The Cheshire/Crellin
Macintosh Print Accounting Package

User Authentication Dialog Box

The Cheshire/Crellin Macintosh Print Accounting Package was designed as a low-cost solution to meet the needs of the Stanford University Residential Computing Program, and has also been widely installed throughout other Stanford University departments.

The Cheshire/Crellin Macintosh Print Accounting Package was developed in an environment of hundreds of printers accessible from thousands of insecure Macintosh computers both in public computer rooms and in students' own apartments networked with LocalTalk and/or Ethernet.

The security system therefore had to be:

1. Fool-Proof (Stanford has its share of novice computer users),
2. Fail-Safe (Stanford is well endowed with hackers) and
3. Versatile (to cope with the variety of hardware and software in use).

1. Fool-Proof

There is no log-in procedure as there is with most security systems, since these systems always suffer from the user who forgets to log out, and then after the account is abused, refuses to pay the printing bill.

Instead, the user is presented with an authentication dialog every time a document is printed. The previous username is remembered, so for repeated printing, only the password has to be re-entered.

For single-user Macs which are not in public use a 'login mode' is planned where the password is only entered for the first print job, and is reused for subsequent printing until the Mac is shut down. There has been no demand for this at Stanford, so it has not been implemented yet. It appears that users do not find that entering a password is as much of an inconvenience as we might think. This capability is offered as an optional addition to the package*.

2. Fail-Safe

Like all Macintosh print accounting accounting solutions, the Cheshire/Crellin package requires special software to be loaded onto the Macintosh Computers. Unlike most other systems where removing the special software allows students to print for free, with our package removing the special software causes the print server to reject any attempted print jobs from that Mac.

This is essential because Macintosh computers are cheap, portable, and insecure. It is in general not possible to prevent users from modifying the System Folder, booting the Mac off their own floppy disk, or even attaching their own Macintosh PowerBook computer to the network in an attempt to obtain free printing. Even when they have complete control over the computer they are using and its System Software, it must still be impossible for users to bypass the authentication system.

3. Versatile

The system has to support different kinds of printers, with different charging rates, and has the facility to specify individually for each printer which users are authorized to use it. It also allows certain user accounts and/or certain printers to require pre-payment, while others can print first and pay later, up to some chosen credit limit. Some departments to do not charge at all, but simply use the system to restrict printer access to department members only.

Even when no charging is being done, wastage reduces dramatically. The simple fact that all printing is accountable makes people much more careful not to accidentally print program listings on the $1 per-page color printer.

The system is carefully designed not to interfere with the Macintosh printing process. The Stanford network has every kind of Macintosh computer, running many different versions of the Operating System, many different applications, and many subtly different variations of Apple's "standard" LaserWriter driver.

To minimize the possibility of incompatibility, no changes were made to the standard Macintosh printing mechanism. Instead, a completely separate piece of software -- the "Macintosh Authenticator" -- was written.

What's Wrong with Charge Cards?

Printing Charge Cards are an extremely popular solution and many companies are in business screwing card readers onto the side of laser printers, but this solution simply doesn't scale to anything larger than a single small computer room where the users can verbally agree with each other about whose turn it is to use the printer next.

Consider the following scenario:

Escondido Village, one of the Stanford graduate residences, has about 1800 residents and two computer rooms. About half of the residents have a home computer of some kind connected to the network. All the residents can print to the shared network printers in the computer rooms. Now, say ten students print documents from their own computers, and walk over to the computer room to collect them. What happens now? They all swipe their cards through the reader? Who gets charged for which printout? If you propose that the printer has a little LCD screen on it saying "Bill's printout is next, please swipe card", then what happens if Bill is not there yet? They all have to wait for him? More fundamentally, how does the printer know that it is Bill's print job? If the printer does know already that it is Bill's print job, then what are the cards for?

Conclusion: If you already have a secure reliable way of determining who is responsible for submitting the print job then you can just bill them directly and you don't need charge cards. If you don't know who submitted the print job then having charge cards doesn't solve the problem either.

Components of the Cheshire/Crellin Package

A secure printing system consists of three main components:

1. Authentication
2. Printing
3. Accounting

It is assumed that you have a working network printing service -- software to do this has been available for many years. What the Cheshire/Crellin Macintosh Print Accounting Package adds is the layers that go on either side -- the authentication to find out who is doing the printing before they do it, and the accounting to bill them after they have done so. Each of these layers is independent, and may be used separately.

If you do not wish to bill users individually for printing, but simply wish to limit printing to authorized users, then the accounting part of the package is not needed.

Likewise, if you already have adequate accounting set up for your Unix users but currently have no way of including Macintosh users in that domain, then our accounting software is not needed. One example of a very good system that uses the Macintosh Authenticator with a different accounting back end is SAPS developed by Steve Andrewartha at the University of Tasmania.

Our components in detail:

• Macintosh Authenticator - This is an Extension (an 'INIT' in old parlance) for the Macintosh. It takes up roughly 24K of disk space and only 8K of System RAM when installed, making it a very small resource footprint compared to alternative print accounting schemes (like installing MachTen on all your computers). It works on all Macintosh Systems from System 6 to System 7.5.x and has full balloon help.

