Overview of the Cheshire/Crellin Macintosh Print Accounting Package

The Cheshire/Crellin Macintosh Print Accounting Package was designed as a low-cost solution to meet the needs of the Stanford University Residential Computing Program, and has also been widely installed throughout other Stanford University departments.

The Cheshire/Crellin Macintosh Print Accounting Package was developed in an environment of hundreds of printers accessible from thousands of insecure Macintosh computers both in public computer rooms and in student apartments networked with LocalTalk and/or Ethernet.

The security system therefore had to be:

1. Fool-Proof (Stanford has its share of novice computer users),
2. Fail-Safe (Stanford is well endowed with hackers) and
3. Versatile (to cope with the variety of hardware and software in use).

1. Fool-Proof

There is no log-in procedure as there is with most security systems, since these systems always suffer from the user who forgets to log out, and then after the account is abused, refuses to pay the printing bill.

Instead, the user is presented with an authentication dialog every time a document is printed. The previous username is remembered, so for repeated printing, only the password has to be re-entered.

For single-user Macs which are not in public use a 'login mode' is planned where the password is only entered for the first print job, and is reused for subsequent printing until the Mac is shut down. There has been no demand for this at Stanford, so it has not been implemented yet. It appears that users do not find that entering a password is as much of an inconvenience as we might think. This capability is priced as an optional addition to the package*.

2. Fail-Safe

Like all Macintosh print accounting accounting solutions, the Cheshire/Crellin package requires special software to be loaded onto the Macintosh Computers. Unlike most other systems, in the absence of that special software this system simply rejects any attempted print jobs.

This is essential because Macintosh computers are cheap, portable, and insecure. It is in general not possible to prevent users from modifying the System Folder, booting the Mac off their own floppy disk, or even attaching their own Macintosh PowerBook computer to the network in an attempt to obtain free printing. Even when they have complete control over the computer they are using and its System Software, it must still be impossible for users to bypass the authentication system.

3. Versatile

The system has to support different kinds of printers, with different charging rates, and has the facility to specify individually for each printer which users are authorized to use it. It also allows certain user accounts and/or certain printers to require pre-payment, while others can print first and pay later, up to some chosen credit limit. Some departments to do not charge at all, but simply use the system to restrict printer access to department members only.

Even when no charging is being done, wastage reduces dramatically. The simple fact that all printing is accountable makes people much more careful not to accidentally print program listings on the $1 per-page color printer.

The system is carefully designed not to interfere with the Macintosh printing process. The Stanford network has every kind of Macintosh computer, running many different versions of the Operating System, many different applications, and many subtly different variations of the Standard LaserWriter driver.

To minimize the possibility of incompatibility, no changes were made to the standard Macintosh printing mechanism. Instead, a completely separate piece of software -- the "Macintosh Authenticator" -- was written.

What's Wrong with Charge Cards?

Printing Charge Cards are an extremely popular solution and many companies are in business screwing card readers onto the side of laser printers, but this solution simply doesn't scale to anything larger than a single small computer room where the users can verbally agree with each other about whose turn it is to use the printer next.

Consider the following scenario:

Escondido Village, one of the Stanford graduate residences, has about 1800 residents and two computer rooms. About half of the residents have a home computer of some kind connected to the network. All the residents can print to the shared network printers in the computer rooms. Now, say ten students print documents from their own computers, and walk over to the computer room to collect them. What happens now? They all swipe their cards through the reader? Who gets charged for which printout? If you propose that the printer has a little LCD screen on it saying "Bill's printout is next, please swipe card", then what happens if Bill is not there yet? They all have to wait for him? More fundamentally, how does the printer know that it is Bill's print job? If the printer does know already that it is Bill's print job, then what are the cards for?

Conclusion: If you already have a secure reliable way of determining who is responsible for submitting the print job then you can just bill them directly and you don't need charge cards. If you don't know who submitted the print job then having charge cards doesn't solve the problem either.

Components of the Cheshire/Crellin Package

A secure printing system consists of three main components:

1. Authentication
2. Printing
3. Accounting

It is assumed that you have a working network printing service -- software to do this has been available for many years. What the Cheshire/Crellin Macintosh Print Accounting Package adds is the layers that go on either side -- the authentication to find out who is doing the printing before they do it, and the accounting to bill them after they have done so. Each of these layers is independent, and may be used separately.

If you do not wish to bill users individually for printing, but simply wish to limit printing to authorized users, then the accounting part of the package is not needed.

If you already have adequate accounting set up for your Unix users but currently have no way of including Macintosh users in that domain, then likewise our accounting software is not needed.

The components in detail:

• Macintosh Authenticator - This is an Extension (an 'INIT' in old parlance) for the Macintosh. It takes up roughly 24K of disk space and only 8K of System RAM when installed, making it a very small resource footprint compared to alternative print accounting schemes (like installing MachTen on all your computers). It works on all Macintosh Systems from System 6 to System 7.5.1 and has full balloon help.

