@rbtylee
Created August 28, 2021 17:57
Secure printing on Ubuntu Desktop Linux

Secure printing on Ubuntu Desktop

Out of the box, Ubuntu Desktop implements a hybrid solution for printing that could get a user in some trouble if they're not careful. These notes are intended to help correct that.

My reference system is running Ubuntu Desktop 18.04.5 on an x86_64 workstation with the default Gnome Project environment. The printer used for testing was an HP LaserJet Pro MFP M130nw connected to the local network over wired ethernet.

Ubuntu packages vs downloads

Almost everywhere on the Internet you'll see advice to download various components directly from a vendor's site. Don't. Just rely on the Ubuntu packages provided with Desktop 18.04 and later. They are more than sufficient to get the job done.

For HP devices: You do not need to run hp-setup or any other HP utility to make this solution work on Ubuntu. In fact, I recommend against it. At least on Ubuntu, follow the procedure described below to set up printers using IPP instead. Someday I may draft a gist that deals with this for Windows machines, but I still have some living to do before that.

A note on IPPS vs everything else

I think IPPS, the "Internet Printing Protocol over HTTPS", is the best choice for secure printing at work or in the home. All communications between the printer client and printer server are encrypted, and IPPS is a modern standard from this, as opposed to the last, century. It is trivial to set up printing on Windows, Mac or Linux to use it. There really is no excuse. While IPPS is preferred, some printer manufacturers may not yet have gotten with the program and as a result it can't be used without some additional configuration (this is the reason that the Microsoft printer wizard defaults to using IPP). By all means, do that additional configuration if you can. Otherwise, use unencrypted IPP and hope for better days (while airgapping your personal information from the printer).

CUPS libraries and drivers

CUPS is the "Common Unix Printing System" service that is installed with Ubuntu Desktop systems. The CUPS packages come from a 2018 release that is continuously patched by the Ubuntu Project to address any security issues. In addition, the latest packages for HPLIP provided are based on a 2019 release, and have been similarly patched.

For HP printers, the packages installed should include the following:

hplip
hplip-data
printer-driver-hpcups

If you have an older HP printer, I suggest also installing the hpijs-ppds and printer-driver-hpijs packages.

Before going further, I do recommend running the following to update the filename database used by your system's locate command (to aid various software components in their efforts to find each other):

$ sudo updatedb

Zeroconf and Printing

Zeroconf, or Zero Configuration is a nice dream for developers: but can be an absolute nightmare for sysadmins and users. Zeroconf aims to allow the system to configure itself automatically for all kinds of external devices, from music players to printers. For many releases of Ubuntu Desktop now, the system is designed to detect any and all printers on the local subnet that are advertising using a number of Zeroconf protocols, and automatically set them up for immediate use.

This is bad for so many reasons, but I'll posit one scenario that should give anyone pause: you sit down in your local coffee shop, acquire an Internet connection and then accidentally hit "print" on an Evince (PDF reader) window open to your soon-to-be-filed tax return, causing it to be printed on the shop's printer back with the baristas. Now you have to kill them all.

The problem was that the avahi daemon (designed to emulate and interoperate with Apple's Bonjour, a Zeroconf service), in concert with the CUPS service, had successfully done what the Gnome Project designed them to do: automatically set up the coffee shop printer for immediate use.

NOTE: This "helpful" behavior is also the default for MacOS and Windows, although each uses different protocols to achieve it.

Removing Zeroconf

Want to prevent this? Then know that you'll need to give up Zeroconf. Period. Because, at least on Ubuntu Desktop, there's no "switch" to prevent the system from using the results of its constant scanning for Zeroconf devices to then install them to your system in the background. The consequences of doing this will be that it may, nay it almost certainly will, be harder to get printers to work with your system -- and the task will be even harder given the poor and outdated state of the documentation, and the fact that it almost all relies on Zeroconf being enabled.

To disable Zeroconf for printing (and everything else):

$ sudo apt remove --purge cups-browsed
$ sudo apt remove --purge avahi-daemon

Note: It is not enough to simply disable or remove the CUPS browsing daemon. You must also disable (ha, good luck with that!) or remove avahi browsing, because Gnome doesn't use CUPS to browse and install printers directly. Instead it uses avahi, which in turn uses various CUPS libraries, to get the job done.
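After purging the two packages, it is worth confirming that nothing discovery-related survived. The following script is an added example and is not part of the original gist: it checks that cups-browsed and avahi-daemon are neither installed nor running, and that cupsd itself is not advertising its queues ("Browsing Off" in /etc/cups/cupsd.conf, the directive CUPS uses for DNS-SD advertising of shared printers). The package names and config path are the Ubuntu 18.04 ones; the CUPSD_CONF override and the --audit flag are my own conventions.

```sh
#!/bin/sh
# Added example, not from the original gist: audit a Desktop for leftover
# Zeroconf printer discovery after "apt remove --purge cups-browsed avahi-daemon".
# Assumptions: Ubuntu package names, /etc/cups/cupsd.conf (override via CUPSD_CONF).

# Read cupsd.conf text from stdin and report the Browsing directive as
# "On", "Off" or "unset". CUPS accepts Yes/No as well as On/Off, so both
# spellings are normalised; "unset" means the compiled-in default applies.
browsing_directive() {
    val=$(awk 'tolower($1) == "browsing" { v = tolower($2) } END { print v }')
    case "$val" in
        on|yes) echo On ;;
        off|no) echo Off ;;
        *)      echo unset ;;
    esac
}

# 0 if dpkg still lists the package as installed, 1 otherwise.
pkg_installed() {
    dpkg-query -W -f='${Status}\n' "$1" 2>/dev/null | grep -q 'ok installed'
}

# Print one FINDING line per problem; return 1 if anything was found.
audit_zeroconf() {
    rc=0
    for p in cups-browsed avahi-daemon; do
        if pkg_installed "$p"; then
            echo "FINDING: package $p is still installed"
            rc=1
        fi
        if pgrep -x "$p" >/dev/null 2>&1; then
            echo "FINDING: $p is still running"
            rc=1
        fi
    done
    conf="${CUPSD_CONF:-/etc/cups/cupsd.conf}"
    if [ -r "$conf" ]; then
        b=$(browsing_directive < "$conf")
        if [ "$b" != Off ]; then
            echo "FINDING: Browsing is $b in $conf; add 'Browsing Off' so cupsd never advertises queues"
            rc=1
        fi
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK: no Zeroconf printer discovery components found"
    fi
    return "$rc"
}

# Run the audit only when asked, so the functions can also be sourced.
if [ "${1:-}" = "--audit" ]; then
    audit_zeroconf
fi
```

Run it as `sh zeroconf-audit.sh --audit`; a non-zero exit means at least one finding was printed. Removing avahi-daemon already takes away the DNS-SD transport, so the Browsing check is belt and braces, but it is the one setting that would matter again if avahi ever came back as a dependency of something else.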

Installing IPP printers without Zeroconf

This would be easy if Gnome's current interface for printing provided more options for manual installation of printers. But it doesn't. Because "Zeroconf will take care of that".

All hope is not lost, however, because some very smart people actually figured this out some time ago.

Create a PPD file

A Postscript Printer Definition, or PPD, is designed to provide your printing system with all the information it needs to successfully send print jobs to your printer hardware. It does this by encoding printer features in Adobe's Postscript printer programming language.

Creating PPDs would be a painfully tedious exercise, if not for the driverless utility from the CUPS project. With driverless you can create a PPD file for IPP (or IPPS) printing from an existing (IPP or IPPS enabled) printer in seconds.

All you need is the IPP or IPPS URI of the target printer, which, fortunately, is something that most vendors have standardized on: following the examples given in RFC7472. As a result, the URI will probably be either "ipp://[printer FQDN or IP Address]/ipp" (unencrypted/insecure) or "ipps://[printer FQDN or IP Address]/ipp" (encrypted/secure) for the first or default queue.

For example:

ipp://192.168.8.23/ipp
ipps://192.168.8.23/ipp
ipp://printer1.example.com/ipp
ipps://printer1.example.com/ipp

You can create a PPD with driverless by running it with the printer's IPP URI:

$ export IPP_URI="ipps://printer1.example.com/ipp"
$ driverless $IPP_URI > ippdriverless.ppd

Setting up a printer in the CUPS GUI

The resulting PPD file can be imported through the CUPS system-config-printer GUI (found in Ubuntu under "Settings... Devices... Printers..." in the Gnome desktop system).

  • Click "Additional Printer Settings... Add".
  • Wait for the dialog to populate and select either "Internet Printing Protocol (ipp)" or "Internet Printing Protocol (ipps)".
  • Enter the IPP URI for the printer, then click "Forward".
  • On the "Choose Driver" screen, click "Provide PPD file".
  • Browse your filesystem for the file and "Open". Then click "Forward".
  • Fill out the "Describe Printer" form and "Apply".
  • Print a test page to verify it works.

Setting up a printer using the CUPS CLI

OR...

You could just use CUPS's lpadmin in a terminal:

$ lpadmin -p printer1 -E -v ipp://printer1.example.com/ipp -P ~/tmp/ippdriverless.ppd

Where -p is the display name of the printer, -E enables it, -v is the printer URI, and -P the full path to the printer's PPD file.

Having a PPD on hand is the key to making this such an easy task.

Check out the CUPS Project doc on Command-Line Printer Administration and Command-Line Printing Options for more.
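The two steps above (driverless to make the PPD, lpadmin to register the queue) fit naturally into one small script. What follows is an added example of my own, not code from the gist or from the CUPS project: it builds the RFC 7472-style URI for the default queue, refuses anything that is not an ipp:// or ipps:// URI, warns when the unencrypted scheme is chosen, then runs driverless and lpadmin exactly as described. The hostname printer1.example.com, the queue name and the PPD path are placeholders; cupstestppd is CUPS' own PPD conformance checker and is only run if present.

```sh
#!/bin/sh
# Added example, not from the original gist: set up an IPP/IPPS queue without
# Zeroconf. Assumes CUPS' driverless, lpadmin and lpstat are installed and the
# user may administer printers (lpadmin group or sudo).

# Build the default-queue URI for a printer: ipps://host/ipp (secure, the
# default) or ipp://host/ipp (insecure). usage: ipp_uri <host> [secure|insecure]
ipp_uri() {
    host="$1"
    mode="${2:-secure}"
    case "$mode" in
        secure)   printf 'ipps://%s/ipp\n' "$host" ;;
        insecure) printf 'ipp://%s/ipp\n' "$host" ;;
        *) echo "ipp_uri: mode must be secure or insecure" >&2; return 2 ;;
    esac
}

# 0 only for the encrypted ipps:// scheme.
uri_is_encrypted() {
    case "$1" in
        ipps://*) return 0 ;;
        *)        return 1 ;;
    esac
}

# 0 only for an ipp:// or ipps:// URI that also names a resource path.
uri_is_valid() {
    case "$1" in
        ipp://*/*|ipps://*/*) return 0 ;;
        *)                    return 1 ;;
    esac
}

# Ask the printer for its own PPD via driverless; sanity-check it if cupstestppd exists.
make_ppd() {  # make_ppd <uri> <ppd-path>
    driverless "$1" > "$2" || { echo "driverless failed for $1" >&2; return 1; }
    if command -v cupstestppd >/dev/null 2>&1; then
        cupstestppd "$2"
    fi
}

# Register the queue: -p name, -E enable and accept jobs, -v device URI, -P PPD.
add_printer() {  # add_printer <queue> <uri> <ppd-path>
    lpadmin -p "$1" -E -v "$2" -P "$3"
}

main() {
    host="${1:-printer1.example.com}"   # placeholder host
    queue="${2:-printer1}"
    mode="${3:-secure}"
    ppd="${TMPDIR:-/tmp}/${queue}-driverless.ppd"
    uri=$(ipp_uri "$host" "$mode") || exit 2
    uri_is_valid "$uri" || { echo "refusing non-IPP URI: $uri" >&2; exit 2; }
    if ! uri_is_encrypted "$uri"; then
        echo "warning: $uri is plain IPP; job data crosses the network unencrypted" >&2
    fi
    make_ppd "$uri" "$ppd" || exit 1
    add_printer "$queue" "$uri" "$ppd" || exit 1
    lpstat -p "$queue"   # confirm the queue exists and is enabled
}

# Only the explicit --setup invocation touches the system; sourcing just
# defines the functions. usage: sh ipp-setup.sh --setup <host> [queue] [secure|insecure]
if [ "${1:-}" = "--setup" ]; then
    shift
    main "$@"
fi
```

`sh ipp-setup.sh --setup printer1.example.com printer1` produces the same queue as the one-line lpadmin above, but with the URI scheme checked first; passing `insecure` as the third argument still works, and prints the warning, which is the right place to decide whether you really want to fall back to plain IPP.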

Printer Hardware Configuration

You won't have control over the configuration for some of the printers your machine encounters. But for those you do have control over, it might be time for a review of just what they're opened up to.

I especially like this support article: HP Printers - Minimum security settings for products on the open Internet.

There are more models of printers in the universe than there are earth-like planets, or so it sometimes seems. For security purposes, most modern printers ship by default with pretty much every access protocol enabled. That is A Bad Thing [TM]. In my home, at least, these are the only protocols left enabled on our printers:

  • IPv4
  • IPv6
  • IPP Printing
  • IPPS Printing
  • eCCL
  • Show IP Address
  • WS-Discovery
  • WS-Scan

Why WS-Discovery and WS-Scan? Because the dumb Windows clients here at the house can't acquire the MFP scanner over the network without them. A regrettable but necessary compromise (one that isn't necessary with our Linux machines -- see this gist on that). Note that eCCL is used to send a "wake-up call" to a sleeping printer on the local network.

Since our printers all have up-to-date wildcard certs issued by Let's Encrypt installed, we never have cert errors using IPPS.

What we've explicitly disabled is:

Printing Protocols

  • LPD
  • LPD Banner Page Printing
  • 9100 Printing
  • Apple AirPrint
  • FTP Printing

Discovery and Configuration Protocols

  • SLP
  • Bonjour (Apple)
  • eSCL (Apple AirPrint-Scan)
  • WS-Print
  • SOAP Scan
  • LLMNR

Printer Networking

  • DHCP
  • DHCPv6
  • BOOTP
  • AUTOIP
  • Enable DHCPv4 FQDN compliance with RFC 4702

Most of these are there to support Zeroconf using various technologies. Some were adopted as standards at some point, others promoted as proprietary solutions by one or more vendors or industry groups. None are essential to providing print services, unless you're running a 1990s mainframe, a pre-Darwin Mac or maybe an iPhone (my Android can do IPPS printing).
