[comp.protocols.appletalk] LaserWriter accounting from Macintoshes

roy@phri.UUCP (Roy Smith) (05/30/89)

	A friend of mine wants to have people on a public Mac be able to print
to a LaserWriter and have their printer usage accounted for.  I think I've
worked out a neat way to do this and wanted to see what other people thought.

	The basic setup will be an Ultrix vax with the LW attached to a 9600
baud serial line.  A Kinetics KFPS-4 will bridge to an AppleTalk net with some
Macintoshes on it.  All the Macs (probably Mac-II's with 2-4 Mbytes) will run
multifinder.  The vax will be running a modified version of lwsrv and the
Macs will have statically assigned IP addresses.

	When a print job comes in, the lwsrv will look at the "%%Creator:"
line to see which Mac it came from and then look to see if any telnet
connections are coming from the IP address assigned to that mac.  If not, it
will drop the print job, simulating a PostScript error message something along
the lines of "%%[ Error: User authorization failure, please log in ]%%".  The
Mac printer driver should then obligingly put that message up in a dialog box.

	If somebody is logged in, lwsrv will change the "%%Creator:" line
to indicate that user and do a setuid to that user so the lpr accounting
charges the job to the right place.  Thus, to print something, you need to
launch telnet and login to the vax.  You don't have to do anything, just
keep the login connection open in the background.

	What do you think?  Does this sound reasonable?  I'm not worried
about possible sophisticated ways to spoof it, just that it will prevent
casual users from using the LaserWriter without their usage being accounted
for.
-- 
Roy Smith, Public Health Research Institute
455 First Avenue, New York, NY 10016
{allegra,philabs,cmcl2,rutgers,hombre}!phri!roy -or- roy@alanine.phri.nyu.edu
"The connector is the network"
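
The session check proposed above, written out as an added example (not code from the original post or from lwsrv): the Mac-to-address table, the list of active telnet logins, and the %%Creator: value are all constructed sample data, and the job is a minimal DSC header.

```python
import re

# Constructed sample data, not from the original post: which public Mac owns
# which static IP address, as the modified lwsrv would need to know.
MAC_ADDRESSES = {"Public Mac 1": "128.122.1.10", "Public Mac 2": "128.122.1.11"}

# Constructed sample of active telnet logins as (username, remote address),
# the shape lwsrv could obtain from the utmp login records on the vax.
ACTIVE_LOGINS = [("roy", "128.122.1.10"), ("alice", "128.122.1.99")]

PS_ERROR = "%%[ Error: User authorization failure, please log in ]%%"

def creator_of(job):
    """Return the value of the job's %%Creator: DSC comment, or None."""
    m = re.search(r"^%%Creator:\s*(.+?)\s*$", job, re.MULTILINE)
    return m.group(1) if m else None

def logged_in_user_from(ip, logins):
    """First login session coming from that address; None if there is none."""
    for user, host in logins:
        if host == ip:
            return user
    return None

def authorize_job(job, addresses, logins):
    """Return (accepted, result).  On success result is the job with its
    %%Creator: line replaced by the account to charge; on failure it is the
    PostScript-style error the Mac printer driver shows in a dialog box."""
    ip = addresses.get(creator_of(job))
    if ip is None:
        return False, PS_ERROR          # job did not come from a known Mac
    user = logged_in_user_from(ip, logins)
    if user is None:
        return False, PS_ERROR          # nobody logged in from that Mac
    rewritten = re.sub(r"^%%Creator:.*$", lambda _: "%%Creator: " + user,
                       job, count=1, flags=re.MULTILINE)
    return True, rewritten
```

Because the %%Creator: line is written by the client, this binds a job only to whoever currently has a login from that address, which is exactly the casual-use check the post asks for rather than a proof of identity.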

inei@cs.glasgow.ac.UK (Nick Nei) (06/01/89)

Roy Smith in NY writes:

>	A friend of mine wants to have people on a public Mac be able to print
>to a LaserWriter and have their printer usage accounted for.  I think I've
>worked out a neat way to do this and wanted to see what other people thought.
>
>	The basic setup will be an Ultrix vax with the LW attached to a 9600
>baud serial line.  A Kinetics KFPS-4 will bridge to an AppleTalk net with some
>Macintoshes on it.  All the Macs (probably Mac-II's with 2-4 Mbytes) will run
>multifinder.  The vax will be running a modified version of lwsrv and the
>Macs will have statically assigned IP addresses.
>
>	When a print job comes in, the lwsrv will look at the "%%Creator:"
>line to see which Mac it came from and then look to see if any telnet
>connections are coming from the IP address assigned to that mac.  If not, it
>will drop the print job, simulating a PostScript error message something along
>the lines of "%%[ Error: User authorization failure, please log in ]%%".  The
>Mac printer driver should then obligingly put that message up in a dialog box.
>
>	If somebody is logged in, lwsrv will change the "%%Creator:" line
>to indicate that user and do a setuid to that user so the lpr accounting
>charges the job to the right place.  Thus, to print something, you need to
>launch telnet and login to the vax.  You don't have to do anything, just
>keep the login connection open in the background.
>
>	What do you think?  Does this sound reasonable?  I'm not worried
>about possible sophisticated ways to spoof it, just that it will prevent
>casual users from using the LaserWriter without their usage being accounted
>for.

We've had the same problem with unscrupulous users and total strangers
using our LaserWriters.  This is what I have done:

The user does not have to login via telnet.  He/She must supply a
user-name and password in the Chooser, like so:

	nick:embezzle

The user must be within a page quota as well (but staff have no quota).
lwsrv looks for

	%%For: nick:embezzle

in the PostScript, breaks it up and checks against /etc/passwd.laser
(passwords are encrypted) and /usr/spool/pages.laser (page-count
file for user).

If user fails validation, lwsrv prints a page on the LaserWriter
giving reasons why job was not printed.  If user passes validation,
papif sends the job to LaserWriter and updates /usr/spool/pages.laser
file.

Our LaserWriters are on LocalTalk, but users can reach it because
the product name has been changed, hence they are forced to use
the one published by lwsrv.  But personal LaserWriters are not
"hidden".  They have names like "G171.LocalTalk" to remind users
that they should use it only if they have access to the room.

If any pages are found unaccounted for, the system sends me a message
and I will be alerted that someone might have breached security.
But for fool-proof security, we can connect the LaserWriter to a SUN
via serial link and print that way.

Users can change their password using lwpasswd command, like the
passwd command on UNIX.  lwsrv also does a setuid when it lprs
the job, so users can cancel their own job or see who is ahead
of them in the queue.

We have used this method for nearly a year.  It is gratifying to
meet someone from another University or Department complaining that
they cannot use our LaserWriters.

If anyone needs the modified lwsrv and papif code, send me a note.
 
Mail:	Nick Nei, Computing Science Dept., 
	Glasgow Univ., 17 Lilybank Gardens,
	Glasgow G12 8QQ, UK.  Tel: (041) 339 8855 x 5457
ARPA:	inei%cs.glasgow.ac.uk@nsfnet-relay.ac.uk USENET: inei@cs.glasgow.uucp
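
The %%For: validation and page accounting described in the post above, as an added example that is not the modified lwsrv/papif code. The layouts of /etc/passwd.laser and /usr/spool/pages.laser are assumptions (the post only says one holds encrypted passwords and the other per-user page counts), the salted SHA-256 stands in for whatever crypt-style scheme the original used, and the page count is taken from the job's %%Pages: comment.

```python
import hashlib, hmac, re

def hash_pw(password, salt):
    # Salted SHA-256 stands in for the crypt()-style passwords the post mentions (assumption).
    return hashlib.sha256((salt + password).encode()).hexdigest()

def parse_passwd_laser(text):
    """Assumed layout: user:salt:hash:quota; quota 0 means no quota (staff)."""
    users = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            user, salt, pwhash, quota = line.split(":")
            users[user] = (salt, pwhash, int(quota))
    return users

def parse_pages_laser(text):  # assumed layout: user:pages_printed_so_far
    return {u: int(n) for u, n in (l.split(":") for l in text.splitlines() if l.strip())}

def credentials_of(job):
    """The user:password pair the Chooser put into the %%For: DSC comment."""
    m = re.search(r"^%%For:\s*([^:\s]+):(\S+)\s*$", job, re.MULTILINE)
    return (m.group(1), m.group(2)) if m else None

def job_pages(job):
    """Page count from the %%Pages: comment (assumption: 1 if absent)."""
    m = re.search(r"^%%Pages:\s*(\d+)", job, re.MULTILINE)
    return int(m.group(1)) if m else 1

def validate_job(job, users, pages):
    """Return (ok, reason); on success the user's page count is updated in
    place (papif's bookkeeping), otherwise reason goes on the rejection page."""
    cred = credentials_of(job)
    if cred is None:
        return False, "no %%For: user:password line in job"
    user, password = cred
    if user not in users:
        return False, "unknown user " + user
    salt, pwhash, quota = users[user]
    if not hmac.compare_digest(hash_pw(password, salt), pwhash):
        return False, "bad password for " + user
    n, used = job_pages(job), pages.get(user, 0)
    if quota and used + n > quota:
        return False, f"{user} over quota: {used} used, {n} requested, {quota} allowed"
    pages[user] = used + n
    return True, f"printed {n} pages for {user}"

# Constructed sample files; the hashes are computed here rather than pasted in.
SALT = "x7"
PASSWD_LASER = (f"nick:{SALT}:{hash_pw('embezzle', SALT)}:50\n"
                f"staff1:{SALT}:{hash_pw('s3cret', SALT)}:0\n")
PAGES_LASER = "nick:45\n"
```

Note that the password rides in clear text inside the spooled PostScript, so the spool directory's permissions decide who else can read it.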