Require Token Authorization: Set from the Command Line

When transfer users or groups are configured to require token authorization, only transfers initiated with a valid token (transfer token, basic token, or bearer token) are allowed to transfer to or from the server. Token authorization can be set independently for incoming transfers and outgoing transfers.

The following examples use a transfer user called aspera_user_1.

  1. Choose or create the transfer user on the server.
    The user should not have a password. If the system does not allow this, set a very long password.
  2. Set the IBM Aspera Connect public SSH key as an authorized key for the transfer user and ensure that they own the file.
    1. Create the .ssh directory in the user's home folder.
      # mkdir /home/aspera_user_1/.ssh/
    2. Copy the Connect public SSH key into .ssh and rename it authorized_keys (or append the public key to authorized_keys if the file already exists).
      # cp /opt/aspera/var/aspera_tokenauth_id_rsa.pub /home/aspera_user_1/.ssh/authorized_keys
    3. Ensure that .ssh and .ssh/authorized_keys are owned by the user, and restrict their permissions.
      # chown -R aspera_user_1:aspera_user_1 /home/aspera_user_1/.ssh
      # chmod 600 /home/aspera_user_1/.ssh/authorized_keys
      # chmod 700 /home/aspera_user_1
      # chmod 700 /home/aspera_user_1/.ssh
  3. To require token authorization for uploads and downloads, and to set the token encryption key, run the following command:
    # asconfigurator -x "set_user_data;user_name,aspera_user_1;authorization_transfer_in_value,token;authorization_transfer_out_value,token;token_encryption_key,key"

    Aspera recommends that the key be a random string of at least 20 characters. This command creates the following text in aspera.conf (shown here with a sample key value):

    <user>
        <name>aspera_user_1</name>
        <authorization>
            <transfer>
                <in>
                    <value>token</value>
                </in>
                <out>
                    <value>token</value>
                </out>
            </transfer>
            <token>
                <encryption_key>gj5o930t78m34ejme9dx</encryption_key>
            </token>
        </authorization>
        <file_system>
              ...
              ...  
        </file_system>
    </user>

    You can also configure token-authorization settings in a <group> section to be applied to all users in the group or in the <default> section to apply them globally for all users. For instructions on how to run asconfigurator commands to do so, as well as to view other token configuration options, see User, Group and Default Configurations.
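
    The following shell helpers are an added example, not part of the Aspera documentation. They generate a token encryption key that meets the 20-character recommendation, build the step 3 asconfigurator argument, and audit the modes and ownership set in step 2. The function names (gen_token_key, token_auth_args, check_path, audit_token_user) and the choice of a hex key are assumptions of this example.

```shell
#!/bin/sh
# Added example; helper names are hypothetical, not Aspera tooling.

# Print a random hex key of LENGTH characters (default 32, minimum 20).
# Hex avoids the ',' and ';' separators used in the asconfigurator argument.
gen_token_key() {  # gen_token_key [LENGTH]
    len=${1:-32}
    [ "$len" -ge 20 ] || { echo "key must be at least 20 characters" >&2; return 1; }
    key=$(od -An -N"$(( (len + 1) / 2 ))" -tx1 /dev/urandom | tr -d ' \n')
    printf "%.${len}s\n" "$key"
}

# Print the -x argument from step 3 for USER and KEY.
token_auth_args() {  # token_auth_args USER KEY
    printf 'set_user_data;user_name,%s;authorization_transfer_in_value,token;authorization_transfer_out_value,token;token_encryption_key,%s\n' "$1" "$2"
}

# Succeed only if PATH exists with exactly MODE and is owned by OWNER.
check_path() {  # check_path PATH MODE OWNER
    [ -e "$1" ] || { echo "MISSING $1"; return 1; }
    [ -n "$(find "$1" -prune -perm "$2" -user "$3" 2>/dev/null)" ] && return 0
    echo "BAD $1: expected mode $2, owner $3"
    return 1
}

# Check the three paths that step 2 locks down; report every finding.
audit_token_user() {  # audit_token_user HOME_DIR USER
    rc=0
    check_path "$1" 700 "$2" || rc=1
    check_path "$1/.ssh" 700 "$2" || rc=1
    check_path "$1/.ssh/authorized_keys" 600 "$2" || rc=1
    return "$rc"
}

# Usage (as root on the server):
#   key=$(gen_token_key 32) &&
#     asconfigurator -x "$(token_auth_args aspera_user_1 "$key")"
#   audit_token_user /home/aspera_user_1 aspera_user_1
```

    A 32-character hex key carries 128 bits of randomness; the audit prints one line per path that is missing or has the wrong mode or owner and returns non-zero if any check fails.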