The Cheshire/Crellin
Macintosh Print Accounting Package

Disclaimer: The following description of the Macintosh Print Accounting Package used by Stanford Residential Computing was written by the authors, Stuart Cheshire and Neil Crellin. Any views or opinions expressed herein do not necessarily represent those of Stanford Residential Computing.

User Authentication Dialog Box

The Cheshire/Crellin Macintosh Print Accounting Package was designed as a low-cost solution to meet the needs of the Stanford University Residential Computing Program, and has also been widely installed throughout other Stanford University departments.

The Cheshire/Crellin Macintosh Print Accounting Package was developed in an environment of hundreds of printers accessible from thousands of insecure Macintosh computers both in public computer rooms and in students' own apartments networked with LocalTalk and/or Ethernet.

The security system therefore had to be:

  1. Fool-Proof (Stanford has its share of novice computer users),
  2. Fail-Safe (Stanford is well endowed with hackers) and
  3. Versatile (to cope with the variety of hardware and software in use).

1. Fool-Proof

There is no log-in procedure as there is with most security systems, since these systems always suffer from the user who forgets to log out, and then after the account is abused, refuses to pay the printing bill.

Instead, the user is presented with an authentication dialog every time a document is printed. The previous username is remembered, so for repeated printing, only the password has to be re-entered.

For single-user Macs which are not in public use a 'login mode' is planned where the password is only entered for the first print job, and is reused for subsequent printing until the Mac is shut down. There has been no demand for this at Stanford, so it has not been implemented yet. It appears that users do not find that entering a password is as much of an inconvenience as we might think. This capability is offered as an optional addition to the package*.

2. Fail-Safe

Like all Macintosh print accounting solutions, the Cheshire/Crellin package requires special software to be loaded onto the Macintosh computers. Unlike most other systems where removing the special software allows students to print for free, with our package removing the special software causes the print server to reject any attempted print jobs from that Mac.

This is essential because Macintosh computers are cheap, portable, and insecure. It is in general not possible to prevent users from modifying the System Folder, booting the Mac off their own floppy disk, or even attaching their own Macintosh PowerBook computer to the network in an attempt to obtain free printing. Even when they have complete control over the computer they are using and its System Software, it must still be impossible for users to bypass the authentication system.

3. Versatile

The system has to support different kinds of printers, with different charging rates, and has the facility to specify individually for each printer which users are authorized to use it. It also allows certain user accounts and/or certain printers to require pre-payment, while others can print first and pay later, up to some chosen credit limit. Some departments do not charge at all, but simply use the system to restrict printer access to department members only.

Even when no charging is being done, wastage reduces dramatically. The simple fact that all printing is accountable makes people much more careful not to accidentally print program listings on the $1 per-page color printer.

The system is carefully designed not to interfere with the Macintosh printing process. The Stanford network has every kind of Macintosh computer, running many different versions of the Operating System, many different applications, and many subtly different variations of Apple's "standard" LaserWriter driver.

To minimize the possibility of incompatibility, no changes were made to the standard Macintosh printing mechanism. Instead, a completely separate piece of software -- the "Macintosh Authenticator" -- was written.

What's Wrong with Charge Cards?

Printing Charge Cards are an extremely popular solution and many companies are in business screwing card readers onto the side of laser printers, but this solution simply doesn't scale to anything larger than a single small computer room where the users can verbally agree with each other about whose turn it is to use the printer next.

Consider the following scenario:

Escondido Village, one of the Stanford graduate residences, has about 1800 residents and two computer rooms. About half of the residents have a home computer of some kind connected to the network. All the residents can print to the shared network printers in the computer rooms. Now, say ten students print documents from their own computers, and walk over to the computer room to collect them. What happens now? They all swipe their cards through the reader? Who gets charged for which printout? If you propose that the printer has a little LCD screen on it saying "Bill's printout is next, please swipe card", then what happens if Bill is not there yet? They all have to wait for him? More fundamentally, how does the printer know that it is Bill's print job? If the printer does know already that it is Bill's print job, then what are the cards for?

Conclusion: If you already have a secure reliable way of determining who is responsible for submitting the print job then you can just bill them directly and you don't need charge cards. If you don't know who submitted the print job then having charge cards doesn't solve the problem either.

Components of the Cheshire/Crellin Package

A secure printing system consists of three main components:

  1. Authentication
  2. Printing
  3. Accounting

It is assumed that you have a working network printing service -- software to do this has been available for many years. What the Cheshire/Crellin Macintosh Print Accounting Package adds is the layers that go on either side -- the authentication to find out who is doing the printing before they do it, and the accounting to bill them after they have done so. Each of these layers is independent, and may be used separately.

If you do not wish to bill users individually for printing, but simply wish to limit printing to authorized users, then the accounting part of the package is not needed.

Likewise, if you already have adequate accounting set up for your Unix users but currently have no way of including Macintosh users in that domain, then our accounting software is not needed. One example of a very good system that uses the Macintosh Authenticator with a different accounting back end is SAPS developed by Steve Andrewartha at the University of Tasmania.

Our components in detail:

Example Sequence of Events

How this all works is best illustrated by an example:

When a user selects "Print" from the "File" menu, the application communicates with the LaserWriter driver, which communicates over the network to the LaserWriter service.

A CAP lwsrv process handles the print request, first contacting the Macintosh Authenticator, which prompts the user for a username and password. If the user's identity is verified, the process sends the user's balance to the Macintosh Authenticator which displays it on the screen, and printing of the queued print job commences. If the user's identity is not verified, the user is prompted again until they enter a correct username and password, or elect to cancel the print job. Nothing is printed unless (1) the user's identity is verified, (2) the user is authorized to use the printer, and (3) the user has sufficient funds in their printing account, where "sufficient" is determined according to the specific rules for that user and that particular printer.
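The three conditions above, together with the fail-safe rule that a Mac without the Authenticator gets nothing printed, can be written as a single server-side admission check. The following is an added example, not code from the package: the names, reason strings, PBKDF2 password check and estimated page count are all assumptions made for illustration.

```python
import hashlib, hmac, os
from dataclasses import dataclass

@dataclass(frozen=True)
class Printer:
    cents_per_page: int
    allowed_users: frozenset
    prepay_required: bool = False

@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    balance_cents: int            # negative means the user owes money
    credit_limit_cents: int = 0
    prepay_required: bool = False

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_account(password, balance, credit=0, prepay=False):
    salt = os.urandom(16)
    return Account(salt, _hash(password, salt), balance, credit, prepay)

def admit_job(reply, accounts, printer, est_pages):
    """Return (admitted, reason). `reply` is the (user, password) pair sent by
    the client's Authenticator, or None if the client never answered.
    `est_pages` is an assumed up-front page estimate (hypothetical)."""
    if reply is None:                      # fail-safe: no Authenticator, no printing
        return False, "no-authenticator"
    user, password = reply
    acct = accounts.get(user)
    # Hash for unknown users too, so response time does not reveal valid names.
    salt, want = (acct.salt, acct.pw_hash) if acct else (b"\0" * 16, b"\0" * 32)
    if not hmac.compare_digest(_hash(password, salt), want) or acct is None:
        return False, "bad-credentials"    # (1) client re-prompts or cancels
    if user not in printer.allowed_users:  # (2) per-printer authorization
        return False, "not-authorized"
    cost = est_pages * printer.cents_per_page
    # (3) Pre-payment on the account or the printer removes the credit line.
    prepay = acct.prepay_required or printer.prepay_required
    floor = 0 if prepay else -acct.credit_limit_cents
    if acct.balance_cents - cost < floor:
        return False, "insufficient-funds"
    return True, "ok"

# Constructed sample data: two accounts, a $1-per-page color printer, a mono printer.
ACCOUNTS = {"bill": make_account("pw-bill", 250, credit=500),
            "ann": make_account("pw-ann", 250, prepay=True)}
COLOR = Printer(100, frozenset({"bill", "ann"}))
MONO = Printer(5, frozenset({"bill"}))
```

Every failure path returns a refusal, so a client that omits the Authenticator, or a lookup that finds no account, ends with no job admitted rather than a free one.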


Macintosh Authenticator

Single Location: $1000
Price includes Macintosh Authenticator Extension, source code showing how to invoke it from the print server, and one year's support.
This license allows you to use the authentication software on a single print server, which may support as many Macintosh clients and physical printers as you wish.

Site License: $2000
Price includes Macintosh Authenticator Extension, source code showing how to invoke it from the print server, and one year's support.
This license allows you to use the authentication software on any number of print servers at a single site, which may support as many Macintosh clients and physical printers as you wish.

Site License with Macintosh source code: $10000
Price includes Macintosh Authenticator Extension, complete source code with detailed comments, source code showing how to invoke it from the print server, and one year's support.
This license gives you the greatest flexibility in terms of being able to modify and extend the software in-house, but it does not give you the right to sell derivative works. Terms for reselling the software would be subject to negotiation.

The Macintosh Authenticator is available for evaluation on a 30-day trial basis at no charge. In order to evaluate how well the Macintosh Authenticator meets your needs you may install it on your system and use it for up to thirty days after the date the software is sent to you, at no obligation. After that date, you should stop using the software and delete it, or purchase it. If you wish to obtain an evaluation copy under these terms, please contact Stuart Cheshire.

There are no "educational discounts". So far all of our customers have been educational institutions, so offering a discount would be effectively the same as just reducing our prices, which we consider to be low already. We could double all the prices above and then offer a 50% educational discount, but such subterfuge would be unnecessarily complicated.

We are also open to offers from companies producing Macintosh print servers (i.e. commercial equivalents of CAP's lwsrv) who might be interested in bundling this functionality with their products.

Accounting Software

Complete source code: $10000
This price includes complete Unix source code for accounting software that accounts for "lpr" (and hence lwsrv) originated print jobs on a Unix system, and one year's support.
This license gives you flexibility in terms of being able to modify and extend the software in-house, but it does not give you the right to sell derivative works. Terms for reselling the software would be subject to negotiation.

Accounting tends to be very site-specific. Each site has its own type of user list and user policies. Some sites use Kerberos for their user-lists, some sites use Unix password files, and some sites operate using some other, completely different kind of list of users. Some sites require users to pay in advance for printing, and some sites allow users to print in arrears and bill them monthly. Some sites require students to pay in advance but allow faculty to operate on a monthly billing schedule. Because of these kinds of widely varying requirements, different sites will always have different local customization needs. Please contact Neil Crellin if you would like further information regarding the accounting software.

Extensions and Improvements to the Software

The Macintosh Authenticator is a framework with many possibilities, only some of which have been exploited at Stanford. Its basic function is to add authentication to existing Macintosh network services that are currently insecure -- printing being the most obvious example that comes to mind. We are open to suggestions for ways to extend and enhance the software. The basic price for custom modifications is $1000, subject to the amount of work involved. Examples of the kinds of additions that could be made are:

Macintosh Authenticator

Accounting System

Known Limitations

  1. Macintosh Authenticator does not currently work with the print spooler that Apple supplies with its DOS compatible card. There is no technical reason that it should not, it is simply that the people who wrote that print spooler forgot that the Macintosh is supposed to be a cooperative multi-tasking environment. The print spooler sits, hogging the CPU, waiting for the printer to respond, and doesn't yield any CPU time to other processes on the Macintosh. The printer won't respond until it has got the correct information from the Macintosh Authenticator. The Macintosh Authenticator can't get the user information because the print spooler is hogging the CPU and won't let it run. They teach about this in Operating Systems classes. It is called deadlock. Macintosh Authenticator works with all other known Macintosh software (even Microsoft applications). We have been told unofficially that Apple plans to fix this bug.

  2. Many people ask if our system works with PCs as well as Macs. The simple answer is "No." Writing it for PCs would be many times more work than writing it for the Mac. The Macintosh is essentially a very uniform computer system, and only one version of the Authenticator had to be developed to support all Macintosh models and all versions of the Mac Operating System. All Macintosh computers have networking, network printing and a graphical user interface built-in. To provide the same breadth of service for PCs would have meant doing versions for DOS, Windows, OS/2, Windows NT and Windows 95. Then we'd have to support Novell NetWare printing, Banyan Vines printing, IBM LAN Server printing, Microsoft LAN Manager printing, Unix-style lpr printing etc. Then we'd have to write an Authenticator that worked over IPX, one that worked over NetBIOS, one that worked over IBM LLC, and one that worked on each of the different PC TCP/IP stacks. When people ask if our system works with PCs what they really mean is, "Does your system work with our particular PC setup?" They often don't appreciate that their setup is just one of the thousands of different ways PC networking can be set up, and we don't have the know-how or the time to support them all. For these people, buying the source code license and modifying the Authenticator to work in their particular PC environment may be the best answer.


We are aware of one alternative system called Jake that is in use at Columbia University. At Columbia students are not charged money for printing unless they exceed 100 pages per week. Columbia's problem was not identifying users, but having lots of wastage -- pages that were printed but never collected. In the Jake system, all print jobs go first into a shared "holding area". No paper is printed until you physically show up at the printer in question, select your print job from the list of jobs in the shared holding area, and enter your username and password. This eliminated the problem of unclaimed printouts, with only the slight disadvantage of a small loss in confidentiality -- any user can see the titles of (and/or print) all the jobs waiting in the queue. However, if the pages were printed directly to the printer as in our system, there is nothing to stop someone hunting through the pile of printouts looking for interesting documents, so having the titles presented in a list on the screen probably doesn't make a great difference in real terms.


If you have further questions about the Macintosh Print Accounting Package, please contact either:
Stuart Cheshire (author of the Macintosh Authenticator) or
Neil Crellin (author of the Accounting Software).

Please note that since completing our PhDs and graduating from Stanford, we both have less time to devote to this. This page is maintained mostly as a historical record. However the Macintosh Authenticator software continues to work without any problems, even on Mac OS 9, so if you have a need for this kind of software we may still be able to help you. Stuart now works for Apple, and Neil works for Cadabra. Guessing our new email addresses is left as an exercise for the reader :-)