Workaround to use Aspera transfer servers on Mac OS X 10.11 El Capitan

Description

The latest release of Mac OS X 10.11 El Capitan contains heightened security policies that break the functionality of Aspera transfer servers.

Specifically, El Capitan disables SSH-based services because it does not allow anything to be symbolically linked into /usr/bin. This prevents ssh from locating ascp and other services, which is essential for interacting with a remote transfer server.

A future release of Enterprise Server/Connect Server/P2P will provide a fix to the problem, at which time El Capitan will be fully supported. In the meantime, you can use the workaround detailed below.

Environment

  • Product: Enterprise Server, Connect Server, Point to Point
  • Operating System: Mac OS X 10.11 El Capitan

Workaround

1. Open the following file in a text editor:

  • /etc/ssh/sshd_config

Look for the PermitUserEnvironment setting. Uncomment the setting by removing the # in front, and change the value to yes so it looks like the following:

PermitUserEnvironment yes

Next look for the PasswordAuthentication setting. Uncomment the setting by removing the # in front, and change the value to yes so it looks like the following:

PasswordAuthentication yes

Save and exit.

2. (optional) Map an alternate TCP port (33001 is the Aspera standard) on the external IP address of your network to TCP port 22 on the private IP address of the Mac hosting the Aspera transfer server.

If you choose to configure a port mapping other than 22 or 33001 on your external IP address, you will need to configure your Aspera clients to use this alternate port. See your client's product documentation for instructions.

If you are unsure of how to configure your system to map an alternate TCP port, contact Aspera Support.

This step is good practice because it lessens the number of automated attacks that may come in on port 22; however, doing so is not required. Your Aspera transfer server functions as expected on port 22.

3. Add an environment file for every transfer user. A transfer user is a user you have configured on your server in aspera.conf, either directly or using the Configuration window of the GUI.

Create a file called environment at the following location for each transfer user, where user is the username:

  • /Users/user/.ssh/environment

Paste the following content into the file:

PATH=/bin:/usr/bin:/usr/sbin:/sbin:/usr/local/sbin:/usr/local/bin:/opt/pkgconfig/bin:/Library/Aspera/bin:/Library/Aspera/sbin

4. If you previously configured your transfer users to use aspshell, you will need to modify the configured aspshell path. 

Go to System Preferences > Users & Groups. Click the lock icon on the bottom left and enter admin credentials. Right-click an account using aspshell and select Advanced Options.

Change the login shell from /usr/bin/aspshell to /Library/Aspera/bin/aspshell.

Click OK to finish.

5. Your transfer server on your Mac should now be able to run ascp as normal.

If other services are still not able to run, you can run them manually with the following commands:

$ /usr/sbin/sshd
$ /Library/Aspera/sbin/asperacentral
$ /Library/Aspera/sbin/asperanoded
$ /Library/Aspera/sbin/asperahttpd
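
A check for steps 1 and 3, added here as an example (it is not Aspera's code; the function names and the audit.sh file name are hypothetical). It confirms that both sshd_config settings are in effect globally and that an environment file carries only the article's PATH line and is writable only by its owner, since with PermitUserEnvironment enabled sshd sets every assignment in that file in the user's session.

```shell
#!/bin/sh
# Added example, not Aspera code: audit the files edited by the workaround.
# Function names are hypothetical; file paths are passed in as arguments.

# Print the global value of an sshd_config keyword. sshd uses the first
# uncommented occurrence, keywords are case-insensitive, and settings after
# a Match line are conditional, so the scan stops there.
sshd_setting() {  # usage: sshd_setting FILE KEYWORD
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$1"
}

# Step 1: both settings must be uncommented and set to yes.
check_sshd_config() {  # usage: check_sshd_config FILE
    [ "$(sshd_setting "$1" PermitUserEnvironment)" = "yes" ] &&
        [ "$(sshd_setting "$1" PasswordAuthentication)" = "yes" ]
}

# The PATH line from step 3 of the article.
ASPERA_ENV_LINE='PATH=/bin:/usr/bin:/usr/sbin:/sbin:/usr/local/sbin:/usr/local/bin:/opt/pkgconfig/bin:/Library/Aspera/bin:/Library/Aspera/sbin'

# Step 3: the file must hold the PATH line and no other assignment, and
# must not be writable by group or others.
check_env_file() {  # usage: check_env_file FILE
    [ -f "$1" ] || return 1
    grep -q -x -F "$ASPERA_ENV_LINE" "$1" || return 1
    # With PermitUserEnvironment on, every assignment here reaches the session.
    if grep -v -e '^[[:space:]]*$' -e '^#' "$1" | grep -q -v -x -F "$ASPERA_ENV_LINE"; then
        return 1
    fi
    [ -z "$(find "$1" -perm -020 -o -perm -002)" ]
}

# Usage (hypothetical file name): sh audit.sh /etc/ssh/sshd_config /Users/user/.ssh/environment
if [ "$#" -eq 2 ]; then
    if check_sshd_config "$1"; then echo "sshd_config: ok"; else echo "sshd_config: FAIL"; fi
    if check_env_file "$2"; then echo "environment: ok"; else echo "environment: FAIL"; fi
fi
```

On the server itself, `sudo sshd -T` prints the configuration sshd actually resolves, which is the authoritative view of the two settings.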