Configuring Bitvise SSH Server (WinSSHD) as the SSH service for Aspera Server Products

IN THIS ARTICLE:

  1. Install Aspera server software
  2. Install WinSSHD
  3. Configure Windows Firewall for Aspera transfers
  4. Configure Bitvise SSH Server (WinSSHD) server policies
  5. Configure user accounts
  6. Add a Domain Group
  7. Configure server policies by domain group or user in the Enterprise Server GUI
  8. Display your mounted drives on Enterprise Server
  9. Configure user/group for Public Key Authentication

Overview

Aspera server products running on Windows will by default install OpenSSH, which is a third-party component used to authenticate Aspera FASP transfers. In most cases OpenSSH is more than adequate for this purpose, but there are some rare cases where an alternative SSH server is required. These include but are not limited to:

  • The need to automatically log on to a Windows CIFS share, enabling caching of user credentials for the share
  • Enabling authentication by Windows group

We strongly recommend that you contact Aspera before changing the SSH server on your machine.

Bitvise SSH Server (WinSSHD) can be used in place of the OpenSSH service that is pre-installed with the Aspera Server products (Enterprise Server and Connect Server) as an alternative, fully-featured SSH service. This document overviews how to configure it for use with the Aspera products, and highlights key security features.

Environment

  • Product: Enterprise Server 3.0 or above
  • Operating System: Windows
  • Bitvise SSH Server (WinSSHD): 6.07 or above

1. Install Aspera server software

If you have already installed the Aspera Server software on your machine, proceed to Step 1.2. If you have not yet installed it, proceed to Step 1.1.

1.1 Download and install the Aspera Server product of your choice. When installing the software, make sure that OpenSSH is not installed: once you have started the installation, click Custom, then click SSH Server and select Entire feature will be unavailable. Proceed to Step 2.

[Screenshot: one.jpg]

1.2 After installing the Aspera server product, navigate to Control Panel > Administrative Tools > Services. Find the entry OpenSSH Service, right-click it and select Properties. In the General tab, change the Start-up type from Automatic to Disabled.

[Screenshot: two.jpg]

2. Install WinSSHD

Download and install Bitvise SSH Server (WinSSHD) from the Bitvise web site. If you are installing Bitvise SSH Server (WinSSHD) as part of an Aspera evaluation, Bitvise provides a 30-day free trial.

2.1 Installation

Start the installation from the file you downloaded from the Bitvise website:

[Screenshot: three.jpg]

When prompted, select the Standard installation:

[Screenshot: 4.jpg]

Bitvise SSH Server (WinSSHD) should now be installed on your machine. The Bitvise SSH Server (WinSSHD) control panel will launch on your screen.

For further documentation on Bitvise SSH Server (WinSSHD) please see the Bitvise website.


3. Configure Windows Firewall for Aspera transfers

Check if your Windows Firewall is enabled or disabled by going to Control Panel > Windows Firewall.

If Windows Firewall on your machine is disabled you can ignore this step and proceed to Step 4. If Windows Firewall is turned on, or you wish to use Windows Firewall on your server, it is easy to configure the ports required by Aspera. Please refer to the article Configuring Windows Firewall to Enable Aspera FASP Transfers.

4. Configure Bitvise SSH Server (WinSSHD) server policies

4.1 Launch the Bitvise SSH Server (WinSSHD) Control Panel from the Programs menu, if it is not already running.

In the main Server tab, choose the Advanced Bitvise SSH Server (WinSSHD) Settings. On the Settings tree, under Server, select Bindings and UPnP. Edit the existing rule and set the Listening Port to 33001 (or whatever TCP port you have chosen).

[Screenshot: 5.jpg]

4.2 Should you later wish to change the SSH port on which Bitvise SSH Server (WinSSHD) listens, simply go back to the Bitvise SSH Server (WinSSHD) control panel and select Bindings and UPnP. Click Edit and change the listening port to the required port number.

4.3 If your Windows Firewall is disabled, please proceed to Step 5. If it is enabled, click Windows Firewall in the Bitvise SSH Server (WinSSHD) control panel and ensure SSH Ports and Forwarded ports are set to Do not change Windows Firewall settings:

[Screenshot: 6.jpg]

5. Configure user accounts

Bitvise SSH Server (WinSSHD) allows three types of user accounts to authenticate securely over SSH: Virtual Accounts (which have no meaning to the Windows OS), Local Windows accounts, and Domain Windows accounts.

To add an account go to Windows Accounts and click Add.

5.1 Add a Single Windows Domain Account

Under Windows account domain, enter the domain name for the user account (either the short name, e.g. COMPANY, or the fully qualified name, e.g. COMPANY.COM). Under Windows account name, enter the user name.

5.2 Add a Local Windows Account
Leave the Windows Domain field blank and simply enter the Windows account name. Proceed to 5.3.

5.3 Set Default Terminal Shell to Aspera Shell
Uncheck the Use default terminal shell option, which reveals a browse dialog box. Browse to and select the Aspera shell, Program Files\Aspera\Enterprise Server\bin\aspshell.exe. The aspshell restricts all file system operations for the user, such as listing directory contents and uploading and downloading files, to what the Aspera server configuration permits.

5.4 Set Exec Request Prefix to Aspera Shell
Under Exec Request Prefix put:

 Program Files\Aspera\Enterprise Server\bin\aspshell.exe -c 

Note: The Default Initial Directory is not meaningful for Aspera transfers and should be left at the default value (%HOME%). The Aspera server software will enforce the document root configured for the user, and has no relation to this setting.

For other settings please refer to the screenshot below:

[Screenshot: 7.png]

5.5 Set Logon Type (depending on your security policies)
If the user account does not have the right to “Log on locally”, you will need to change the Logon Type from Interactive to Network. The default Interactive logon type grants a user identical Windows permissions as if the user had logged on directly to the server from a keyboard. Login with this logon type will fail if the user does not have the right to “Log on locally” configured in the Windows security policy for the server. On domain controllers, this right is typically only granted to administrators (but it is granted to all users in the default Windows configuration). The Network logon type will work when the user does not have the right to “Log on locally”, and is sufficient for all Aspera transfer and remote file browsing operations. We recommend using Interactive logon for users with roaming profiles.

6. Add a Domain Group

The procedure for enabling all users in a domain group to log in is identical to enabling a single user. Simply enter the group name in place of the individual user name.

6.1 Under Windows account domain, enter the domain name for the group (either the short name (SUP) or the fully qualified name (sup.asperasoft.lab)). Under Windows group, enter the group name.

Note: Make certain to delete the entry for Everyone, or edit it to disable login access (unless you actually want all users in the Everyone group to be able to log in).

6.2 Set the Default Terminal Shell to the ‘Program Files\Aspera\Enterprise Server\bin\aspshell.exe’ executable and the Exec Request Prefix to:

Program Files\Aspera\Enterprise Server\bin\aspshell.exe -c

Finally, you must add the domain name to the Domain Order, e.g. SUP or sup.asperasoft.lab as in our example. This is necessary for authentication through the Aspera tools to work properly, and is not optional.

6.3 Set Logon Type (Depending on your security policies)
If the user account does not have the right to “Log on locally”, you will need to change the Logon Type from Interactive to Network. The default Interactive logon type grants a user identical Windows permissions as if the user had logged on directly to the server from a keyboard. Login with this logon type will fail if the user does not have the right to “Log on locally” configured in the Windows security policy for the server. On domain controllers, this right is typically only granted to administrators (but it is granted to all users in the default Windows configuration). The Network logon type will work when the user does not have the right to “Log on locally”, and is sufficient for all Aspera transfer and remote file browsing operations. We recommend using Interactive logon for users with roaming profiles.

[Screenshots: 1111.jpg, 1112.jpg, 1113.jpg]

For other settings please refer to the pictures above.

7. Configure server policies by Domain Group or user in the Enterprise Server GUI

This step is only needed if you need to set up document roots (or any other server-side policies) per group or per user for accounts that authenticate through Bitvise SSH Server (WinSSHD). For example, if you need to restrict the area of the file system that a logged-in user can browse or transfer to and from, you will need to configure a document root for the user. This can also be done once for a whole group if the docroots for all users in the group are within a common area. The same approach applies to all group or user configuration options in the various tabs (Authorization, Bandwidth, File Handling, Docroot). We use the Docroot (“docroot”) as the example.

For example, if the document roots for each user in a domain are within C:/Data/[user], you will need to set a document root entry in the Aspera Enterprise Server GUI using the value C:\Data\$(user). Launch the Enterprise Server GUI and click Configuration to open the configuration panel. Under Groups, add a new group, e.g. KING\Domain Users. Click the Docroot tab in the series of tabs on the right, and click the Override option for the Absolute Path setting. Type in the value for the docroot, e.g. C:\data\$(user). Now when a user in Domain Users, e.g. sup\xfer, connects to the server, he or she will be placed in the directory C:\data\xfer.
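The docroot is the boundary that actually confines a transfer user, which is why the Bitvise Default Initial Directory does not matter. The Python below is an added model of the two behaviours this step relies on, not Aspera code or part of the article: the $(user) token expanding to the bare account name of a DOMAIN\user login, and every client-supplied path being kept inside that docroot. The function names, the user@domain handling and the exact containment rule are my assumptions; the article only states that sup\xfer lands in C:\data\xfer. It uses ntpath so the Windows path semantics can be checked on any platform.

```python
import ntpath

# Added illustration of docroot templating and containment; the function
# names and the user@domain handling are assumptions, not Aspera behaviour.


def bare_username(login: str) -> str:
    """Reduce a qualified login to the account name substituted for $(user).

    'sup\\xfer' -> 'xfer' is the form the article shows; as an extension,
    'xfer@sup.asperasoft.lab' -> 'xfer'. A plain name is returned unchanged.
    """
    if "\\" in login:
        return login.rsplit("\\", 1)[1]
    if "@" in login:
        return login.split("@", 1)[0]
    return login


def expand_docroot(template: str, login: str) -> str:
    """Expand the $(user) token in a docroot template for one login."""
    return ntpath.normpath(template.replace("$(user)", bare_username(login)))


def resolve_under_docroot(docroot: str, requested: str) -> str:
    """Map a client-supplied path into the docroot or raise PermissionError.

    The request is always treated as relative to the docroot: any drive or
    leading separator the client sent is dropped, '..' segments are collapsed
    by ntpath.normpath, and the result must still lie inside the docroot.
    The comparison is case-insensitive (as on NTFS) and includes a trailing
    separator so that 'C:\\Data\\xfer2' is not mistaken for a child of
    'C:\\Data\\xfer'.
    """
    root = ntpath.normpath(docroot)
    root_prefix = root if root.endswith("\\") else root + "\\"
    rel = ntpath.splitdrive(requested)[1].lstrip("\\/")
    full = ntpath.normpath(ntpath.join(root, rel))
    inside = (full.lower() == root.lower().rstrip("\\")
              or full.lower().startswith(root_prefix.lower()))
    if not inside:
        raise PermissionError(f"{requested!r} resolves outside docroot {root!r}")
    return full


if __name__ == "__main__":
    docroot = expand_docroot(r"C:\Data\$(user)", r"sup\xfer")
    print(docroot)                                           # C:\Data\xfer
    print(resolve_under_docroot(docroot, "in/report.csv"))   # C:\Data\xfer\in\report.csv
    try:
        resolve_under_docroot(docroot, r"..\other\secret.txt")
    except PermissionError as exc:
        print("rejected:", exc)
```

The containment test is done on the normalised result rather than by scanning the request for ".." strings: a path such as in\..\..\other normalises to a location outside the docroot and is rejected, while in\..\in\report.csv normalises back inside and is allowed.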


8. Display your mounted drives on Enterprise Server

Open Bitvise SSH Server. In the main Server tab, choose the Advanced Bitvise SSH Server (WinSSHD) settings.

Under Access Control, click Windows accounts. Click Add to add a domain account for your transfer user. Under Session setup, click Windows file shares.

From here you can add a share for each location your user will access, and specify a mount drive for each UNC path. Click Add to add a share.

Enter the path to the remote directory, and select Map to local drive and Must use this drive. Select the appropriate Local drive:

[Screenshot: bitvise1.jpg]

Now, the drive will be available in the Enterprise Server GUI:

[Screenshot: bitvise2.jpg]

9. Configure user/group for Public Key Authentication

If you want to use Aspera public key authentication with other Aspera products such as Shares or Faspex, you need to import the Aspera public key into WinSSHD.

Locate the Aspera public key and copy it to your Desktop so that you can edit it. The Aspera public key is usually in the var folder of your Aspera installation:

Note: Enterprise / Connect Server: C:\Program Files (x86)\Aspera\Enterprise Server\var\aspera_id_dsa.pub
Point-To-Point: C:\Program Files (x86)\Aspera\Point-To-Point\var\aspera_id_dsa.pub

Edit the copied file to remove the leading options (commands) that WinSSHD does not accept: delete everything before the ssh-* key type and save the file. The result should look like the picture below.

Now open the WinSSHD settings editor, go to your User or Group settings and click Authentication.

Verify that Public key authentication is set to Allow and that Allow public key management is checked, as in the picture below.

Click Public keys to open the import window, click Import and choose the file you have just modified. After the import, the Public keys management window should look like the following picture.

Click Close until you close all windows. Now you can use Aspera Public Key to authenticate.
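The edit described above (keep only the part of the line from the ssh-* key type onwards) is easy to get wrong by hand when the option prefix contains a quoted value with spaces, and a mis-trimmed key will simply fail to import or to authenticate. The Python below is an added example, not part of the article or of Aspera's or Bitvise's tooling: it performs the trim programmatically, honouring quotes, and then checks that the remaining key is well-formed by comparing the key type in the text with the one encoded inside the base64 blob. The sample line and its blob are constructed for the demonstration (the blob is filler, not real key material), the function names are my own, and the prefix list also covers ecdsa-sha2-* keys, which the article's "ssh-*" wording does not.

```python
import base64
import struct

# Key-type prefixes used in OpenSSH public key files. The article says
# "ssh-*"; ECDSA and FIDO keys use other prefixes, so they are listed too.
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-sha2-", "sk-")


def is_key_type(token: str) -> bool:
    """True if token looks like the key-type field of a public key line."""
    return token.startswith(KEY_TYPE_PREFIXES)


def strip_key_options(line: str) -> str:
    """Return the bare '<type> <base64> [comment]' part of an OpenSSH key line.

    Leading authorized_keys-style options (e.g. command="...",no-pty) are
    walked token by token, honouring double quotes and backslash escapes so a
    quoted value containing spaces is skipped as one token. Parsing stops at
    the first token that is a key type; everything from there on is returned.
    """
    line = line.strip()
    i, n = 0, len(line)
    while i < n:
        while i < n and line[i].isspace():      # skip separators
            i += 1
        start, in_quote = i, False
        while i < n and (in_quote or not line[i].isspace()):
            ch = line[i]
            if ch == "\\" and in_quote and i + 1 < n:
                i += 2                            # escaped char inside quotes
                continue
            if ch == '"':
                in_quote = not in_quote
            i += 1
        if in_quote:
            raise ValueError("unterminated quote in key options")
        if is_key_type(line[start:i]):
            return line[start:]
    raise ValueError("no ssh-*/ecdsa-sha2-* key type found on the line")


def validate_public_key(bare: str) -> str:
    """Sanity-check a bare key line and return its key type.

    Decodes the base64 blob and checks that the key type encoded inside it
    (the first length-prefixed string of the SSH wire format) matches the
    textual type field, which catches a line trimmed at the wrong place.
    """
    parts = bare.split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, blob_b64 = parts[0], parts[1]
    try:
        blob = base64.b64decode(blob_b64, validate=True)
    except ValueError as exc:
        raise ValueError(f"key blob is not valid base64: {exc}") from exc
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (length,) = struct.unpack(">I", blob[:4])
    inner = blob[4:4 + length].decode("ascii", errors="replace")
    if inner != key_type:
        raise ValueError(f"type mismatch: field says {key_type!r}, blob says {inner!r}")
    return key_type


def constructed_blob(key_type: str, payload: bytes) -> str:
    """Build a base64 blob whose wire format starts with key_type.

    Constructed for this demonstration only: the payload is filler, not key
    material, so the result is NOT a usable public key.
    """
    raw = struct.pack(">I", len(key_type)) + key_type.encode("ascii") + payload
    return base64.b64encode(raw).decode("ascii")


# Constructed sample: an options prefix whose quoted value contains spaces,
# followed by a fake DSA key line of the shape Bitvise expects to import.
SAMPLE_LINE = (
    'command="C:\\Tools\\wrapper.exe --quiet",no-pty,no-port-forwarding '
    "ssh-dss " + constructed_blob("ssh-dss", b"\x00\x00\x00\x01\x05") + " aspera_id_dsa"
)

if __name__ == "__main__":
    bare = strip_key_options(SAMPLE_LINE)
    print("import this line into Bitvise:", bare)
    print("key type verified as", validate_public_key(bare))
```

Run it against the copied .pub file and paste the printed line into a new file for the Import step; the validation error messages tell you whether the trim point or the key body is at fault.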