  When contacted by a network service requiring authentication, such as printing, the Macintosh Authenticator prompts the user for a username and password to verify their identity. The network service can then determine whether access to the requested service is permitted. For example, at Stanford, certain color printers are restricted to authorized users only.

• Network Printing service, modified to request authorization from the Macintosh Authenticator before allowing printing.

  Stanford Residential Education uses the Columbia AppleTalk Package (CAP) LaserWriter server (lwsrv) with a call to the authentication library added at the point of connection establishment. The CAP lwsrv program runs on our NeXT computers, receives print jobs from (properly authenticated) Macintosh users, and prints them on the attached NeXTPrinter.

  The authentication at Stanford is performed using either the user's campus-wide AFS account password, or the standard Unix password file, depending on the preference of the department in question, but the authentication test could easily be made to use any password mechanism to determine whether or not the offered password is correct.

  It is possible to add the authentication call to any software package offering LaserWriter service on the AppleTalk network, providing of course that you have access to the source code in order to make the modification. It is therefore NOT possible to add security to an existing Apple LaserWriter, unless you have the capabilility to modify its ROMs. One popular alternative is to remove the Apple LaserWriter from the network entirely, and make it accessible only via a Unix machine running the CAP lwsrv, which then can be made secure. This also has the other advantage that it obviates the need for background printing on the Macs (ie PrintMonitor), since the Unix machine fulfills this role of rapidly spooling print jobs and then queueing them to be printed in turn.

• Accounting package - Either our print accounting package or an existing system may be used. The authenticating print service establishes the Macintosh user's identity via the Macintosh Authenticator, and from there on the accounting system tracks it exactly as if that user had logged in to the Unix machine and issued a normal print command (eg. "lpr filename").

  The Cheshire/Crellin accounting software is tailored for NeXT computers, but is applicable to any Unix system. Authenticated Macintosh printing is just one source of print jobs which are controlled by this system. Printing by Unix "lpr" command and printing from NeXT applications "Print" command also pass through this same accounting process.

  The authenticated LaserWriter printing service queries the accounting package to check the user's balance, so that the Macintosh user can be informed of the current balance, and notified if the printing is disallowed.

  If the user prints via "lpr" then refusal of printing is notified by e-mail. The user could also be notified by a message written to the user's tty in the manner of the Unix "write" command*.

  If the user prints from a NeXT application then refusal of printing could be notified by a NeXT alert window on the screen*.

  Example Sequence of Events

  How this all works is best illustrated by an example:

  When a user selects "Print" from the "File" menu, the application communicates with the LaserWriter driver, which communicates over the network to the LaserWriter service.

  A CAP lwsrv process handles the print request, first contacting the Macintosh Authenticator, which prompts the user for a username and password. If the user's identity is verified, the process sends the user's balance to the Macintosh Authenticator which displays it on the screen, and printing of the queued print job commences. If the user's identity is not verified, the user is prompted again until they enter a correct username and password, or elect to cancel the print job. Nothing is printed unless (1) the user's identity is verified, (2) the user is authorized to use the printer, and (3) the user has sufficient funds in their printing account, where "sufficient" is determined according to the specific rules for that user and that particular printer.

  Pricing

  Macintosh Authenticator

  Single Location: $1000

  Price includes Macintosh Authenticator Extension, source code showing how to invoke it from the print server, and one year's support.
  This license allows you to use the authentication software on a single print server, which may support as many Macintosh clients and physical printers as you wish.

  Site License: $2000

  Price includes Macintosh Authenticator Extension, source code showing how to invoke it from the print server, and one year's support.
  This license allows you to use the authentication software on any number of print servers at a single site, which may support as many Macintosh clients and physical printers as you wish.

  Site License with Macintosh source code: $10000

  Price includes Macintosh Authenticator Extension, complete source code with detailed comments, source code showing how to invoke it from the print server, and one year's support.
  This license gives you the greatest flexibility in terms of being able to modify and extend the software in-house, but it does not give you the right to sell derivative works. Terms for reselling the software would be subject to negotiation.

  We are also open to offers from companies producing Macintosh print servers (i.e. commercial equivalents of CAP's lwsrv) who might be interested in bundling this functionality with their products.

  Accounting Software

  Pricing for the Accounting Software would follow much the same structure as for the Authenticator Software in terms of price, license and support, but availability is constrained subject to the caveat below.

