Setting Up Token Authorization

When accounts on a transfer server are configured to require token authorization, only transfers initiated with a valid token are allowed to transfer to or from the server. The token authorization requirement can be set for individual users, entire user groups, or globally for all users. Token authorization can be set independently for incoming transfers and outgoing transfers.
Note: Token authorization is required for initiating transfers with the Shares product.

Set up token authorization for a transfer user as follows:

  1. Choose or create the transfer user on the server.
    The examples below use the transfer user aspera_user_1.
  2. Log in as the user to ensure that any created files are owned by the user.
    Create the directory .ssh and the file authorized_keys if they don't already exist. For example:
    /home/aspera_user_1/.ssh/authorized_keys
  3. Append the token-authorization public key to the user's authorized_keys file.
    Aspera provides a public key in the file aspera_tokenauth_id_rsa.pub stored in the following location:
    /opt/aspera/var/aspera_tokenauth_id_rsa.pub
  4. Ensure that .ssh and .ssh/authorized_keys are owned by the user.

    For example:

    drwxr-xr-x  2  aspera_user_1  xgroup  4096  Mar 20  2013  .ssh
-rw-r--r--  1  aspera_user_1  xgroup   674  Mar 20  2013  .ssh/authorized_keys
  5. Make sure the user has no password.
    If the system does not allow this, create a very large password.
  6. Make sure the user's login shell is aspshell.
    For information on setting this, see Securing Your SSH Server.
  7. Configure the user for token authorization
    To configure user authorization from the GUI, see Configuring Token Authorization from the GUI. To configure user authorization from aspera.conf, see Configuring Token Authorization in aspera.conf.
    Note: Instead of setting authorization for each user individually, you can set it for a group, or set it globally for all users.
  8. Create a node user and associate it with the transfer user.
    The examples below use the Node API user nuser.
    # /opt/aspera/bin/asnodeadmin -au nuser -x aspera_user_1 -p nuser_passwd
  9. Test the node user: 
    # curl -ki  -u nuser:nuser_passwd  https://hostname_or_ip:9092/info