Setting Up Transfer Users (Terminal)

The HST Server uses system accounts to authenticate connections from Aspera clients. The system users must be added and configured as Aspera transfer users before clients can browse the server file system or run FASP transfers to and from the server. When creating transfer users, you can also specify user-specific settings, such as transfer bandwidth, docroot, and file handling. User configuration is an important part of securing your server. For a complete description, see Configuring Shares Security.

Important Configuration Notes:

  • Some Aspera features require a docroot in URI format or require a file restriction instead of a docroot. For more information, see Docroot vs. File Restriction.
  • If users connect to the server by providing IBM Aspera Shares credentials or by providing Node API credentials that are associated with the transfer user, changes to a user's configuration, such as their docroot, are not applied to the user until asperanoded is restarted. For instructions, see Restarting Aspera Services.

To configure a system user account as an Aspera transfer user:

  1. To allow the user to access the HST Server web UI (deprecated), configure the user for Apache authentication.
    In addition to SSH authentication, HST Server uses Apache's authentication to authorize web UI access. To set up a system user (asp1 in this example) for Apache authentication, run the htpasswd command below.
    Note: On the first run of htpasswd, you must use the -c option to create the file for credential storage, webpasswd. Do not use the -c option otherwise. 
    # htpasswd [-c ]/opt/aspera/etc/webpasswd asp1
    Note: If you have Apache 2.4.4, you may get authentication errors when trying to provide a password to view the site. As a workaround, run htpasswd with the -b option and enter the password on the command line as follows: 
    # htpasswd -b /opt/aspera/etc/webpasswd asp1 password
  2. Create default (global) transfer settings.
    To set default values to prohibit transfers in and out, set the encryption key, and set the default docroot for all users, run the following commands (if not already set):
    # asconfigurator -x "set_node_data;authorization_transfer_in_value,deny"
# asconfigurator -x "set_node_data;authorization_transfer_out_value,deny"
# asconfigurator -x "set_node_data;token_encryption_key,token_key"
# asconfigurator -x "set_node_data;absolute,docroot"

    For server security, Aspera recommends the following settings:

    • Deny transfers by default, then enable transfers for individual users as required (described in a later step).
    • Set the token encryption key to a string of at least 20 random characters.
    • Set a default docroot to an empty folder or a part of the file system specific to each user.
    If there is a pattern in the docroot of each user, for example, /sandbox/username, you can use a substitutional string. This way you assign independent docroot to each user without setting a docroot for each user individually
    Substitutional String Definition Example
    $(name) system user's name /sandbox/$(name)
    $(home) system user's home directory $(home)/Documents
  3. For server security, Aspera recommends restricting users' read, write, and browse permissions.
    Users are given read, write, and browse permissions to their docroot by default. For increased security, change the global default to deny these permissions: 
    # asconfigurator -x "set_node_data;read_allowed,false;write_allowed,false;dir_allowed,false"

    Run the following commands to enable permissions per user, as required:

    # asconfigurator -x "set_user_data;user_name,username;read_allowed,true"
# asconfigurator -x "set_user_data;user_name,username;write_allowed,true"
# asconfigurator -x "set_user_data;user_name,username;dir_allowed,true"
  4. If you provided an Aspera license during installation (rather than an entitlement), ensure that the transfer user has read permissions on the Aspera license file (aspera-license) so that they can run transfers.
    The license file is found in: /opt/aspera/etc/
  5. Restrict user permissions with aspshell.
    By default, all system users can establish a FASP connection and are only restricted by file permissions. Restrict the user's file operations by assigning them to use aspshell, which permits only the following operations:
    • Running Aspera uploads and downloads to or from this computer.
    • Establishing connections in the application.
    • Browsing, listing, creating, renaming, or deleting contents.

    These instructions explain one way to change a user account or active directory user account so that it uses the aspshell; there may be other ways to do so on your system.

    Run the following command to change the user login shell to aspshell:

    # sudo usermod -s /bin/aspshell username

    Confirm that the user's shell updated by running the following command and looking for /bin/aspshell at the end of the output:

    # grep username /etc/passwd
username:x:501:501:...:/home/username:/bin/aspshell
    Note: If you use OpenSSH, sssd, and Active Directory for authentication: To make aspshell the default shell for all domain users, first set up a local account for server administration because this change affects all domain users. Then open /etc/sssd/sssd.conf and change default_shell from /bin/bash to /bin/aspshell.
  6. Configure user-specific transfer settings.
    Besides the default (global) transfer settings, you can create user-specific and group-specific transfer settings. The user-specific settings have the highest priority, overriding both group and global settings. For more information, see Configuration Precedence.

    To set user-specific values to authorize transfers in and out, docroot, and target rate, run the following commands:

    # asconfigurator -x "set_user_data;user_name,username;authorization_transfer_in_value,allow"
# asconfigurator -x "set_user_data;user_name,username;authorization_transfer_out_value,allow"
# asconfigurator -x "set_user_data;user_name,username;absolute,docroot"
# asconfigurator -x "set_user_data;user_name,username;transfer_in_bandwidth_flow_target_rate_default,rate"
# asconfigurator -x "set_user_data;user_name,username;transfer_out_bandwidth_flow_target_rate_default,rate"

    For more information about other user settings, see aspera.conf - Authorization Configuration, aspera.conf - Transfer Configuration, and aspera.conf - File System Configuration.

  7. Verify the configuration.
    If you modify aspera.conf by editing the text, use the following command to verify the XML form and values: 
    # /opt/aspera/bin/asuserdata -v
  8. Restart asperanoded and asperacentral to activate your changes.
    Run the following commands to restart asperanoded:
    # /etc/init.d/asperanoded restart
    Run the following command in a Terminal window to restart asperacentral:
    # /etc/init.d/asperacentral restart