[comp.protocols.appletalk] Limiting access

rbw@WILLIAMS.EDU (04/14/88)

This is a (hypothetical) pseudo-security question about CAP.  Picture
an AppleTalk network shaped like this:
         +------  Faculty
        / +-----  Faculty
       / / +----  Student SE's
      / / /
      PhoneNet Star
      +-------------- Kbox ====== Suns on an ethernet with laserwriter
                                   and AUFS

We would like to have the students use AUFS volumes, but not the LaserWriter
access that the faculty must have.  Is this possible?  Ideas and comments
would be greatly appreciated.

-Richard Ward
rbw@cs.williams.edu
Williams College, Williamstown, MA

evan@SSYX.UCSC.EDU (Evan Schaffer) (04/14/88)

Yes, we have a situation that is exactly what you describe.
Here is what we are trying:

1. Change the 'type' of the LaserWriter to, for example, 'secretlaserwriter'.
Then Macs on the AppleTalk net will not be able to see it.
Change the lwsrv process on the Unix server (in our case we have Suns,
VAX 780s, and ISI machines so far) so that the server talks to
'secretlaserwriter'.  Now you have access only through the Unix host.

2. Next we get both AUFS and lwsrv to cooperate; that is,
lwsrv will throw away the job unless the requesting node is "logged in"
to an AUFS volume.

This buys accounting with the normal pac mechanism for free
if you have lwsrv work as the user id that the Mac is using
for AUFS.

There are also the zone protection measures that can
be activated in the Kbox, and other stuff you can do
in atalkatab to keep traffic local to a particular Kbox,
that are described earlier in info-appletalk, but they
don't offer the accounting features that messing with the
servers buys you.  koreth@ssyx.ucsc.edu (also koreth@ucscb.ucsc.edu
in case mail is bad to ssyx) is the guy to talk to.

cck@CUNIXC.COLUMBIA.EDU (Charlie C. Kim) (04/14/88)

The lwsrv "cooperating with" AUFS idea will certainly work.  One note,
though: the safest way to protect the LaserWriter is to use a serial
line to spool to it -- the LaserWriter drivers are not tied to the
type "LaserWriter".

The (correct, but) long-term solution is to use an authentication
system like Project Athena's Kerberos Authentication and Authorization
System to validate printing, file server, and access to other
services.

Charlie
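As an added illustration of the two controls discussed in this thread (not code from CAP, lwsrv, AUFS, or any of the posters), the model below shows Evan's step 1 (re-registering the printer under a non-standard NBP type) next to Charlie's caveat that nothing forces a client to ask for type "LaserWriter", and Evan's step 2 (the spooler accepting a job only from a node that currently holds a file-server login, billed to that login's user).  NBP is reduced to an in-memory name table where names have the form object:type@zone, "=" is the wildcard for object or type, and "*" means the local zone; the node addresses, user names, zone name, and the NbpRegistry/PrintGate API are all assumptions made for this example.

```python
"""Toy model of the printer-hiding and node-login controls from the thread.
Added example; not part of CAP.  NBP semantics are simplified: '=' wildcard
for object/type, '*' for the local zone.  Addresses and names are constructed."""

from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Addr = Tuple[int, int]  # (network, node); the socket number is omitted here


@dataclass(frozen=True)
class NbpName:
    obj: str
    typ: str
    zone: str


class NbpRegistry:
    """Stand-in for the set of names registered on the network (assumed API)."""

    def __init__(self, local_zone: str) -> None:
        self.local_zone = local_zone
        self.names: Dict[NbpName, Addr] = {}

    def register(self, obj: str, typ: str, zone: str, addr: Addr) -> None:
        self.names[NbpName(obj, typ, zone)] = addr

    def lookup(self, pattern: str) -> List[Tuple[NbpName, Addr]]:
        """Resolve 'object:type@zone'; '=' matches any object/type, '*' = local zone."""
        obj_typ, _, zone = pattern.partition("@")
        obj, _, typ = obj_typ.partition(":")
        if zone in ("*", ""):
            zone = self.local_zone
        return [
            (n, a) for n, a in self.names.items()
            if n.zone == zone
            and (obj == "=" or n.obj == obj)
            and (typ == "=" or n.typ == typ)
        ]


@dataclass
class PrintGate:
    """Spooler-side rule from step 2: accept a job only if its source node holds
    a file-server session, and bill it to that session's user (assumed design)."""
    sessions: Dict[Addr, str] = field(default_factory=dict)        # node -> user
    accounting: List[Tuple[str, int]] = field(default_factory=list)  # (user, pages)

    def aufs_login(self, node: Addr, user: str) -> None:
        self.sessions[node] = user

    def aufs_logout(self, node: Addr) -> None:
        self.sessions.pop(node, None)

    def lwsrv_submit(self, node: Addr, pages: int) -> Optional[str]:
        """Return the user the job is billed to, or None if the job is discarded."""
        user = self.sessions.get(node)
        if user is None:
            return None
        self.accounting.append((user, pages))
        return user


def demo() -> dict:
    net = NbpRegistry(local_zone="CS")
    # Constructed addresses: the printer and two Macintosh clients.
    printer, faculty_mac, student_mac = (1, 200), (1, 10), (1, 11)
    # Step 1: register the printer under a non-standard type.
    net.register("Lab LaserWriter", "secretlaserwriter", "CS", printer)

    chooser_sees = net.lookup("=:LaserWriter@*")  # what the Chooser asks for
    anyone_sees = net.lookup("=:=@*")             # what any curious node can ask for

    gate = PrintGate()
    gate.aufs_login(faculty_mac, "rbw")           # the student Mac never logs in
    results = {
        "chooser_finds_printer": bool(chooser_sees),
        "wildcard_finds_printer": any(a == printer for _, a in anyone_sees),
        "student_job_user": gate.lwsrv_submit(student_mac, 5),
        "faculty_job_user": gate.lwsrv_submit(faculty_mac, 3),
        "accounting": list(gate.accounting),
    }
    gate.aufs_logout(faculty_mac)
    results["faculty_job_after_logout"] = gate.lwsrv_submit(faculty_mac, 1)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running demo() shows the point of both posts: the renamed printer disappears from a lookup for type "LaserWriter" but is still returned by the "=:=@*" wildcard, so the rename only hides the printer from the Chooser, while the login gate discards the student's job and bills the faculty job to the AUFS user.  The gate's only binding between job and user is the source node address, which AppleTalk does not authenticate; that gap is what Charlie's Kerberos remark addresses.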