  Extensions and Improvements to the Software

  The Macintosh Authenticator is a framework with many possibilities, only some of which have been exploited at Stanford. It's basic function is to add authentication to existing Macintosh network services that are currently insecure -- printing being the most obvious example that comes to mind. We are open to suggestions for ways to extend and enhance the software. The basic price for custom modifications is $1000, subject to the amount of work involved. Examples of the kinds of additions that could be made are:

  • A 'login mode' that uses the same username and password for more than a single transaction, suitable for single-user Macs.
  • Direct Kerberos Authentication at the Macintosh instead of passing the username and password to the server for verification (requires a Kerberos driver on the Macintosh and a correctly configured Kerberos realm to be already in set up).
  • Authentication of other currently insecure Macintosh services.
  • Accounting notifications written to the user's tty console.
  • Accounting notifications by NeXT alert windows.

  Known Limitations

  1. Stanford does not use LaserWriter 8 because the CAP lwsrv program does not support it. Consequently we have no experience of running Macintosh Authenticator with LaserWriter 8. We have no reason to believe it shouldn't work, but if LaserWriter 8 support is important for you then you may wish to provide us with a copy of the LaserWriter 8 compatible print spooler that you use in order for us to thoroughly test out the Authenticator in that environment.

  2. Apple plans to introduce an entirely new operating system, codenamed Copland, in the summer of 1996. At present we know nothing of this new operating system except that Apple has stated that it will be a protected operation system and that INITs (Extensions) will not work with it. If this is true then it means that the Macintosh Authenticator will have to be updated to use whatever new mechanisms that Apple provides. At this stage we do not know what those mechanisms will be (and we're not sure whether Apple knows either). However, the success of the Macintosh today depends on all the current System Extensions that Macintosh users rely on for their day-to-day work. We strongly suspect that Apple will realize that if it is to stay in business it will have to support the existing software base, so this may not even be an issue for us.

  3. Macintosh Authenticator does not currently work with the print spooler that Apple supplies with its DOS compatible card. There is no technical reason that it should not, it is simply that the people who wrote that print spooler forgot that the Macintosh is supposed to be a cooperative multi-tasking environment. The print spooler sits, hogging the CPU, waiting for the printer to respond, and doesn't yield any CPU time to other processes on the Macintosh. The printer won't respond until it has got the correct information from the Macintosh Authenticator. The Macintosh Authenticator can't get the user information because the print spooler is hogging the CPU and won't let it run. They teach about this in Operating Systems classes. It is called deadlock. Macintosh Authenticator works with all other known Macintosh software (even Microsoft applications).

  4. Many people ask if our system works with PCs as well as Macs. The simple answer is "No." Writing it for PCs would be many times more work than writing it for the Mac. The Macintosh is essentially a very uniform computer system, and only one version of the authenticator had to be developed to support all Macintosh models and all current versions of the Mac Operating System. All Macintosh computers have networking and network printing built-in. To do the same for PCs would have meant doing versions for DOS, Windows, OS/2, and Windows NT. Then we'd have to support Novel Netware printing, Banyan Vines printing, IBM LAN Server printing, Microsoft LAN Manager printing, Unix-style lpr printing etc. Then we'd have to write an authenticator that worked over IPX, one that worked over Netbios, one that worked over IBM LLC, and one that worked on each of the different PC TCP/IP stacks. When people ask if our system works with PCs what they really mean is, "Does your system work with our particular PC setup?" They often don't appreciate that their setup is just one of the thousands of different ways PC networking can be set up, and we don't have the knowhow or the time to support them all. For these people, buying the source code license and modifying the authenticator to work in their PC environment may be the best answer.

  Caveat

  The authors of this print accounting package are both foreign citizens living in the United States. As of 11th July 1995, Stuart has employment authorization from the INS (United States Immigration and Naturalization Service) which means that he is now allowed to sell the Macintosh User Authentication software, but Neil Crellin is at Stanford on an F-1 student visa, and under US law it is currently illegal for him to engage in any business while in the US, paid or unpaid (except for certain very restricted forms of approved on-campus research or teaching work).

  This means that the Macintosh Authenticator is now available, but we do not expect to be able to legally sell the accounting software for some time.

  We apologise for any inconvenience, but it is completely out of our control. We don't get any say in this -- we don't get to vote -- so there's nothing we can do about it. Please believe that we find it just as inconvenient as you do.

  Contacts

  If you have further questions about the Macintosh Print Accounting Package, please contact either:
  Stuart Cheshire <cheshire@cs.stanford.edu> (author of the Macintosh Authenticator) or
  Neil Crellin <neilc@wallaby.stanford.edu> (author of the Accounting Software).

  Finally, please remember that we are both Ph.D. students working to complete our degrees. If the software we have written can be useful to you then we are pleased to do what we can to make that possible, but our first priority must remain concentrating on completing our degrees, which limits the amount of time we have to spend on sidelines like this. If there were other commercial alternatives available then we would be quite happy to bow out of the competition, but thus far our software remains unique, so we feel compelled to do what we can to make it available to other organizations that can benefit from it.

  We thank you for your consideration.

  ---

  cheshire@cs.stanford.edu