  When contacted by a network service requiring authentication, such as printing, the Macintosh Authenticator prompts the user for a username and password to verify their identity. The network service can then determine whether access to the requested service is permitted. For example, at Stanford, certain color printers are restricted to authorized users only.

• Network Printing service, modified to request authorization from the Macintosh Authenticator before allowing printing.

  Stanford Residential Education uses the Columbia AppleTalk Package LaserWriter server (CAP lwsrv) with a call to the authentication library added at the point of connection establishment. The CAP lwsrv program runs on our NeXT computers, receives print jobs from (properly authenticated) Macintosh users, and prints them on the attached NeXTPrinter.

  The authentication at Stanford is performed using either the user's campus-wide AFS account password, or the standard Unix password file, depending on the preference of the department in question, but the authentication test could easily be made to use any password mechanism to determine whether or not the offered password is correct.

  It is possible to add the authentication call to any software package offering LaserWriter service on the AppleTalk network, providing of course that you have access to the source code in order to make the modification. It is therefore NOT possible to add security to an existing Apple LaserWriter, unless you have the capabilility to modify its ROMs. One popular alternative is to remove the Apple LaserWriter from the network entirely, and make it accessible only via a Unix machine running the CAP lwsrv, which then can be made secure. This also has the other advantage that it obviates the need for background printing on the Macs (ie PrintMonitor), since the Unix machine fulfills this role of rapidly spooling print jobs and then queueing them to be printed in turn.

• Accounting package - Either our print accounting package or an existing system may be used. The authenticating print service establishes the Macintosh user's identity via the Macintosh Authenticator, and from there on the accounting system tracks it exactly as if that user had logged in to the Unix machine and issued a normal print command (eg. "lpr filename").

  The Cheshire/Crellin accounting software is tailored for NeXT computers, but it has been ported to SunOS and could easily be used on most Unix systems. Authenticated Macintosh printing is just one source of print jobs which are controlled by this system. Printing by Unix "lpr" command and printing from NeXT applications "Print" command also pass through this same accounting process.

  The authenticated LaserWriter printing service queries the accounting package to check the user's balance, so that the Macintosh user can be informed of the current balance, and notified if the printing is disallowed.

  If the user prints via "lpr" then refusal of printing is notified by e-mail. The user could also be notified by a message written to the user's tty in the manner of the Unix "write" command*.

  If the user prints from a NeXT application then refusal of printing could be notified by a NeXT alert window on the screen*.

Example Sequence of Events

How this all works is best illustrated by an example:

When a user selects "Print" from the "File" menu, the application communicates with the LaserWriter driver, which communicates over the network to the LaserWriter service.

A CAP lwsrv process handles the print request, first contacting the Macintosh Authenticator, which prompts the user for a username and password. If the user's identity is verified, the process sends the user's balance to the Macintosh Authenticator which displays it on the screen, and printing of the queued print job commences. If the user's identity is not verified, the user is prompted again until they enter a correct username and password, or elect to cancel the print job. Nothing is printed unless (1) the user's identity is verified, (2) the user is authorized to use the printer, and (3) the user has sufficient funds in their printing account, where "sufficient" is determined according to the specific rules for that user and that particular printer.

Pricing

Macintosh Authenticator

Single Location: $1000

Price includes Macintosh Authenticator Extension, source code showing how to invoke it from the print server, and one year's support.
This license allows you to use the authentication software on a single print server, which may support as many Macintosh clients and physical printers as you wish.

Site License: $2000

Price includes Macintosh Authenticator Extension, source code showing how to invoke it from the print server, and one year's support.
This license allows you to use the authentication software on any number of print servers at a single site, which may support as many Macintosh clients and physical printers as you wish.

Site License with Macintosh source code: $10000

Price includes Macintosh Authenticator Extension, complete source code with detailed comments, source code showing how to invoke it from the print server, and one year's support.
This license gives you the greatest flexibility in terms of being able to modify and extend the software in-house, but it does not give you the right to sell derivative works. Terms for reselling the software would be subject to negotiation.

The Macintosh Authenticator is available for evaluation on a 30-day trial basis at no charge. In order to evaluate how well the Macintosh Authenticator meets your needs you may install it on your system and use it for up to thirty days after the date the software is sent to you, at no obligation. After that date, you should stop using the software and delete it, or purchase it. If you wish to obtain an evaluation copy under these terms, please contact Stuart Cheshire.

There are no "educational discounts". So far all of our customers have been educational institutions, so offering a discount would be effectively the same as just reducing our prices, which we consider to be low already. We could double all the prices above and then offer a 50% educational discount, but such subterfuge would be unneccessarily complicated.

We are also open to offers from companies producing Macintosh print servers (i.e. commercial equivalents of CAP's lwsrv) who might be interested in bundling this functionality with their products.

