This document describes a problem often encountered while integrating Aspera technologies into a browser-based application using the JavaScript APIs.

The issue arises when using the JavaScript API, primarily where one would submit a FASP URL or a transfer_spec JSON object to one of the JavaScript functions to start a transfer. Once a function is called, the Aspera Connect Client prompts the user for a username and password to establish the connection with the Aspera Connect Server. This is often undesirable because the user trying to perform the transfer has already logged into the application by providing a username and password. It is also a bigger problem than a subpar user experience, because the username and password required by Aspera Server are not the same as those for the application.

Solution

All Aspera software uses SSH for authentication, and all Aspera credentials are essentially SSH credentials. Because of this, Aspera software supports the two authentication methods of SSH:

  • Username and Password
  • Public and Private Keys

It is possible to tell Aspera Connect which of these mechanisms it should use for authentication. If you are using Aspera Connect 2.8+, you can use the "authentication" attribute in the transfer_spec JSON object. Setting it to PASSWORD causes Connect Client to prompt for a username and password; setting it to TOKEN causes Connect Client to use key-based authentication and not prompt for a username and password. If you are using Aspera Connect 2.7, you can use the optional FASP URL parameter "auth". Setting auth to YES causes Connect Client to prompt for a username and password; setting it to NO causes Connect Client to use key-based authentication and not prompt for a username and password.

In SSH key-based authentication, the client uses a private key to connect to the server, and the server already has the public key corresponding to that private key installed. With the Aspera Connect Client there is no way to specify the private key to be used for key-based authentication; Connect Client always uses the same private key, which is installed by the Connect Client installer. The public key corresponding to that private key is installed by the Aspera Connect Server installer (aspera_id_dsa.pub). This means that for SSH key authentication to work, the public key must be set up on the server, which can be done by:

  • Determining the user that will need to connect to Aspera Server using SSH keys.  This is usually the username specified in the FASP URL or in the "remote_user" attribute of the transfer_spec JSON object.
  • Once you know the user, create a directory called ".ssh" in the home directory of that user on the server.  This would normally be located in one of the following directories, depending on your OS (note: you may need to use a command prompt or terminal to create these directories):
    • Windows XP/2003 and earlier: C:\Documents and Settings\asperaweb\.ssh
    • Windows Vista/2008 and newer: C:\Users\asperaweb\.ssh
    • Macintosh: /Users/asperaweb/.ssh
    • Linux: /home/asperaweb/.ssh
  • Once you have the directory created, copy the contents of the file aspera_id_dsa.pub to a file named "authorized_keys" inside the .ssh folder.  The file aspera_id_dsa.pub can usually be found in one of the following directories, depending on your OS:
    • Windows (Enterprise Server): C:\Program Files\Aspera\Enterprise Server\var
    • Windows (Point-to-Point): C:\Program Files\Aspera\Point-to-Point\var
    • Macintosh: /Library/Aspera/var
    • Linux: /opt/aspera/var
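
The steps above for a Linux server, as an added example that is not part of the original article. The function name install_connect_key is hypothetical; the paths in the usage comment are the Linux locations listed above. It appends the key instead of overwriting authorized_keys, and sets the restrictive permissions sshd expects on these files.

```shell
#!/bin/sh
# Added example (not Aspera's own tooling): install the Connect public key
# for one transfer user. Run it as that user so the files are owned by the
# account, for example:
#   sudo -u asperaweb sh -c '. ./install_connect_key.sh; \
#       install_connect_key /home/asperaweb /opt/aspera/var/aspera_id_dsa.pub'

# install_connect_key HOME_DIR PUBKEY_FILE   (hypothetical helper name)
install_connect_key() {
    home_dir=$1
    pubkey=$2
    ssh_dir="$home_dir/.ssh"
    auth_keys="$ssh_dir/authorized_keys"

    [ -d "$home_dir" ] || { echo "no such home directory: $home_dir" >&2; return 1; }
    [ -s "$pubkey" ]   || { echo "public key missing or empty: $pubkey" >&2; return 1; }

    # With StrictModes (the sshd default), keys are ignored when .ssh or
    # authorized_keys is writable by group or others, so lock both down.
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir" || return 1
    touch "$auth_keys" && chmod 600 "$auth_keys" || return 1

    # Append each key line only if it is not already present. This keeps any
    # keys the account already trusts and makes repeated runs harmless.
    while IFS= read -r line || [ -n "$line" ]; do
        [ -n "$line" ] || continue
        grep -qxF -- "$line" "$auth_keys" || printf '%s\n' "$line" >> "$auth_keys"
    done < "$pubkey"
}
```

Because every Connect Client ships the same private key, the account that receives this public key should be a dedicated transfer user and should have no other use.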

Warning

Bypassing authentication using SSH keys can create a security vulnerability.  Anyone who can generate a FASP URL or a transfer_spec JSON object and has the username for which the keys are set up will be able to perform transfers to the Aspera Connect Server.  To block this vulnerability, it is recommended that Token Based Authentication be used whenever authentication is bypassed using SSH keys.
