The async binary offers command-line flags for preserving user ID and group ID on the destination host (-u and -j, respectively). For these features to work, ascp must run as root on the destination, because only root has privileges to create a file or directory as another UID/GID.
However, some organizations have security policies which prohibit authenticating as root over the network. This article presents a method of authenticating as an ordinary user and using sudo to elevate privileges. The async binary uses ascp for the FASP transfers, so our solution must include ascp as well.
The async command contains a username with which we authenticate to the server. In our example we'll use asp1. On the server, async and ascp are invoked by an ssh process running as asp1. Our method modifies the $PATH variable of user asp1 so that, instead of calling the normal async and ascp binaries, ssh invokes scripts that call sudo. This method has the advantage of applying only to user asp1 (other users would run async and ascp normally). Permissions can be set on the scripts directory such that only user asp1 can execute them.
Perform steps 1-7 on the destination server.
1) Create user & group asp1
# groupadd asp1
# id asp1
# useradd -c "Async transfer user" -s /bin/bash -g 1002 -d /home/asp1 -m asp1
Use the id command to find the GID of the new group asp1 (such as 1002), which you will supply to the -g option of useradd.
We recommend that you set up a designated account, such as asp1. Only user asp1 will execute async and ascp via sudo. Other users who authenticate to the server will run async in the standard manner.
2) Enable user asp1 to run async and ascp as root
a. Edit the sudoers file.
b. If necessary, comment out the Defaults requiretty line. The transfer runs under a non-interactive ssh session, so there is no tty available for sudo, and we must turn off the requiretty feature. This line may already be commented out.
c. Add the following line to the end of the file:
asp1 ALL=NOPASSWD: /opt/aspera/bin/async, /opt/aspera/bin/ascp
ALL here refers to "all hosts." If this sudoers file is consulted by other hosts, you should replace the ALL keyword with an alias restricting the scope to the localhost. sudo normally asks for a password, so the NOPASSWD keyword bypasses this.
3) Prepare the script directory
# mkdir /opt/aspera/sudo
4) Create a file named /opt/aspera/sudo/async that contains the following content (the quoted "$@" passes every argument through unchanged, even arguments containing spaces):
#!/bin/sh
sudo /opt/aspera/bin/async "$@"
5) Create a file named /opt/aspera/sudo/ascp that contains the following content:
#!/bin/sh
sudo /opt/aspera/bin/ascp "$@"
6) Set permissions on the script directory and the scripts so that only user asp1 can traverse and execute them
# chown -R asp1:asp1 /opt/aspera/sudo
# chmod 100 /opt/aspera/sudo
# chmod 500 /opt/aspera/sudo/async
# chmod 500 /opt/aspera/sudo/ascp
7) Edit user asp1's /home/asp1/.bashrc and add these lines:
PATH=/opt/aspera/sudo:$PATH
export PATH
Placement of this PATH statement is often important. Some .bashrc files contain a statement at the top to the effect of "if this is a non-interactive shell, ignore everything below here," like this:
# If not running interactively, don't do anything
[ -z "$PS1" ] && return
In that case, your PATH statement must come before this statement.
If there is already a PATH statement in the .bashrc file, modify the line accordingly. The important thing is for /opt/aspera/sudo to appear in the path before /opt/aspera/bin.
8) Now we are ready to try async from the client.
$ async -N test1 -b /path/to/local/syncdb -B /path/to/remote/syncdb -utj -d /path/to/local/src -r asp1@server:/path/to/remote/dest -w asp1_passwd -K push -P 33001 --create-dir
What you should see on the server:
- the new directory /path/to/remote/dest should contain files with their proper user and group ownership
- sudo log entries in /var/log/secure noting that user asp1 executed both async and ascp
The sudo error "sorry, you must have a tty to run sudo" indicates that you need to disable requiretty. See step 2b.
The sudo error "no tty present and no askpass program specified" indicates that you need to add the NOPASSWD keyword to the sudoers file. See step 2c.
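As an added example (not from the original article), the following POSIX shell functions check the three settings this setup depends on: the PATH order in asp1's .bashrc, the sudoers rule, and the wrapper permissions. It assumes the paths and user name used above (/opt/aspera/sudo, /opt/aspera/bin, asp1).

```shell
#!/bin/sh
# Audit helpers for the sudo-wrapper setup (added example; not part of the
# original article). Assumed layout, as in the article: wrappers in
# /opt/aspera/sudo, real binaries in /opt/aspera/bin, transfer user asp1.
WRAPPER_DIR=/opt/aspera/sudo
REAL_DIR=/opt/aspera/bin

# path_order_ok PATH_STRING: succeed only if WRAPPER_DIR is on the path and
# precedes REAL_DIR; otherwise ssh resolves the real async/ascp first and no
# elevation happens.
path_order_ok() {
    _pos=0; _wrap=; _real=
    _old_ifs=$IFS; IFS=:
    for _d in $1; do
        _pos=$((_pos + 1))
        if [ "$_d" = "$WRAPPER_DIR" ] && [ -z "$_wrap" ]; then _wrap=$_pos; fi
        if [ "$_d" = "$REAL_DIR" ] && [ -z "$_real" ]; then _real=$_pos; fi
    done
    IFS=$_old_ifs
    [ -n "$_wrap" ] || return 1
    [ -z "$_real" ] || [ "$_wrap" -lt "$_real" ]
}

# sudoers_rule_ok LINE: the asp1 rule must carry NOPASSWD and grant exactly
# the two binaries by absolute path; ALL or any other command fails the check.
sudoers_rule_ok() {
    case $1 in "asp1 "*"NOPASSWD:"*) ;; *) return 1 ;; esac
    _old_ifs=$IFS; IFS=,
    for _c in ${1#*NOPASSWD:}; do
        _c=$(printf '%s' "$_c" | sed 's/^ *//;s/ *$//')   # trim spaces
        case $_c in
            "$REAL_DIR/async"|"$REAL_DIR/ascp") ;;
            *) IFS=$_old_ifs; return 1 ;;
        esac
    done
    IFS=$_old_ifs
}

# wrapper_mode_ok FILE OWNER: succeed if FILE is mode 500 (r-x------) and
# owned by OWNER, so only the transfer user can read or run the wrapper.
wrapper_mode_ok() {
    _listing=$(ls -ld "$1" 2>/dev/null) || return 1
    set -- "$2" $_listing            # now $1=expected owner $2=perms $4=owner
    case $2 in -r-x------*) [ "$4" = "$1" ] ;; *) return 1 ;; esac
}
```

Run wrapper_mode_ok against /opt/aspera/sudo/async and /opt/aspera/sudo/ascp with owner asp1, and path_order_ok against the PATH that asp1's non-interactive shell actually exports.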