Adding Printer via omv-cups fails

  • Hey ladies and gentlemen!


    I have big troubles adding a(ny) printer (two different Epson Stylus Inkers) to omv. Both are recognized by the system and I can choose them in the add-printer prompt. But that's all. I can't finish the configuration - it always gets stuck!


    I surfed the web already and the only real suggestion (it wasn't omv related) I found was to remove the package(s) "foomatic-*" which is only needed for HP-Printers. I tried but couldn't manage it without removing the package "openmediavault-cups" too - which is quite senseless...


    So till here I had no luck - any suggestions? ?(


    Hardware:
    Buffalo Linkstation
    Platform: armv5tel
    Kernel: 3.2.0-4-orion5x #1 Debian 3.2.65-1+deb7u2
    OMV Version: 1.16



    Error message via CUPS-Interface


    Error message via OMV-Interface
    [img=http://s3.postimg.org/9xolowe27/add_printer_via_omv.jpg]

    :thumbup: Heads up! You’re editing your own user account, careless changes might lock you out! :whistling:
    _____________________________________________________________________________


    :) :( ;) :P ^^ :D ;( X( :* :| 8o =O || :/ :S X/ 8) :huh: :rolleyes: 8| :thumbdown: :thumbup: :thumbup: :sleeping: :whistling:
    _____________________________________________________________________________

  • This is serious sh!t


    Another thing I just found out is that the encryption on the cups-webinterface which is automatically installed with the "openmediavault-cups" package (omv ip with port 631) is broken!


    This is a quite high security risk (panic!) as it uses the same credentials to login as the omv-webinterface.


    A man-in-the-middle attack is easy (even with a simple browser extension!) --> resulting in having the admin/root credentials with password in clear text for the whole system! :cursing:


    S U P E R - G A U ! <X<X<X



    Another plugin I checked was extplorer which uses the same (normally very strong) certificate as for the omv-webinterface :thumbup:
    My syncthing installation which creates its own certificate is also very strong :thumbup:


  • And why would this be a problem if you don't forward port 631 from your router to your OMV???? Do'h!!


    Also, when you click on the Administration TAB it forces you to upgrade to SSL. You are not queried for your credentials until you are in a SSL session.


    You could also add a firewall rule like this so it can only be accessed on your LAN. See pic...

  • And why would this be a problem if you don't forward port 631 from your router to your OMV???? Do'h!!


    Why shouldn't this be a problem? Do'h!


    Also, when you click on the Administration TAB it forces you to upgrade to SSL. You are not queried for your credentials until you are in a SSL session.


    It's weak. The SSL session is weak! Actually very weak!


    You could also add a firewall rule like this so it can only be accessed on your LAN. See pic...


    What? It's not exposed to the WAN if it's behind a router with nat...


  • Yeah, so why does it matter if you do not do it over the web. Most are not going to change admin settings of cups via the internet. They will do it on their LAN.


    It is not exposed to the internet if it is behind your router's firewall, unless you forward a port to it.

  • It's weak. The SSL session is weak! Actually very weak!


    It uses SHA1 instead of SHA256. I want to point out that we don't generate the certs for CUPS. I actually don't know where/when they're generated but my guess is in the package from Debian. If that's the case I would guess it's already been changed in Jessie.

  • Yeah, so why does it matter if you do not do it over the web. Most are not going to change admin settings of cups via the internet. They will do it on their LAN.

    It is not exposed to the internet if it is behind your router's firewall, unless you forward a port to it.



    Sorry, I can't allow that! It's a matter of security. No difference between LAN or WAN: Different network same broken encryption




    It uses SHA1 instead of SHA256. I want to point out that we don't generate the certs for CUPS. I actually don't know where/when they're generated but my guess is in the package from Debian. [...]


    You pointed it out. Thanks!


    OMV does a good job with SSL encryption so far - but this (CUPS uses same credentials with a broken ssl-cert as OMV) actually ruins it all. We will hope that it will get fixed soon! Should be top prio!


  • I've tracked down the certificate generation now. The certificate CUPS is using (/etc/ssl/certs/ssl-cert-snakeoil.pem and /etc/ssl/private/ssl-cert-snakeoil.key) is generated by the ssl-cert package. In Wheezy the version is 1.0.32 and this version generates a SHA1 certificate. According to the changelog (found here) they changed from SHA1 to SHA2 in version 1.0.34. Version 1.0.35 is found in Jessie.
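
A way to verify what the post above describes on a given box, as an added example that is not part of the original thread: it reads the signature algorithm of a certificate, flags MD5/SHA-1 signatures, and can create a SHA-256 self-signed replacement. The function names, the `--check` switch and the output file names are hypothetical; only the snakeoil path comes from the post.

```shell
#!/bin/sh
# Added example: audit the signature hash of a TLS certificate.
# Function names and output paths are hypothetical; only the snakeoil
# path below comes from the thread.
SNAKEOIL_CERT=/etc/ssl/certs/ssl-cert-snakeoil.pem

# Print the signature algorithm of a PEM certificate,
# e.g. sha1WithRSAEncryption. Prints nothing if the file cannot be parsed.
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        awk '/Signature Algorithm:/ { print $3; exit }'
}

# Succeed (0) when the algorithm name denotes an MD5- or SHA-1-based signature.
sig_alg_is_weak() {
    case "$1" in
        md5*|sha1*|dsaWithSHA1|ecdsa-with-SHA1) return 0 ;;
        *) return 1 ;;
    esac
}

# Report on one certificate: 0 = acceptable hash, 1 = weak hash, 2 = unreadable.
report_cert() {
    alg=$(cert_sig_alg "$1")
    if [ -z "$alg" ]; then
        echo "$1: not a readable PEM certificate" >&2; return 2
    fi
    if sig_alg_is_weak "$alg"; then
        echo "$1: WEAK signature hash ($alg)"; return 1
    fi
    echo "$1: ok ($alg)"
}

# Create a self-signed RSA-2048 certificate signed with SHA-256 in directory $1
# for host name $2, with the private key readable by the owner only.
make_sha256_selfsigned() (
    umask 077
    openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days 3650 \
        -subj "/CN=$2" -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
)

# Usage: sh check-cert.sh --check [certificate]   (defaults to the snakeoil cert)
if [ "${1:-}" = "--check" ]; then
    report_cert "${2:-$SNAKEOIL_CERT}"
fi
```
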

  • Different network same broken encryption


    Here are people that open port 80 to the WAN. You're the first to actually care about any SSL security flaws inside LAN. Do you expect a Man-in-the-Middle Attack inside your LAN?


    Your concern may be valid. But the risk is nearly zero to nothing.


    As HK pointed out, it's not in our hands to change something that is controlled by a package maintainer. You can request however that we take a look into this issue and see if we could improve the certificate creation on Wheezy, manually. Not sure if that's possible with 1.0.32. ;)


    PS: You're right. You're just the first one to notice and to care about it.


    Greetings
    David

    "Well... lately this forum has become support for everything except omv" [...] "And is like someone is banning Google from their browsers"


    Only two things are infinite, the universe and human stupidity, and I'm not sure about the former.

    Upload Logfile via WebGUI/CLI
    #openmediavault on freenode IRC | German & English | GMT+1
    Absolutely no Support via PM!


  • CUPS uses same credentials with a broken ssl-cert as OMV


    No, all he is saying is not correct. The cert is not broken. It just does not provide the higher level of security/encryption of SHA2. He could use a firewall rule to limit the PCs that can access on the LAN.

  • No, all he is saying is not correct. The cert is not broken. It just does not provide the higher level of security/encryption of SHA2. He could use a firewall rule to limit the PCs that can access on the LAN.


    No, all he is saying is correct. The cert is technically broken because it uses broken or very-weak (easy to break) techniques. There are people who give a sh!t about security (like the german government, many companies and probably you) but for people who care about data integrity and security in general this is not a way to go! There are also people who use Microsoft Windows XP.... <X ...and ATMs using MS Win XP :thumbup:


    As of today it still uses the broken cert (and old cups-version 1.5.3)



  • BACK TO TOPIC:


    I found out that there is no suitable driver - or that the right driver can't be selected:


    I hit:

    Code
    sudo lpinfo --make-and-model 'Epson Stylus DX' -m


    and the response is

    Code
    lpinfo: Success


    but the response should be


    ...like it is on my client machine.


    How can I get the things right in OMV? How can I add printing-drivers to my OMV-Installation?


  • The two times I've added a printer to omv I went to the manufacturer's website and grabbed the driver there. Brother gives you the package in deb and rpm. Don't know about Epson. I've read the whole post and I couldn't find which printer you were trying to add.


    I want to add an Epson Stylus DX 3850 or/and an Epson D88 which both are using a gutenprint driver: http://www.openprinting.org/driver/gutenprint


    The package which contains the driver should be: printer-driver-gutenprint (https://packages.debian.org/wheezy/printer-driver-gutenprint)


    I actually have the package installed on my system but I can't access them via cups. I once read something that there is an option to merge something to see the drivers in lpinfo - but I don't know what ?(


    • Official post

    I ran the command lpinfo --make-and-model 'Epson Stylus DX' -m and it gave me all the drivers.


    Also lpinfo -m | grep Epson | grep DX outputted correctly






    Code
    dpkg -l | grep guten
    ii  libgutenprint2                                              5.2.9-1                            amd64        runtime for the Gutenprint printer driver library
    ii  printer-driver-gutenprint                                   5.2.9-1                            amd64        printer drivers for CUPS
  • I have it all:


    dpkg -l | grep guten


    Code
    ii  cups-driver-gutenprint               5.2.9-1                       all          transitional dummy package for gutenprint printer driver
    ii  foomatic-db-gutenprint               5.2.9-1                       all          OpenPrinting printer support - database for Gutenprint printer drivers
    ii  gutenprint-locales                   5.2.9-1                       all          locale data files for Gutenprint
    ii  ijsgutenprint                        5.2.9-1                       armel        inkjet server - Ghostscript driver for Gutenprint
    ii  libgutenprint2                       5.2.9-1                       armel        runtime for the Gutenprint printer driver library
    ii  printer-driver-gutenprint            5.2.9-1                       armel        printer drivers for CUPS


    Maybe too much? I read that these foomatic* stuff (as I know for hp-devices only) causes problems with other drivers. One hint was to kick it from the system - but because of dependencies I can't do it. It will remove all cups components too...


    lpinfo -m | grep Epson | grep DX


    Code
    lpinfo: Success


    8|
