<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html>
  <head>
    <meta name="generator" content="HTML Tidy, see www.w3.org">
    <title>Using SSL for Authentication</title>
    <meta name="GENERATOR" content="Modular DocBook HTML Stylesheet Version 1.7">
    <link rel="HOME" title=" LPRng Reference Manual" href="index.htm">
    <link rel="UP" title="Permissions and Authentication " href="permsref.htm">
    <link rel="PREVIOUS" title="Using Kerberos 4 for Authentication" href="x9386.htm">
    <link rel="NEXT" title="Using MD5 for Authentication" href="x9489.htm">
  </head>

  <body class="SECT1" bgcolor="#FFFFFF" text="#000000" link="#0000FF" vlink="#840084" alink="#0000FF">
    <div class="NAVHEADER">
      <table summary="Header navigation table" width="100%" border="0" cellpadding="0" cellspacing="0">
        <tr>
          <th colspan="3" align="center">LPRng Reference Manual: 5 Sep 2003 (For LPRng-3.8.22)</th>
        </tr>

        <tr>
          <td width="10%" align="left" valign="bottom"><a href="x9386.htm" accesskey="P">Prev</a></td>

          <td width="80%" align="center" valign="bottom">Chapter 17. Permissions and Authentication</td>

          <td width="10%" align="right" valign="bottom"><a href="x9489.htm" accesskey="N">Next</a></td>
        </tr>
      </table>
      <hr align="LEFT" width="100%">
    </div>

    <div class="SECT1">
      <h1 class="SECT1"><a name="AEN9412">17.15. Using SSL for Authentication</a></h1>

      <p><b class="APPLICATION">LPRng</b> has built-in support for using SSL as an authentication method. The implementation is based on OpenSSL 0.9.6c and the associated libraries as of 3 June 2002.
The distribution was obtained from the OpenSSL group's <span class="emphasis"><i class="EMPHASIS"><a href="http://www.openssl.org" target="_top">http://www.openssl.org</a></i></span> website.</p>

      <p>SSL authentication is based on private key/secret key technology, where the various keys are placed in files (or data structures) called <span class="emphasis"><i class="EMPHASIS">certificates</i></span> or <var class="LITERAL">certs</var>. A certificate is <span class="emphasis"><i class="EMPHASIS">signed</i></span> by calculating a checksum over it and encrypting the checksum and other information with the private key of a <span class="emphasis"><i class="EMPHASIS">signing</i></span> certificate. The top level or <span class="emphasis"><i class="EMPHASIS">root</i></span> certificate is signed by its own key; lower level signing certificates can be created which are signed by the root certificate and can in turn sign other signing certificates. User certificates are created and signed by a signing certificate, and these are the certificates used in the SSL protocol for authentication purposes. The following objects are needed to use SSL encryption.</p>

      <ol type="1">
        <li>
          <p>A top level or root certificate and a set of signing certificates. By convention, these are stored in the <tt class="FILENAME">/etc/lpd/ssl.ca</tt> directory; the root certificate is usually the <tt class="FILENAME">ca.crt</tt> file.</p>
        </li>

        <li>
          <p>Each server has a certificate and private key file which are used to identify the server and sign the SSL messages. The private key file is usually stored in an encrypted form and a password is required to unlock the file.
By convention, the server files are stored in the <tt class="FILENAME">/etc/lpd/ssl.server</tt> directory; the <tt class="FILENAME">server.crt</tt> file contains the server certificate and (encrypted) private key; the <tt class="FILENAME">server.pwd</tt> file contains the password to decrypt the private key.</p>
        </li>

        <li>
          <p>Each user has a certificate and private key file which are used to identify the user and sign the SSL messages. The private key file is usually stored in an encrypted form and a password is required to unlock the file. By convention, the user files are stored in the <tt class="FILENAME">${HOME}/.lpr</tt> directory; the <tt class="FILENAME">client.crt</tt> file contains the client certificate and (encrypted) private key; the <tt class="FILENAME">client.pwd</tt> file contains the password to decrypt the private key.</p>
        </li>

        <li>
          <p>A utility to create and manage the SSL certificate files.</p>
        </li>
      </ol>
      <br>
      <br>

      <p>The locations of the SSL files can be specified by various options to the <b class="APPLICATION">configure</b> facility and by values in the <var class="LITERAL">lpd.conf</var> file.</p>

      <div class="SECT2">
        <h2 class="SECT2"><a name="AEN9445">17.15.1. Certificate Management</a></h2>

        <p>The <b class="APPLICATION">lprng_certs</b> utility is used to set up the various directories and files required for SSL authentication. This code was derived from similar facilities developed for the <var class="LITERAL">mod_ssl</var> extensions to the <b class="APPLICATION">Apache</b> web server.
This interactive utility is very verbose and has extensive comments and assistance.</p>

        <div class="INFORMALEXAMPLE">
          <a name="AEN9451"></a>
<pre class="SCREEN">
h110: {111} % lprng_certs
lprng_certs -- LPRng SSL Certificate Management
Copyright (c) 2002 Patrick Powell
Based on CCA by Ralf S. Engelschall
(Copyright (c) 1998-2001 Ralf S. Engelschall, All Rights Reserved.)

usage: lprng_certs option
  init             - make directory structure
  newca            - make new root CA and default values for certs
  defaults         - set new default values for certs
  gen              - generate user, server, or signing cert
  verify [cert]    - verify cert file
  index [dir]      - make certificate index files in directory dir
  encrypt keyfile  - set or change password on private key file
</pre>
        </div>
        <br>
        <br>

        <p>The <var class="LITERAL">lprng_certs init</var> option creates the necessary directories for the <b class="APPLICATION">LPRng</b> software on a system. The <var class="LITERAL">lprng_certs newca</var> option creates the root level certificate and sets up a set of defaults for the creation of other certificates. The <var class="LITERAL">lprng_certs defaults</var> option allows viewing and editing of the various default values. The <var class="LITERAL">lprng_certs gen</var> option is used to create and sign new certificate files. The OpenSSL software assumes that the file names of the signing certificate files have a special format; <var class="LITERAL">lprng_certs index</var> creates links of the required format to the certificate files.
Finally, the <var class="LITERAL">lprng_certs verify</var> and the <var class="LITERAL">lprng_certs encrypt</var> facilities can be used to verify that the certificate files have the proper format and to change the private key password respectively.</p>
      </div>

      <div class="SECT2">
        <h2 class="SECT2"><a name="AEN9462">17.15.2. Creating Root Certificate</a></h2>

        <p>The <var class="LITERAL">lprng_certs newca</var> option is used to create a new root signing certificate and to establish defaults.</p>

        <div class="INFORMALEXAMPLE">
          <a name="AEN9466"></a>
<pre class="SCREEN">
h110: {112} #> lprng_certs newca
lprng_certs -- LPRng SSL Certificate Management
Copyright (c) 2002 Patrick Powell
Based on CCA by Ralf S. Engelschall
(Copyright (c) 1998-2001 Ralf S. Engelschall, All Rights Reserved.)

INITIALIZATION - SET DEFAULTS
...
______________________________________________________________________

STEP 1: Generating RSA private key for CA (1024 bit)
______________________________________________________________________

STEP 2: Generating X.509 certificate signing request for CA
______________________________________________________________________

STEP 3: Generating X.509 certificate for CA signed by itself
______________________________________________________________________

RESULT:
/etc/lpd/ssl.ca/ca.crt:
  /C=US/ST=California/L=San Diego/O=Astart/OU=Certificate Authority/\
  CN=Astart CA/Email=id@astart.com
error 18 at 0 depth lookup:self signed certificate
OK
______________________________________________________________________

STEP 4. Encrypting RSA private key with a pass phrase for security
The contents of the certificate key file (the generated private
key) should be echo kept secret, especially so if it is used to
sign Certificates or for User authentication.
SSL experts strongly
recommend you to encrypt the key file with a Triple-DES cipher and
a Pass Phrase. When using LPRng, you provide the password via a
file specified by the LPR_SSL_PASSWORD environent variable, or in
the ${HOME}/.lpr/client.pwd file. The LPD server uses the
ssl_server_password_file option to specify the location of a file
containing the password. See the LPRng Reference Manual for details, or the
printcap(5) man page.

key file is /etc/lpd/ssl.ca/ca.key
Encrypt the private key now? [Y/n]: y
Fine, you're using an encrypted private key to sign CERTS.
</pre>
        </div>
        <br>
        <br>
      </div>

      <div class="SECT2">
        <h2 class="SECT2"><a name="AEN9468">17.15.3. Creating Client and Server Certificates</a></h2>

        <p>The <var class="LITERAL">lprng_certs gen</var> option allows the creation of client and server identification certificates. By convention, these are created in a default directory and the system administrator then copies them to the appropriate client or server directory.</p>

        <div class="INFORMALEXAMPLE">
          <a name="AEN9472"></a>
<pre class="SCREEN">
h110: {112} #> lprng_certs gen
lprng_certs -- LPRng SSL Certificate Management
Copyright (c) 2002 Patrick Powell
Based on CCA by Ralf S. Engelschall
(Copyright (c) 1998-2001 Ralf S. Engelschall, All Rights Reserved.)

CERTIFICATE GENERATION
What type of certificate? User/Server/Signing Authority/Help? [u/s/a/H]
Create in '/etc/lpd/ssl.certs' [return for yes, or specify directory]
CERT name 'user-10'? [return for yes, or specify name] papowell
CERT name 'papowell'? [return for yes, or specify name]
Creating papowell in /etc/lpd/ssl.certs
Sign with Certificate '/etc/lpd/ssl.ca/ca.crt' \
  [return for yes, ? for list, or specify cert file] ?
Possible CERTS in directory '/etc/lpd/ssl.ca' are:
  /etc/lpd/ssl.ca/ca.crt
  /etc/lpd/ssl.ca/signer1.crt
  /etc/lpd/ssl.ca/tsign.crt
Sign with Certificate '/etc/lpd/ssl.ca/ca.crt' \
  [return for yes, ? for list, or specify cert file] signer1
Match Found /etc/lpd/ssl.ca/signer1.crt
Sign with Certificate '/etc/lpd/ssl.ca/signer1.crt' \
  [return for yes, ? for list, or specify cert file]
Private key in /etc/lpd/ssl.ca/signer1.crt

Generating user Certificate [papowell]

STEP 1: Generating RSA private key for user (1024 bit)

STEP 2: Generating X.509 certificate signing request for user
....

STEP 3: Generating X.509 certificate signed by /etc/lpd/ssl.ca/signer1.crt
...

RESULT:
/etc/lpd/ssl.certs/papowell.crt: OK

STEP 4. Enrypting RSA private key /etc/lpd/ssl.certs/papowell.key
  with a pass phrase for security

Encrypt the private key now? [Y/n]: Fine, you're using an encrypted
private key to sign CERTS.

STEP 5: Combine CERT and KEY file
Generate single CERT and KEY file? [Y/n]

Use the following commands to examine the CERT and KEY files:
  openssl x509 -text -in /etc/lpd/ssl.certs/papowell.crt
  openssl rsa -text -in /etc/lpd/ssl.certs/papowell.crt
</pre>
        </div>
        <br>
        <br>

        <p>After the certificate file has been created, it should be copied to the appropriate location: <tt class="FILENAME">/etc/lpd/ssl.server/server.crt</tt> with the password in <tt class="FILENAME">/etc/lpd/ssl.server/server.pwd</tt> for a server, or <tt class="FILENAME">${HOME}/.lpr/client.crt</tt> with the password in <tt class="FILENAME">${HOME}/.lpr/client.pwd</tt> for a user.</p>
      </div>

      <div class="SECT2">
        <h2 class="SECT2"><a name="AEN9479">17.15.4. Creating Signing Certificates</a></h2>

        <p>Having only one signing certificate, i.e.
the root certificate, may make it difficult to delegate authority for the creation of user certificates and/or server certificates. The <var class="LITERAL">lprng_certs gen</var> facility can be used to create a certificate that can be used to sign other certificates.</p>
      </div>

      <div class="SECT2">
        <h2 class="SECT2"><a name="AEN9483">17.15.5. Permissions and Certificate Revocation</a></h2>

        <p>The certificate revocation facility is not implemented in <b class="APPLICATION">LPRng</b>, due to various technical and management issues. Instead, the <var class="LITERAL">AUTHUSER</var> and <var class="LITERAL">AUTHCA</var> and</p>
      </div>
    </div>

    <div class="NAVFOOTER">
      <hr align="LEFT" width="100%">

      <table summary="Footer navigation table" width="100%" border="0" cellpadding="0" cellspacing="0">
        <tr>
          <td width="33%" align="left" valign="top"><a href="x9386.htm" accesskey="P">Prev</a></td>

          <td width="34%" align="center" valign="top"><a href="index.htm" accesskey="H">Home</a></td>

          <td width="33%" align="right" valign="top"><a href="x9489.htm" accesskey="N">Next</a></td>
        </tr>

        <tr>
          <td width="33%" align="left" valign="top">Using Kerberos 4 for Authentication</td>

          <td width="34%" align="center" valign="top"><a href="permsref.htm" accesskey="U">Up</a></td>

          <td width="33%" align="right" valign="top">Using MD5 for Authentication</td>
        </tr>
      </table>
    </div>
  </body>
</html>
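The certificate hierarchy, the hashed index directory and the combined certificate/key file described in sections 17.15.1 through 17.15.4 above, carried through with plain openssl(1) commands as an added example. It is not part of the LPRng manual and it is not the lprng_certs script; it only mirrors the steps the transcripts show. The scratch directory, the organisation name, the signer name signer1 and the randomly generated pass phrase are assumptions; the user name papowell and the file names ca.crt, client.crt and client.pwd are the ones the manual uses.

```shell
#!/bin/sh
# Added example; not part of the LPRng manual or of the lprng_certs script.
# It rebuilds the hierarchy the section describes with plain openssl(1),
#     root CA (self-signed)  -->  signing CA  -->  user certificate,
# and lays the files out the way LPRng expects them: an ssl.ca directory with
# hashed index links, a combined certificate+encrypted-key file and a .pwd file.
# Everything goes under a scratch directory, not /etc/lpd or ${HOME}/.lpr;
# subjects, signer name and pass phrase are constructed for the demo.
set -eu

DEMO_ROOT="${LPRNG_SSL_DEMO:-$(mktemp -d)}"   # scratch location (assumption)
CA_DIR="$DEMO_ROOT/ssl.ca"        # stands in for /etc/lpd/ssl.ca
CERT_DIR="$DEMO_ROOT/ssl.certs"   # stands in for /etc/lpd/ssl.certs
CLIENT_DIR="$DEMO_ROOT/.lpr"      # stands in for ${HOME}/.lpr
USER_NAME="papowell"              # user name from the manual's transcript
ORG="/O=Example Print Co"         # constructed organisation for all subjects

# X.509 v3 extensions: a signing certificate must carry CA:TRUE and keyCertSign;
# a user certificate carries CA:FALSE so it can never sign further certificates.
ca_extensions()   { printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n'; }
user_extensions() { printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=clientAuth\n'; }

# Fresh RSA key (owner-only, unencrypted until the encrypt step) plus signing
# request: $1 = directory, $2 = file stem, $3 = subject.
new_key_and_csr() {
    (umask 077; openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "$3" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null)
}

# "lprng_certs newca": self-signed root in ssl.ca/ca.crt with its key in ca.key.
make_root_ca() {
    mkdir -p "$CA_DIR"
    new_key_and_csr "$CA_DIR" ca "$ORG/OU=Certificate Authority/CN=Example Root CA"
    ca_extensions > "$CA_DIR/ca.ext"
    openssl x509 -req -sha256 -days 3650 -in "$CA_DIR/ca.csr" -signkey "$CA_DIR/ca.key" \
        -extfile "$CA_DIR/ca.ext" -out "$CA_DIR/ca.crt" 2>/dev/null
}

# "lprng_certs gen" for a Signing Authority ($1 = name): signed by the root with
# CA extensions, so that it can in turn sign user and server certificates.
make_signing_ca() {
    new_key_and_csr "$CA_DIR" "$1" "$ORG/OU=Certificate Authority/CN=$1"
    ca_extensions > "$CA_DIR/$1.ext"
    openssl x509 -req -sha256 -days 1825 -in "$CA_DIR/$1.csr" -CA "$CA_DIR/ca.crt" \
        -CAkey "$CA_DIR/ca.key" -CAcreateserial -extfile "$CA_DIR/$1.ext" \
        -out "$CA_DIR/$1.crt" 2>/dev/null
}

# "lprng_certs gen" for a User ($1 = user name, $2 = stem of the signing cert).
make_user_cert() {
    mkdir -p "$CERT_DIR"
    new_key_and_csr "$CERT_DIR" "$1" "$ORG/OU=Users/CN=$1"
    user_extensions > "$CERT_DIR/$1.ext"
    openssl x509 -req -sha256 -days 365 -in "$CERT_DIR/$1.csr" -CA "$CA_DIR/$2.crt" \
        -CAkey "$CA_DIR/$2.key" -CAcreateserial -extfile "$CERT_DIR/$1.ext" \
        -out "$CERT_DIR/$1.crt" 2>/dev/null
}

# "lprng_certs index": an OpenSSL -CApath lookup finds an issuer only through a
# file named <subject-hash>.<n>, so each CA certificate gets such a link (old
# links are dropped first, so this can be rerun after adding a signer).
index_ca_dir() {
    find "$CA_DIR" -maxdepth 1 -type l -name '*.[0-9]' -exec rm -f {} +
    for crt in "$CA_DIR"/*.crt; do
        h=$(openssl x509 -hash -noout -in "$crt")
        n=0
        while [ -e "$CA_DIR/$h.$n" ]; do n=$((n + 1)); done   # subject-hash collision
        ln -s "$(basename "$crt")" "$CA_DIR/$h.$n"
    done
}

# What "lprng_certs verify" reports for the user certificate: "OK" only when the
# chain user -> signer -> root can be assembled from the indexed directory.
verify_user_cert() {
    openssl verify -CApath "$CA_DIR" "$CERT_DIR/$USER_NAME.crt" 2>/dev/null | sed -n 's/^.*: //p'
}

# "lprng_certs encrypt" plus STEP 5 ("Combine CERT and KEY file"): the key is
# wrapped with Triple-DES (the cipher the manual names; -aes256 is the current
# choice) under a random pass phrase kept in client.pwd; client.crt holds the
# certificate followed by the encrypted key.  Both files are owner-only, since
# whoever can read client.pwd can use the key.
install_client_files() {
    mkdir -p "$CLIENT_DIR" && chmod 700 "$CLIENT_DIR"
    (umask 077
     openssl rand -base64 18 > "$CLIENT_DIR/client.pwd"
     { cat "$CERT_DIR/$1.crt"; openssl rsa -in "$CERT_DIR/$1.key" -des3 \
           -passout "file:$CLIENT_DIR/client.pwd" 2>/dev/null; } > "$CLIENT_DIR/client.crt")
}

# Confirms that certificate and key in the combined file belong together by
# comparing RSA moduli, unlocking the key with the pass phrase from client.pwd.
cert_and_key_match() {
    cert_mod=$(openssl x509 -noout -modulus -in "$CLIENT_DIR/client.crt")
    key_mod=$(openssl rsa -noout -modulus -in "$CLIENT_DIR/client.crt" \
                  -passin "file:$CLIENT_DIR/client.pwd" 2>/dev/null)
    [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ]
}

run_demo() {
    make_root_ca; make_signing_ca signer1; make_user_cert "$USER_NAME" signer1
    index_ca_dir; install_client_files "$USER_NAME"
    echo "$CERT_DIR/$USER_NAME.crt: $(verify_user_cert)"
    cert_and_key_match && echo "client.crt: certificate and encrypted key match"
}

if command -v openssl >/dev/null 2>&1; then run_demo; else echo "openssl(1) not found" >&2; fi
```

Run it as an unprivileged user; it only writes under the scratch directory. The verify step prints the same `<cert>: OK` line the lprng_certs transcript shows under RESULT, and the failure mode is just as visible: verifying the user certificate against ca.crt alone fails with "unable to get local issuer certificate", because the signer that actually issued it is not available, which is why the signing certificates, not just the root, have to be present in the indexed ssl.ca directory.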