Current best practices for shared printing over the LAN?
Linux - ServerThis forum is for the discussion of Linux Software used in a server related context.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
#1 "best practices" is the buzz that vendors use to convince you to buy the product on which they get the most commission over time. It is also used by proprietary product providers to get you to avoid using better products. It has as much value as "industry standard", which means whatever the speaker wants it to mean.
#3 All of my printing is over a secured internal network. I use encryption on production and work networks, but not on an internal isolated secure subnet. You must evaluate your risk environment to determine if encryption for this specific traffic is appropriate.
#1 "best practices" is the buzz that vendors use to convince you to buy the product on which they get the most commission over time. It is also used by proprietary product providers to get you to avoid using better products. It has as much value as "industry standard", which means whatever the speaker wants it to mean.
I figure on LQ it would still actually mean something, though the phrase does seem to have become co-opted elsewhere. I notice a lot of phrases which were ok a while back have changed meaning to nearly their opposites lately.
Thanks. No, I have not looked at it lately, which is one of the reasons for asking. In particular, anything FOSS but not CUPS would be interesting. I see that most of the pages on the CUPS site are at least two or more years since their last update, and some contain incorrect information.
Other than that, the link you provide is useful, yet it does not surface easily in any of the hour or so of searching I did so far. However, that page does seem to suggest that only the server has its own certificates. What about also having client certificates so that the server knows which connections to allow, sort of like how MQTT does it?
Quote:
Originally Posted by wpeckham
#3 All of my printing is over a secured internal network. I use encryption on production and work networks, but not on an internal isolated secure subnet. You must evaluate your risk environment to determine if encryption for this specific traffic is appropriate.
Maybe half of these print jobs would be over Wi-Fi (WPA2) which in no way can be considered secure. Furthermore, there is massive RF interference intermittently. So I see encryption as essential, not just for the privacy and authenticity aspects.
Back to the certificate problem, it looks like tunneling port 631 TCP over SSH would be the way to go. Then that account would have a locked key and be a member of the group with CUPS access. That would take care of verifying the client as well as the encryption. It just seems like an inefficient and maybe inappropriate move to tunnel TCP over TCP.
... Maybe half of these print jobs would be over Wi-Fi (WPA2) which in no way can be considered secure. Furthermore, there is massive RF interference intermittently. So I see encryption as essential, not just for the privacy and authenticity aspects.
Under those conditions the wonder will be if you can print reliably at all using ANY tools! Finding the source of the "noise" and shielding things to prevent that RF problem would be wonderful!
Quote:
Back to the certificate problem, it looks like tunneling port 631 TCP over SSH would be the way to go. Then that account would have a locked key and be a member of the group with CUPS access. That would take care of verifying the client as well as the encryption. It just seems like an inefficient and maybe inappropriate move to tunnel TCP over TCP.
ANY encryption tunnel is IP of IP, you have just added overhead by encrypting the traffic for security. It will be slower and the packets will either be larger or increased in number. I consider that a worthwhile tradeoff.
SSH uses an SSL encryption tunnel, and will do all of the handshake for you. Where that is an option on both ends it should work. While you could do the encryption entirely under CUPS directly, ssh should serve well enough.
The only alternative to CUPS I have used is LPRNG, which is getting rather long in the tooth these days. Either beats the old LPR/LP/LPD systems. Recent versions of LPRNG can coexist with CUPS, but I have no idea what the advantage in that might be.
When Michael Sweet left Apple in 2019 cups was forked and now there are two versions. Depending on distribution/version linux should use the OpenPrinting version https://openprinting.github.io/cups/ and not Apple cups.
cups does have user authentication which may or may not be satisfactory for your use.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.