
  </Limit>

  # All printer operations require a printer operator to authenticate...
  <Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After Cancel-Jobs CUPS-Accept-Jobs CUPS-Reject-Jobs>
    AuthType Default
    Require user @CUPS_DEFAULT_PRINTOPERATOR_AUTH@
    Order deny,allow
  </Limit>

  # Only the owner or an administrator can cancel or authenticate a job...
  <Limit Cancel-Job CUPS-Authenticate-Job>
    Require user @OWNER @CUPS_DEFAULT_PRINTOPERATOR_AUTH@ cups_print
    AuthType Basic
    Order deny,allow
  </Limit>

  <Limit Get-Printer-Attributes>
    Order allow,deny
    Allow all
  </Limit>

  <Limit All>
    Order deny,allow
  </Limit>
</Policy>

# Set the authenticated printer/job policies...
<Policy authenticated>
  # Job/subscription privacy...
  JobPrivateAccess default
  JobPrivateValues default
  SubscriptionPrivateAccess default
  SubscriptionPrivateValues default

  # Job-related operations must be done by the owner or an administrator...
  <Limit Create-Job Print-Job Print-URI Validate-Job>
    AuthType Basic
    Require user @SYSTEM cups_print
    Order deny,allow
  </Limit>

  <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job CUPS-Get-Document>
    AuthType Default
    Require user @OWNER @SYSTEM
    Order deny,allow
  </Limit>

  # All administration operations require an administrator to authenticate...
  <Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default>
    AuthType Default
    Require user @SYSTEM
    Order deny,allow
  </Limit>

  # All printer operations require a printer operator to authenticate...
  <Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After Cancel-Jobs CUPS-Accept-Jobs CUPS-Reject-Jobs>
    AuthType Default
    Require user @CUPS_DEFAULT_PRINTOPERATOR_AUTH@
    Order deny,allow
  </Limit>

  # Only the owner or an administrator can cancel or authenticate a job...
  <Limit Cancel-Job CUPS-Authenticate-Job>
    AuthType Basic
    Require user @OWNER @CUPS_DEFAULT_PRINTOPERATOR_AUTH@ cups_print
    Order deny,allow
  </Limit>

  <Limit Get-Printer-Attributes>
    Order allow,deny
    Allow all
   </Limit>


  <Limit All>
    Order deny,allow
  </Limit>
</Policy>

答案2

警告

对于 cups 2.2.1 及更高版本,cupsd.conf 中使用的 ServerCertificate 和 ServerKey 指令已被撤销。

除非在 cups-files.conf 中将指令 CreateSelfSignedCerts 设置为“no”,否则 cups 将使用名称 ${HOSTNAME}.crt 和 ${HOSTNAME}.key 生成自己的自签名证书

证书的默认路径仍然是 cups_root + ssl 目录,但可以使用 cups-files.conf 中的指令 ServerKeyChain 进行更改。

因此,如果您有自己的证书(自签名或权威签名),则必须将它们复制到 ssl 目录中,名称为 ${HOSTNAME}.crt 和 ${HOSTNAME}.key,否则端口 631 上的 https 连接将失败,并且 /var/log/cups/error.log 包含多行抱怨无法读取证书文件的内容。

相关内容