Submit Hint Search The Forums LinksStatsPollsHeadlinesRSS
14,000 hints and counting!

A fix for broken CUPS admin interface login in 10.3 System
I found recently that I couldn't log in to the CUPS administrative web interface on OS X 10.3.9 with all the updates as of 2005 August 20. I looked on Mac OS X Hints, and found at least one hint relating to this problem, but its proposed solution appeared to be obsolete, as the lines they suggested changing in the CUPS config file were different. At the web site for the makers of CUPS software, though, I found a solution in their FAQ:

MacOS X 10.3.x broke user authentication in the web interface. The following comes from the folks at Apple:

What's happening here is OS X 10.3 (Panther) switched to a form of shadow passwords that cupsd isn't able to read. The getpwent(3) man page discusses the details:

As of Mac OS X 10.3, there are now different per-user behaviours of this function, based on the AuthenticationAuthority value stored for the queried user in DirectoryServices.

If the queried user is still a legacy crypt password user, or now has an AuthenticationAuthority value containing ";basic;", these routines will behave in their standard BSD fashion. These functions will "shadow" the password file, e.g. allow only certain programs to have access to the encrypted password. If the process which calls them has an effective uid of 0, the encrypted password will be returned, otherwise, the password field of the returned structure will point to the string '*'.

By default in Mac OS X 10.3 and later all users will have an AuthenticationAuthority will contain the value ";ShadowHash;". These users will have a visible password value of "********". These functions will have no access to the encrypted password whatsoever. Setting or changing an user password must be done entirely through the DirectoryService APIs for this default user.

Two workarounds for now are:
  • Remove the <Limit GET> / </Limit> lines from /etc/cups/cupsd.conf (it appears this will allow administration without any authentication.)
  • Switch back to crypt passwords. This can be done in Netinfo Manager by changing a user's 'AuthenticationAuthority' from ';ShadowHash;' to ';basic;' and using 'openssl passwd' to set the password. The following macosxhints article talks about this: 10.3: Using UW IMAP and SSL
The CUPS CVS repositories (both Darwin's and ESP's) have been updated to install a pam(8) configuration file that works with these passwords via the pam_securityserver module. This will solve the problem in Tiger.

The Radar bug tracking this is : 7F44: Cannot access CUPS web admin after Security Update 2004-04-05

[robg adds: I haven't tested this one, but note that it does not affect 10.4 and newer...]
    •    
  • Currently 3.00 / 5
  You rated: 5 / 5 (4 votes cast)
 
[15,818 views]  

A fix for broken CUPS admin interface login in 10.3 | 3 comments | Create New Account
Click here to return to the 'A fix for broken CUPS admin interface login in 10.3' hint
The following comments are owned by whoever posted them. This site is not responsible for what they say.
A fix for broken CUPS admin interface login in 10.3
Authored by: leenoble_uk on Aug 26, '05 09:39:21AM

I have yet to install the latest security updates but this might be partly my fault. Seems safe to talk about this now but I reported a bug some time ago to Apple about the fact that anyone can access your cups interface simply by typing your.ip.address:631 into a web browser. Without a password they couldn't do anything except get a list of all your previously printed jobs (document names) but even that might constitute a serious information leak to a business or home user.

Probably a good idea to update now the bug is fixed.

---
So, I said ... well, I can't actually remember exactly what I said. But it was one of the most enormously cruel and frighteningly witty put downs ever.



[ Reply to This | # ]
A fix for broken CUPS admin interface login in 10.3
Authored by: squirri on Aug 26, '05 10:04:37AM

I had the same authentication problem in Panther, trying to use CUPS to let our Windows machines print to a USB HP840C Inkjet, following a hint I found here.

I used the second methos as it seemed to be a bit more secure(not that I'm a Unix expert).

The hint then worked as advertised.

When I moved up to Tiger, I did a clean install after backing up my data(there were a few settings that had got into a mess) and tried the first method - commenting out the 4 lines in /etc/cups/cupsd.conf.

This worked a treat.

Not sure which is the most secure, but the first method is much simpler and less error prone as it doesn't involve cutting and pasting password hashes. I guess you could un-comment out these lines to put the security back where it was



[ Reply to This | # ]
A fix for broken CUPS admin interface login in 10.3
Authored by: mbroughtn on Aug 26, '05 11:27:07AM

Yes, the web interface for CUPS was broken after the Security Update of 2004-04-05. It should be noted that this does not affect users of OS 10.2.x or OS 10.4.x. Additionally, it does not affect some users in OS 10.3.x due to how some accounts were carried forward from OS 10.2.x.

Access to the administrative functions via the web interface are essential for setting up serial printers in OS X. As such, I have provided a patch for this problem since its inception. You can find the patch at http://webpages.charter.net/mbroughtn/ShadowHash_Patch.html.



[ Reply to This | # ]