| Set up Users and Groups |
Note: If you have Apache 2.4.4, you may get authentication errors when trying to provide a password to view the site. As a workaround, run htpasswd with the -b option and enter the password on the command line as follows:
# htpasswd -b /opt/aspera/etc/webpasswd asp1 password
2. Create default (global) transfer settings.
To set default values to prohibit transfers in and out, set the encryption key, and set the default docroot for all users, run the following commands (if not already set):
# asconfigurator -x "set_node_data;authorization_transfer_in_value,deny"
# asconfigurator -x "set_node_data;authorization_transfer_out_value,deny"
# asconfigurator -x "set_node_data;token_encryption_key,token_key"
# asconfigurator -x "set_node_data;absolute,docroot"
For server security, Aspera recommends the following settings:
• Deny transfers by default, then enable transfers for individual users as required (described in a later step).
• Set the token encryption key to a string of at least 20 random characters.
• Set a default docroot to an empty folder or a part of the file system specific to each user.
If there is a pattern in the docroot of each user, for example, /sandbox/username, you can use a substitutional string. This way you assign an independent docroot to each user without setting a docroot for each user individually.
Substitutional String | Definition | Example
$(name) | system user's name | /sandbox/$(name)
$(home) | system user's home directory | $(home)/Documents
3. For server security, Aspera recommends restricting users' read, write, and browse permissions.
Users are given read, write, and browse permissions to their docroot by default. For increased security, change the global default to deny these permissions:
# asconfigurator -x "set_node_data;read_allowed,false;write_allowed,false;dir_allowed,false"
Run the following commands to enable permissions per user, as required:
# asconfigurator -x "set_user_data;user_name,username;read_allowed,true"
# asconfigurator -x "set_user_data;user_name,username;write_allowed,true"
# asconfigurator -x "set_user_data;user_name,username;dir_allowed,true"
4. If you provided an Aspera license during installation (rather than an entitlement), ensure that the transfer user has read permissions on the Aspera license file (aspera-license) so that they can run transfers.
The license file is found in: /opt/aspera/etc/
5. Restrict user permissions with aspshell.
By default, all system users can establish a FASP connection and are only restricted by file permissions. Restrict the user's file operations by assigning them to use aspshell, which permits only the following operations:
• Running Aspera uploads and downloads to or from this computer.
• Establishing connections in the application.
• Browsing, listing, creating, renaming, or deleting contents.
These instructions explain one way to change a user account or Active Directory user account so that it uses aspshell; there may be other ways to do so on your system.
Run the following command to change the user login shell to aspshell:
# sudo usermod -s /bin/aspshell username
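
A check for steps 2 and 5, as an added example that is not part of the Aspera documentation: it reads passwd-format account lines, shows the docroot each account would get from a substitutional-string pattern, and marks accounts whose login shell is not aspshell. The function names, status labels, and sample accounts are constructed for illustration; treating nologin and false shells as unable to open a session is an assumption.

```shell
#!/bin/sh
# Added example, not from the Aspera documentation.
# Reads passwd(5)-format lines on stdin and prints, per account:
#   name <TAB> status <TAB> docroot after substitution
# Status: "aspshell" (restricted as in step 5), "nologin" (assumed unable
# to open a session), or "REVIEW" (a general-purpose login shell).

# audit_accounts PATTERN   (PATTERN may contain $(name) and $(home))
audit_accounts() {
    DOCROOT_PATTERN="$1" awk -F: '
    # Literal (non-regex) replacement of every occurrence of tok in s.
    function subst(s, tok, val,    i, out) {
        out = ""
        while ((i = index(s, tok)) > 0) {
            out = out substr(s, 1, i - 1) val
            s = substr(s, i + length(tok))
        }
        return out s
    }
    /^#/ || NF < 7 { next }     # skip comments and malformed lines
    {
        docroot = subst(ENVIRON["DOCROOT_PATTERN"], "$(name)", $1)
        docroot = subst(docroot, "$(home)", $6)
        if ($7 == "/bin/aspshell")           status = "aspshell"
        else if ($7 ~ /\/(nologin|false)$/)  status = "nologin"
        else                                 status = "REVIEW"
        printf "%s\t%s\t%s\n", $1, status, docroot
    }'
}

# Constructed sample accounts (hypothetical names and paths).
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
asp1:x:1001:1001::/home/asp1:/bin/aspshell
xfer2:x:1002:1002::/home/xfer2:/bin/bash
EOF
}

# Demo on the sample; on a host, pipe `getent passwd` into audit_accounts.
sample_passwd | audit_accounts '/sandbox/$(name)'
```

Accounts reported as REVIEW still have a general-purpose login shell and are limited only by file permissions, as step 5 describes.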