Hi Everyone,

Here's a bit of background which you can skip unless you want to know why I created this workaround:

There is a printer on the network in the building of my office which does not allow printing through its http interface unless you are physically connected to the network. While in my office, I generally connect to the building's routers with my laptop, as my desk is quite far from the Ethernet socket. At any rate, the printer does not consider the building's router to be a part of the network. I do have an account on a server connected to the printer which I can SSH into. So I have created a bit of a workaround (described below) which allows me to print somewhat seamlessly through CUPS. It is quite an ugly solution but I am mostly curious without potential security issues I have opened up. Of course if anyone has suggestions to make it less ugly, I certainly wouldn't turn them down.

So anyway, here's my most-likely-insecure workaround:

I created a CUPS backend which is really a script whose main function is to run

sudo ssh -l$USER -i$ID_RSA $SERVER < $6 &>> $LOGFILE || exit 1

Where $USER is of course my username on $SERVER, and $ID_RSA is a password-less ssh-key which can only be used by root which I specifically creaated for workaround. (Note that in a CUPS backend, $6 is the location of a ps file with CUPS creates to be printed)

The corresponding entry in the authorized_keys file on the server starts with

command="lp -" ssh-rsa ...

So that using the specific $ID_RSA (to my best understanding) will only try to print the file I supply and then close the connection.

The sudo command is allowed by the sudoers file as such:

%lp ALL=NOPASSWD:/usr/bin/ssh -l$USER -i$ID_RSA $SERVER

where of course the variables are the actual ones I would use. The point is only this one very specific command cay be used by users in lp without a password. Furthermore, no users are in the lp group except root (and the CUPS daemon runs as user "daemon" in group lp, so it can sudo this command without a password).

I am sure there are many security holes in this, but I don't know enough to point them out. So I am turning to those with more experience. Thanks for taking the time to read this!

Thanks,
Ryan