[86] in Resnet-Forum


Stanford's Printing Authentication and Charge-Back System

daemon@ATHENA.MIT.EDU (Mike!)
Wed Dec 1 07:58:36 1993

Date: Wed, 1 Dec 1993 07:41:19 -0500
To: resnet-forum@MIT.EDU
From: Mike.W.Miller.40@nd.edu (Mike!)

A couple weeks ago I asked if anyone from Stanford could give me an
overview of their (Mac) printing authentication and charge-back system. 
Stuart Cheshire <cheshire@cs.stanford.edu> was kind enough to send me this
document outlining their set-up and how it works.  Be sure to read the
caveat at the end.

This is reposted with the permission of Mr. Cheshire.  Dane, perhaps a copy
of this document could be put up on Stanford's W3 Residential Computing
Server?

Mike!

===================================================================

Overview of the Cheshire/Crellin Macintosh Print Accounting Package
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The Cheshire/Crellin Macintosh Print Accounting Package was designed to meet
the needs of the Stanford University Residential Computing Program, and has
also been widely installed throughout other Stanford University departments.

It was developed in an environment of hundreds of printers accessible
from thousands of insecure Macintosh computers both in public computer
rooms and in student apartments networked with LocalTalk and/or Ethernet.

The security system therefore had to be (1) fool-proof, (2) fail-safe and
(3) versatile.

1. Fool Proof.

There is no log-in procedure as most security systems have, since
these systems always suffer from the user who forgets to log out, and
then after the account is abused, refuses to pay the printing bill.

Instead, the user is presented with an authentication dialog every
time a document is printed. The previous username is remembered, so
for repeated printing, only the password has to be re-entered.

For single-user Macs which are not in public use there is the option of a
'login mode' where the password is only entered for the first print job,
and reused for subsequent printing until the Mac is shut down, but there
has been no demand for this at Stanford. It appears that users do not find
that entering a password is as much of an inconvenience as we might think.

2. Fail Safe.

Like most accounting systems, the Cheshire/Crellin package requires special
software to be loaded onto the Macintosh Computers. Unlike most other systems,
this system refuses printing in the absence of that special software.

This is essential because Macintosh computers are cheap, portable, and
insecure. It is in general not possible to prevent users from modifying the
System Folder, booting the Mac off their own floppy disk, or attaching
their own Macintosh PowerBook computer to the network. Even when they have
complete control over the computer they are using and its System Software,
it must still be impossible for users to bypass the accounting system.

3. Versatile.

The system has to support different kinds of printers, with different
charging rates, and has the facility to specify individually for each
printer which users are authorized to use it. It also allows certain
user accounts and/or certain printers to require pre-payment, while
others can print first and pay later, up to some chosen credit limit.
Some departments do not charge at all, but simply use the system
to restrict printer access to department members only.

Even when no charging is being done, wastage reduces dramatically.
The simple fact that all printing is accountable makes people much
more careful not to accidentally print program listings on the $10
per-page color printer.

The system is carefully designed not to interfere with the Macintosh
printing process. The Stanford network has every kind of Macintosh
computer, running many different versions of the Operating System,
many different applications, and many subtly different variations
of the Standard LaserWriter driver.

To minimize the possibility of incompatibility, no changes were made
to the standard Macintosh printing mechanism.  Instead, a completely
separate piece of software -- the "Macintosh Authenticator" -- was
written.


Components of the Package
~~~~~~~~~~~~~~~~~~~~~~~~~

The package consists of two components, either of which may be used
individually, or both together as they are at Stanford.

1. Macintosh user authentication, provided by our authentication library
   on the print servers, in conjunction with our Macintosh Authenticator
   software running on the Macintosh computers.

2. Accounting, provided by our Unix print accounting package.


Details of Operational System
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

An operational system using the Cheshire/Crellin Macintosh Print
Accounting system consists of two or three components.

The first component -- the Macintosh Authenticator -- remains unchanged
in all configurations.

The second component -- the network printing service emulating a
LaserWriter -- exists in many commercial and public domain forms, which are
simply augmented by the addition of a call to our authentication library.

The third component -- the accounting -- is optional depending on whether
you wish to account for number of pages printed or simply to control access
to certain printers (eg. expensive color printers). If you have an existing
accounting system already set up then that may be used instead of ours.

The components:

1. Macintosh Authenticator. This 'INIT' software for the Macintosh takes
   up less than 20K of disk space and only 8K of System RAM when installed.

When contacted by network services requiring authentication, such as
printing, the Macintosh Authenticator prompts the user for a username and
password to verify their identity. The network service can then determine
whether access to the requested service is permitted.  For example, at
Stanford, certain color printers are restricted to authorized users only.

2. Network Printing service modified to request authorization from the
   Macintosh Authenticator before allowing printing.

Stanford Residential Education uses the Columbia AppleTalk Package
(CAP) LaserWriter server (lwsrv) with a call to the authentication
library added at the appropriate point. The CAP lwsrv program runs on
our NeXT computers, receives print jobs from (properly authenticated)
Macintosh users, and prints them on the attached NeXTPrinter.

The authentication at Stanford is performed using either the user's
campus-wide AFS account password, or the standard Unix password file,
but the authentication test could easily be made to use any password
mechanism to determine whether or not the offered password is correct.

It is possible to add the authentication call to any software package
offering LaserWriter service on the AppleTalk network, providing of
course that you have access to the source code in order to make the
modification.  It is therefore NOT possible to add security to an
existing Apple LaserWriter, unless you have the facility to modify its
ROMs. One popular alternative is to remove the Apple LaserWriter from the
network entirely, and make it accessible only via a Unix machine running
the CAP lwsrv, which of course can be made secure.  This also has the
other advantage that it obviates the need for background printing on the
Macs (ie PrintMonitor), since the Unix machine fulfills this role of
rapidly spooling the print job and then queueing it to be printed in turn.

3. Accounting package. Either our print accounting package or an existing
   system may be used. The authenticating print service establishes the
   Macintosh user's identity via the Macintosh Authenticator, and from there
   on the accounting system tracks it exactly as if that user had logged in
   and issued a normal print command (eg. "lpr filename" on Unix).

The Cheshire/Crellin accounting software is tailored for NeXT computers,
but is applicable to any Unix system. Authenticated Macintosh printing
is just one source of print jobs which are controlled by this system.
Printing by Unix "lpr" command and printing from NeXT applications
"Print" command also pass through this same accounting process.

The authenticated LaserWriter printing service queries the accounting
package to check the user's balance, so that the Macintosh user can be
informed of the current balance, and notified if the printing is disallowed.

If the user prints via "lpr" then refusal of printing is notified by a
message written to the user's tty in the manner of the Unix "write" command.

If the user prints from a NeXT application then refusal of printing is
notified by a NeXT alert window on the screen.


Example sequence of events for Macintosh printing
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

When a user selects "Print" from the "File" menu, the application
communicates with the LaserWriter driver, which communicates over
the network to the LaserWriter service.

A CAP lwsrv process handles the print request, first contacting the
Macintosh Authenticator, which prompts the user for a username and password.
If the user's identity is verified, the process sends the user's balance to
the Macintosh Authenticator which displays it on the screen, and printing
of the queued print job commences.  If the user's identity is not verified,
the user is prompted again until they enter a correct username and
password, or elect to cancel the print job. Nothing is printed unless (1)
the user's identity is verified, (2) the user is authorized to use the
printer, and (3) the user has sufficient funds in their printing account,
where "sufficient" is determined according to the specific rules for that
user and that particular printer.


Caveat
~~~~~~

P.S. The authors of this print accounting package are both foreign
citizens living in the United States at Stanford on F-1 student visas,
and under current US law they are subject to deportation if this software
is offered for use outside the Stanford campus. Until US law changes,
or the authors are given "green cards" in the AA-1 visa lottery, this
restriction will continue to be a problem. Any suggestions or assistance
you can offer will be gratefully received.
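
The three conditions from the example sequence (identity verified, user authorized for the printer, sufficient funds under the pre-payment or credit-limit rule) written as one fail-safe decision function. This is an added example, not code from the Cheshire/Crellin package or CAP lwsrv; every type and function name, the cent-based balances, the sample accounts and printers, and the assumption that a page count is known before printing are hypothetical.

```c
#include <stdbool.h>
#include <string.h>

/* Added illustration: every type, name and value here is hypothetical. */
typedef enum { AUTH_NO_REPLY, AUTH_REJECTED, AUTH_VERIFIED } auth_t;
typedef enum { PRINT_OK, DENY_NO_AUTHENTICATOR, DENY_IDENTITY, DENY_PRINTER_ACL,
               DENY_FUNDS, DENY_BAD_REQUEST } decision_t;

typedef struct {
    const char *user;
    int balance_cents;       /* negative means the user owes money */
    int credit_limit_cents;  /* how far below zero a pay-later user may go */
    bool prepay;             /* this account must pay before printing */
} account_t;

typedef struct {
    int cents_per_page;               /* 0 = access control only, no charge */
    bool prepay;                      /* this printer requires pre-payment */
    const char *const *allowed_users; /* NULL-terminated list */
} printer_t;

static bool on_acl(const printer_t *p, const char *user) {
    for (const char *const *u = p->allowed_users; u != NULL && *u != NULL; u++)
        if (strcmp(*u, user) == 0) return true;
    return false;
}

/* Fail-safe: only the single path that passes all three checks prints. */
decision_t authorize_print(auth_t auth, const account_t *a,
                           const printer_t *p, int pages) {
    if (auth == AUTH_NO_REPLY) return DENY_NO_AUTHENTICATOR; /* no INIT loaded */
    if (auth != AUTH_VERIFIED || a == NULL || a->user == NULL) return DENY_IDENTITY;
    if (p == NULL || !on_acl(p, a->user)) return DENY_PRINTER_ACL;
    if (pages <= 0 || p->cents_per_page < 0 || a->credit_limit_cents < 0)
        return DENY_BAD_REQUEST;
    long long cost = (long long)pages * p->cents_per_page;
    long long lowest = (a->prepay || p->prepay) ? 0 : -(long long)a->credit_limit_cents;
    if (cost > 0 && (long long)a->balance_cents - cost < lowest) return DENY_FUNDS;
    return PRINT_OK;
}
/* Constructed sample data. */
static const char *const color_acl[] = { "alice", NULL };
static const char *const dorm_acl[]  = { "alice", "bob", NULL };
static const printer_t color = { 1000, true,  color_acl }; /* $10 per page */
static const printer_t dorm  = { 5,    false, dorm_acl };
static const account_t alice = { "alice", 2500, 500, false };
static const account_t bob   = { "bob",   0,    500, false };
int main(void) {
    return authorize_print(AUTH_VERIFIED, &alice, &color, 2) == PRINT_OK ? 0 : 1;
}
```

A Mac that never answers the authentication request is refused in the same way as a wrong password, which is the "refuses printing in the absence of that special software" property.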