Accounting Software

Complete source code: $10000

This price includes complete Unix source code for accounting software that accounts for "lpr" (and hence lwsrv) originated print jobs on a Unix system, and one year's support.
This license gives you flexibility in terms of being able to modify and extend the software in-house, but it does not give you the right to sell derivative works. Terms for reselling the software would be subject to negotiation.

Accounting tends to be very site-specific. Each site has its own type of user list and user policies. Some sites use Kerberos for their user-lists, some sites use Unix password files, and some sites operate using some other, completely different kind of list of users. Some sites require users to pay in advance for printing, and some sites allow users to print in arrears and bill them monthly. Some sites require students to pay in advance but allow faculty to operate on a monthly billing schedule. Because of these kinds of widely varying requirements, different sites will always have different local customization needs. Please contact Neil Crellin if you would like further information regarding the accounting software.

Extensions and Improvements to the Software

The Macintosh Authenticator is a framework with many possibilities, only some of which have been exploited at Stanford. It's basic function is to add authentication to existing Macintosh network services that are currently insecure -- printing being the most obvious example that comes to mind. We are open to suggestions for ways to extend and enhance the software. The basic price for custom modifications is $1000, subject to the amount of work involved. Examples of the kinds of additions that could be made are:

Macintosh Authenticator

• A 'login mode' that uses the same username and password for more than a single transaction, suitable for single-user Macs.
• Direct Kerberos Authentication at the Macintosh instead of passing the username and password to the server for verification (requires a Kerberos driver on the Macintosh and a correctly configured Kerberos realm to be already in set up).
• Authentication of other currently insecure Macintosh services. One example of a 'printer-like' service that could benefit from user authentication is network fax modem service. It is convenient for users to be able to 'print' to the fax modem across the network, but someone has to be responsible for paying the telephone bill. The Macintosh Authenticator could help solve this problem.

Accounting System

• Accounting notifications written to the user's tty console when users are printing on a Unix host.
• Accounting notifications by NeXT alert windows when users are printing on a NeXT host.

Known Limitations

1. Macintosh Authenticator does not currently work with the print spooler that Apple supplies with its DOS compatible card. There is no technical reason that it should not, it is simply that the people who wrote that print spooler forgot that the Macintosh is supposed to be a cooperative multi-tasking environment. The print spooler sits, hogging the CPU, waiting for the printer to respond, and doesn't yield any CPU time to other processes on the Macintosh. The printer won't respond until it has got the correct information from the Macintosh Authenticator. The Macintosh Authenticator can't get the user information because the print spooler is hogging the CPU and won't let it run. They teach about this in Operating Systems classes. It is called deadlock. Macintosh Authenticator works with all other known Macintosh software (even Microsoft applications). We have been told unofficially that Apple plans to fix this bug.

2. Many people ask if our system works with PCs as well as Macs. The simple answer is "No." Writing it for PCs would be many times more work than writing it for the Mac. The Macintosh is essentially a very uniform computer system, and only one version of the Authenticator had to be developed to support all Macintosh models and all versions of the Mac Operating System. All Macintosh computers have networking, network printing and a graphical user interface built-in. To provide the same breadth of service for PCs would have meant doing versions for DOS, Windows, OS/2, Windows NT and Windows 95. Then we'd have to support Novel Netware printing, Banyan Vines printing, IBM LAN Server printing, Microsoft LAN Manager printing, Unix-style lpr printing etc. Then we'd have to write an Authenticator that worked over IPX, one that worked over Netbios, one that worked over IBM LLC, and one that worked on each of the different PC TCP/IP stacks. When people ask if our system works with PCs what they really mean is, "Does your system work with our particular PC setup?" They often don't appreciate that their setup is just one of the thousands of different ways PC networking can be set up, and we don't have the knowhow or the time to support them all. For these people, buying the source code license and modifying the Authenticator to work in their particular PC environment may be the best answer.

Alternatives

We are aware of one alternative system called Jake that is in use at Columbia University. At Columbia students are not charged money for printing unless they exceed 100 pages per week. Columbia's problem was not identifying users, but having lots of wastage -- pages that were printed but never collected. In the Jake system, all print jobs go first into a shared "holding area". No paper is printed until you physically show up at the printer in question, select your print job from the list of jobs in the shared holding area, and enter your username and password. This eliminated the problem of unclaimed printouts, with only the slight disadvantage of a small loss in confidentiality -- any user can see the titles of (and/or print) all the jobs waiting in the queue. However if the pages were printed directly to the printer as in our system, there is nothing to someone hunting through the pile of printout looking for interesting documents, so having the titles presented in a list on the screen probably doesn't make a great difference in real terms.

Contacts

Please note that since completing our PhDs and graduating from Stanford, we both have less time to devote to this. This page is maintained mostly as a historical record. However the Macintosh Authenticator software continues to work without any problems, even on Mac OS 9, so if you have a need for this kind of software we may still be able to help you. Stuart now works for Apple, and Neil works for Cadabra. Guessing our new email addresses is left as an exercise for the reader :-)