User Authentication Dialog Box
The Cheshire/Crellin Macintosh Print Accounting Package was designed as a low-cost solution to meet the needs of the Stanford University Residential Computing Program, and has also been widely installed throughout other Stanford University departments.
The Cheshire/Crellin Macintosh Print Accounting Package was developed in an environment of hundreds of printers accessible from thousands of insecure Macintosh computers both in public computer rooms and in students' own apartments networked with LocalTalk and/or Ethernet.
The security system therefore had to be:
There is no log-in procedure as there is with most security systems, since these systems always suffer from the user who forgets to log out, and then after the account is abused, refuses to pay the printing bill.
Instead, the user is presented with an authentication dialog every time a document is printed. The previous username is remembered, so for repeated printing, only the password has to be re-entered.
For single-user Macs which are not in public use a 'login mode' is planned where the password is only entered for the first print job, and is reused for subsequent printing until the Mac is shut down. There has been no demand for this at Stanford, so it has not been implemented yet. It appears that users do not find that entering a password is as much of an inconvenience as we might think. This capability is offered as an optional addition to the package*.
Like all Macintosh print accounting solutions, the Cheshire/Crellin package requires special software to be loaded onto the Macintosh computers. Unlike most other systems, where removing the special software allows students to print for free, with our package removing the special software causes the print server to reject any attempted print jobs from that Mac.
This is essential because Macintosh computers are cheap, portable, and insecure. It is in general not possible to prevent users from modifying the System Folder, booting the Mac off their own floppy disk, or even attaching their own Macintosh PowerBook computer to the network in an attempt to obtain free printing. Even when they have complete control over the computer they are using and its System Software, it must still be impossible for users to bypass the authentication system.
The system has to support different kinds of printers, with different charging rates, and has the facility to specify individually for each printer which users are authorized to use it. It also allows certain user accounts and/or certain printers to require pre-payment, while others can print first and pay later, up to some chosen credit limit. Some departments do not charge at all, but simply use the system to restrict printer access to department members only.
Even when no charging is being done, wastage reduces dramatically. The simple fact that all printing is accountable makes people much more careful not to accidentally print program listings on the $1 per-page color printer.
The system is carefully designed not to interfere with the Macintosh printing process. The Stanford network has every kind of Macintosh computer, running many different versions of the Operating System, many different applications, and many subtly different variations of Apple's "standard" LaserWriter driver.
To minimize the possibility of incompatibility, no changes were made to the standard Macintosh printing mechanism. Instead, a completely separate piece of software -- the "Macintosh Authenticator" -- was written.
Printing Charge Cards are an extremely popular solution and many companies are in business screwing card readers onto the side of laser printers, but this solution simply doesn't scale to anything larger than a single small computer room where the users can verbally agree with each other about whose turn it is to use the printer next.
Consider the following scenario:
Escondido Village, one of the Stanford graduate residences, has about 1800 residents and two computer rooms. About half of the residents have a home computer of some kind connected to the network. All the residents can print to the shared network printers in the computer rooms. Now, say ten students print documents from their own computers, and walk over to the computer room to collect them. What happens now? They all swipe their cards through the reader? Who gets charged for which printout? If you propose that the printer has a little LCD screen on it saying "Bill's printout is next, please swipe card", then what happens if Bill is not there yet? They all have to wait for him? More fundamentally, how does the printer know that it is Bill's print job? If the printer does know already that it is Bill's print job, then what are the cards for?
Conclusion: If you already have a secure reliable way of determining who is responsible for submitting the print job then you can just bill them directly and you don't need charge cards. If you don't know who submitted the print job then having charge cards doesn't solve the problem either.
A secure printing system consists of three main components:
It is assumed that you have a working network printing service -- software to do this has been available for many years. What the Cheshire/Crellin Macintosh Print Accounting Package adds is the layers that go on either side -- the authentication to find out who is doing the printing before they do it, and the accounting to bill them after they have done so. Each of these layers is independent, and may be used separately.
If you do not wish to bill users individually for printing, but simply wish to limit printing to authorized users, then the accounting part of the package is not needed.
Likewise, if you already have adequate accounting set up for your Unix users but currently have no way of including Macintosh users in that domain, then our accounting software is not needed. One example of a very good system that uses the Macintosh Authenticator with a different accounting back end is SAPS developed by Steve Andrewartha at the University of Tasmania.
When contacted by a network service requiring authentication, such as printing, the Macintosh Authenticator prompts the user for a username and password to verify their identity. The network service can then determine whether access to the requested service is permitted. For example, at Stanford, certain color printers are restricted to authorized users only.
Stanford Residential Education uses the Columbia AppleTalk Package LaserWriter server (CAP lwsrv) with a call to the authentication library added at the point of connection establishment. The CAP lwsrv program runs on our NeXT computers, receives print jobs from (properly authenticated) Macintosh users, and prints them on the attached NeXTPrinter.
The authentication at Stanford is performed using either the user's campus-wide AFS account password, or the standard Unix password file, depending on the preference of the department in question, but the authentication test could easily be made to use any password mechanism to determine whether or not the offered password is correct.
It is possible to add the authentication call to any software package offering LaserWriter service on the AppleTalk network, providing of course that you have access to the source code in order to make the modification. It is therefore NOT possible to add security to an existing Apple LaserWriter, unless you have the capability to modify its ROMs. One popular alternative is to remove the Apple LaserWriter from the network entirely, and make it accessible only via a Unix machine running the CAP lwsrv, which then can be made secure. This also has the other advantage that it obviates the need for background printing on the Macs (i.e. PrintMonitor), since the Unix machine fulfills this role of rapidly spooling print jobs and then queueing them to be printed in turn.
The Cheshire/Crellin accounting software is tailored for NeXT computers, but it has been ported to SunOS and could easily be used on most Unix systems. Authenticated Macintosh printing is just one source of print jobs which are controlled by this system. Printing by Unix "lpr" command and printing from NeXT applications "Print" command also pass through this same accounting process.
The authenticated LaserWriter printing service queries the accounting package to check the user's balance, so that the Macintosh user can be informed of the current balance, and notified if the printing is disallowed.
If the user prints via "lpr" then refusal of printing is notified by e-mail. The user could also be notified by a message written to the user's tty in the manner of the Unix "write" command*.
If the user prints from a NeXT application then refusal of printing could be notified by a NeXT alert window on the screen*.
How this all works is best illustrated by an example:
When a user selects "Print" from the "File" menu, the application communicates with the LaserWriter driver, which communicates over the network to the LaserWriter service.
A CAP lwsrv process handles the print request, first contacting the Macintosh Authenticator, which prompts the user for a username and password. If the user's identity is verified, the process sends the user's balance to the Macintosh Authenticator which displays it on the screen, and printing of the queued print job commences. If the user's identity is not verified, the user is prompted again until they enter a correct username and password, or elect to cancel the print job. Nothing is printed unless (1) the user's identity is verified, (2) the user is authorized to use the printer, and (3) the user has sufficient funds in their printing account, where "sufficient" is determined according to the specific rules for that user and that particular printer.
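The admission decision described above, written out as an added example in C (not code from the Cheshire/Crellin package or CAP lwsrv). All type and function names, the sample accounts, and the exact funds rule (balance above zero on a prepay printer, otherwise above the negative credit limit) are assumptions.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Added example; every name and sample value below is hypothetical. */
typedef enum { PRINT_OK, NO_AUTHENTICATOR, BAD_CREDENTIALS,
               NOT_AUTHORIZED, INSUFFICIENT_FUNDS } verdict_t;
typedef struct { bool responded; const char *user, *password; } auth_reply_t;
typedef struct { const char *name; long balance_cents, credit_limit_cents; } account_t;
typedef struct { bool prepay_only; const char *const *allowed; } printer_t;
/* The site's password test (AFS, Unix password file, ...) is plugged in here. */
typedef bool (*verify_fn)(const char *user, const char *password);

static bool on_acl(const printer_t *p, const char *user) {
    if (!p->allowed) return true;              /* NULL list: open to all users */
    for (int i = 0; p->allowed[i]; i++)
        if (strcmp(p->allowed[i], user) == 0) return true;
    return false;
}

verdict_t admit_job(const auth_reply_t *r, const account_t *a,
                    const printer_t *p, verify_fn verify) {
    /* Fail closed: a Mac with no Authenticator is rejected, never printed free. */
    if (!r->responded || !r->user || !r->password) return NO_AUTHENTICATOR;
    if (!verify(r->user, r->password) || strcmp(a->name, r->user) != 0)
        return BAD_CREDENTIALS;
    if (!on_acl(p, r->user)) return NOT_AUTHORIZED;
    /* Prepay printer: balance must be positive. Otherwise the user may owe
       money, but less than the credit limit (limit 0 = prepay account). */
    long min_balance = p->prepay_only ? 0 : -a->credit_limit_cents;
    return a->balance_cents > min_balance ? PRINT_OK : INSUFFICIENT_FUNDS;
}

/* Constructed stand-in for the site's password check, plus sample data. */
static bool demo_verify(const char *u, const char *pw) {
    return strcmp(u, "bill") == 0 && strcmp(pw, "constructed-pw") == 0;
}
static const char *const color_acl[] = { "alice", NULL };
static const account_t bill = { "bill", -250, 1000 };  /* owes $2.50, limit $10 */
static const printer_t mono = { false, NULL }, color = { false, color_acl }, prepaid = { true, NULL };
static const auth_reply_t ok = { true, "bill", "constructed-pw" }, wrong = { true, "bill", "guess" }, none = { false, NULL, NULL };

int main(void) {
    printf("%d %d %d %d %d\n", admit_job(&ok, &bill, &mono, demo_verify),
           admit_job(&none, &bill, &mono, demo_verify), admit_job(&wrong, &bill, &mono, demo_verify),
           admit_job(&ok, &bill, &color, demo_verify), admit_job(&ok, &bill, &prepaid, demo_verify));
    return 0;
}
```

The checks run in a fixed order, so a missing Authenticator or a bad password is rejected before the printer's user list or the account balance is ever consulted.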
The Macintosh Authenticator is available for evaluation on a 30-day trial basis at no charge. In order to evaluate how well the Macintosh Authenticator meets your needs you may install it on your system and use it for up to thirty days after the date the software is sent to you, at no obligation. After that date, you should stop using the software and delete it, or purchase it. If you wish to obtain an evaluation copy under these terms, please contact Stuart Cheshire.
There are no "educational discounts". So far all of our customers have been educational institutions, so offering a discount would be effectively the same as just reducing our prices, which we consider to be low already. We could double all the prices above and then offer a 50% educational discount, but such subterfuge would be unnecessarily complicated.
We are also open to offers from companies producing Macintosh print servers (i.e. commercial equivalents of CAP's lwsrv) who might be interested in bundling this functionality with their products.
Accounting tends to be very site-specific. Each site has its own type of user list and user policies. Some sites use Kerberos for their user-lists, some sites use Unix password files, and some sites operate using some other, completely different kind of list of users. Some sites require users to pay in advance for printing, and some sites allow users to print in arrears and bill them monthly. Some sites require students to pay in advance but allow faculty to operate on a monthly billing schedule. Because of these kinds of widely varying requirements, different sites will always have different local customization needs. Please contact Neil Crellin if you would like further information regarding the accounting software.
The Macintosh Authenticator is a framework with many possibilities, only some of which have been exploited at Stanford. Its basic function is to add authentication to existing Macintosh network services that are currently insecure -- printing being the most obvious example that comes to mind. We are open to suggestions for ways to extend and enhance the software. The basic price for custom modifications is $1000, subject to the amount of work involved. Examples of the kinds of additions that could be made are:
We are aware of one alternative system called Jake that is in use at Columbia University. At Columbia students are not charged money for printing unless they exceed 100 pages per week. Columbia's problem was not identifying users, but having lots of wastage -- pages that were printed but never collected. In the Jake system, all print jobs go first into a shared "holding area". No paper is printed until you physically show up at the printer in question, select your print job from the list of jobs in the shared holding area, and enter your username and password. This eliminated the problem of unclaimed printouts, with only the slight disadvantage of a small loss in confidentiality -- any user can see the titles of (and/or print) all the jobs waiting in the queue. However, if the pages were printed directly to the printer as in our system, there is nothing to stop someone hunting through the pile of printout looking for interesting documents, so having the titles presented in a list on the screen probably doesn't make a great difference in real terms.
Please note that since completing our PhDs and graduating from Stanford, we both have less time to devote to this. This page is maintained mostly as a historical record. However the Macintosh Authenticator software continues to work without any problems, even on Mac OS 9, so if you have a need for this kind of software we may still be able to help you. Stuart now works for Apple, and Neil works for Cadabra. Guessing our new email addresses is left as an exercise for the reader :-)