#, fuzzy
msgid ""
msgstr ""
"Project-Id-Version: cups 1.4b2\n"
"Report-Msgid-Bugs-To: \n"
"POT-Creation-Date: 2009-01-10 21:21-0200\n"
"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
"Last-Translator: FULL NAME \n"
"Language-Team: LANGUAGE \n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"
"X-Generator: Translate Toolkit 1.2.1\n"

#: ./security.html:1
msgid "Server Security"
msgstr ""

#: ./security.html:2
msgid ""
"In the default \"standalone\" configuration, there are few potential security "
"risks - the CUPS server does not accept remote connections, and only accepts "
"shared printer information from the local subnet. When you share printers "
"and/or enable remote adminstration, you expose your system to potential "
"unauthorized access. This help page provides an analysis of possible CUPS "
"security concerns and describes how to better secure your server."
msgstr ""

#: ./security.html:3
msgid "Authentication Issues"
msgstr ""

#: ./security.html:4
msgid ""
"When you enable remote administration, the server will use Basic "
"authentication for adminstration tasks. The current CUPS server supports "
"Basic, Digest, and local certificate authentication:"
msgstr ""

#: ./security.html:5
msgid ""
"Basic authentication essentially places the clear \ttext of the username and "
"password on the network."
msgstr ""

#: ./security.html:6
msgid ""
"Since CUPS uses the system username and password \taccount information, the "
"authentication information could \tbe used to gain access to possibly "
"privileged accounts on \tthe server."
msgstr ""

#: ./security.html:7
msgid ""
"Recommendation: Enable encryption to hide the \tusername and password "
"information - this is the default on \tMacOS X and systems with GNU TLS or "
"OpenSSL installed."
msgstr ""

#: ./security.html:8
msgid ""
"Digest authentication uses an MD5 checksum of the \tusername, password, and "
"domain (\"CUPS\"), so the original \tusername and password is not sent over the "
"network."
msgstr ""

#: ./security.html:9
msgid ""
"The current implementation does not authenticate the \tentire message and "
"uses the client's IP address for the \tnonce value, making it possible to "
"launch \"man in the \tmiddle\" and replay attacks from the same client."
msgstr ""

#: ./security.html:10
msgid ""
"Recommendation: Enable encryption to hide the \tusername and password "
"information."
msgstr ""

#: ./security.html:11
msgid ""
"Local certificate authentication passes 128-bit \t\"certificates\" that "
"identify an authenticated user. \tCertificates are created on-the-fly from "
"random data and \tstored in files under /var/run/cups/certs. \tThey "
"have restricted read permissions: root + \tsystem-group(s) for the root "
"certificate, and lp + lp \tfor CGI certificates."
msgstr ""

#: ./security.html:12
msgid ""
"Because certificates are only available on the local \tsystem, the CUPS "
"server does not accept local \tauthentication unless the client is connected "
"to the \tloopback interface (127.0.0.1 or ::1) or domain \tsocket."
msgstr ""

#: ./security.html:13
msgid ""
"Recommendation: Ensure that unauthorized users \tare not added to the "
"system group(s)."
msgstr ""

#: ./security.html:14
msgid "Denial of Service Attacks"
msgstr ""

#: ./security.html:15
msgid ""
"When printer sharing or remote administration is enabled, the CUPS server, "
"like all Internet services, is vulnerable to a variety of denial of service "
"attacks:"
msgstr ""

#: ./security.html:16
msgid ""
"Establishing multiple connections to the server until \tthe server will "
"accept no more."
msgstr ""

#: ./security.html:17
msgid ""
"This cannot be protected against by any known \tsoftware. The "
"MaxClientsPerHost directive \tcan be used to configure CUPS to "
"limit the number of \tconnections allowed from a single host, however that "
"does \tnot prevent a distributed attack."
msgstr ""

#: ./security.html:18
msgid "Recommendation: Limit access to trusted systems \tand networks."
msgstr ""

#: ./security.html:19
msgid ""
"Repeatedly opening and closing connections to the \tserver as fast as "
"possible."
msgstr ""

#: ./security.html:20
msgid ""
"There is no easy way of protecting against this in the \tCUPS software. If "
"the attack is coming from outside the \tlocal network, it may be possible to "
"filter such an \tattack. However, once the connection request has been \t"
"received by the server it must at least accept the \tconnection to find out "
"who is connecting."
msgstr ""

#: ./security.html:21
msgid "Recommendation: None."
msgstr ""

#: ./security.html:22
msgid "Flooding the network with broadcast packets on port \t631."
msgstr ""

#: ./security.html:23
msgid ""
"It might be possible to disable browsing if this \tcondition is detected by "
"the CUPS software, however if \tthere are large numbers of printers available "
"on the \tnetwork such an algorithm might think that an attack was \toccurring "
"when instead a valid update was being \treceived."
msgstr ""

#: ./security.html:24
msgid ""
"Recommendation: Block browse packets from \tforeign or untrusted "
"networks using a router or \tfirewall."
msgstr ""

#: ./security.html:25
msgid ""
"Sending partial IPP requests; specifically, sending \tpart of an attribute "
"value and then stopping \ttransmission."
msgstr ""

#: ./security.html:26
msgid ""
"The current code will wait up to 1 second before \ttiming out the partial "
"value and closing the connection. \tThis will slow the server responses to "
"valid requests and \tmay lead to dropped browsing packets, but will otherwise "
"\tnot affect the operation of the server."
msgstr ""

#: ./security.html:27
msgid ""
"Recommendation: Block IPP packets from foreign \tor untrusted networks "
"using a router or \tfirewall."
msgstr ""

#: ./security.html:28
msgid ""
"Sending large/long print jobs to printers, preventing \tother users from "
"printing."
msgstr ""

#: ./security.html:29
msgid ""
"There are limited facilities for protecting against \tlarge print jobs (the "
"MaxRequestSize \tattribute), however this will not protect "
"printers from \tmalicious users and print files that generate hundreds or \t"
"thousands of pages."
msgstr ""

#: ./security.html:30
msgid ""
"Recommendation: Restrict printer access to \tknown hosts or networks, "
"and add user-level access \tcontrols as needed for expensive printers."
msgstr ""

#: ./security.html:31
msgid "Encryption Issues"
msgstr ""

#: ./security.html:32
msgid ""
"CUPS supports 128-bit SSL 3.0 and TLS 1.0 encryption of network connections "
"via the OpenSSL, GNU TLS, and CDSA encryption libraries. In additional to "
"the potential security issues posed by the SSL and TLS protocols, CUPS "
"currently has the following additional issue:"
msgstr ""

#: ./security.html:33
msgid ""
"Certification validation/revocation; currently CUPS \tdoes not validate or "
"revoke server or client certificates \twhen establishing a secure connection. "
"This can \tpotentially lead to \"man in the middle\" and \t"
"impersonation/spoofing attacks over unsecured networks. \tFuture versions of "
"CUPS will support both validation and \trevocation of server certificates."
msgstr ""

#: ./security.html:34
msgid ""
"Recommendation: Do not depend on encryption for \tsecurity when "
"connecting to servers over the Internet or \tuntrusted WAN links."
msgstr ""