Error code 19: failed to authenticate

Description

Error 19 is a FASP management error code that refers to authentication failures.

Because Aspera transfers authenticate through SSH, this error specifically indicates an SSH authentication failure, most likely involving credentials.

The SSH credentials of a transfer user are the username and password of a system user on the machine with the transfer server. Alternatively, SSH credentials can consist of public and private keys which allow for authentication without inputting a password.

Examples of this error

This error can manifest itself in several ways, including in the GUI application for your server, the command line if you’re transferring with ascp, and in the transfer log file.

GUI

When trying to connect to a server with invalid credentials (such as improperly configured SSH keys), you may receive an “Authentication failed” error window.


ascp command line

After attempting to run an ascp command to transfer to or from a server, invalid credentials would result in the following error message:

ascp: failed to authenticate, exiting.

Session Stop  (Error: failed to authenticate)


Log file

The aspera-scp-transfer.log file records helpful information for each attempted transfer, labelled by the date and time attempted. For a reference of the location of this log file on your system, please see this article (Where are the Client or Server logs located?).

A sample of what would be logged for a failed transfer with error code 19 is the following:

2015-09-15 14:10:39 [59c-00001c80] ERR [ascp] SSH authentication failed
2015-09-15 14:10:39 [59c-00001c80] ERR failed to authenticate
2015-09-15 14:10:39 [59c-000023c8] LOG FASP Session Start uuid=ff820f21-f00f-4ab5-ab7e-ceba3a18a81c op=send
status=failed errcode=19 errstr="Authentication failure"
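
To pull these failures out of aspera-scp-transfer.log for monitoring, the following added example (not part of the original article or of Aspera's tooling) lists every session that ended with errcode=19. The function name auth_failures is an assumption, as is the rule that a line not starting with a timestamp continues the previous entry, as in the sample above.

```shell
#!/bin/sh
# Added example: list FASP sessions that failed with error code 19.
# Reads the transfer log from the named files, or from stdin if none given.
# Output: one line per failed session: DATE TIME UUID OPERATION

auth_failures() {
    awk '
    # Print the buffered record if it is an errcode=19 session, then reset.
    function emit(   n, f, i, uuid, op) {
        if (rec ~ /errcode=19( |$)/) {
            n = split(rec, f, " ")
            uuid = "-"; op = "-"
            for (i = 1; i <= n; i++) {
                if (f[i] ~ /^uuid=/) uuid = substr(f[i], 6)
                if (f[i] ~ /^op=/)   op   = substr(f[i], 4)
            }
            print f[1], f[2], uuid, op
        }
        rec = ""
    }
    # A leading YYYY-MM-DD timestamp starts a new record.
    /^[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9] / { emit(); rec = $0; next }
    # Anything else is a continuation of the current record.
    { rec = rec " " $0 }
    END { emit() }
    ' "$@"
}

# Run directly: sh auth_failures.sh /path/to/aspera-scp-transfer.log
if [ $# -ge 1 ]; then auth_failures "$@"; fi
```

A burst of lines from this output in a short time window is worth correlating with the SSH daemon's own authentication log on the server.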

Troubleshooting

General

If you are authenticating to the transfer server with a password, check that the username and password are valid. The username and password must be that of an existing system user account on the server machine.

If you are authenticating with SSH keys, make sure they have been installed properly. You must have created a public-private key pair, and installed the private key at the appropriate location on your local machine. The public key must in turn be installed at the appropriate location on the server machine, which likely would be done by the machine’s server administrator.

You can double check your server connection details in the GUI by clicking the Connections button and selecting the server on the left. Ensure that the proper method of authentication is selected, and either fill in the correct password or choose the correct public key. You can click Test Connection to verify your credentials.

If you are using SSH keys via the command line, make sure you are referencing the correct path to the private key with the -i option:

ascp -i /path/to/private/key file1 janedoe@10.0.201.74:/

Faspex

If you receive this error while using Faspex, try the following troubleshooting measures on the machine with Faspex's transfer server:

1. Make sure SELinux is disabled. For instructions on how to disable SELinux, see this Knowledge Base article.

2. (Linux and Mac OS X systems) Check the permissions of the following directories:

Linux

  • /home
  • /home/faspex
  • /home/faspex/.ssh

Mac

  • /Users
  • /Users/faspex
  • /Users/faspex/.ssh

These directories must allow the user read, write and execute permissions. The faspex and .ssh folders should specifically be set to a permission of 700, for example:

Linux
# ls -l /home

Mac
# ls -l /Users
drwx------. 4 faspex faspex 39 Oct  2 21:03 faspex

If you find that the permissions differ, change them with the following command:

Linux
# chmod 700 /home/faspex

Mac
# sudo chmod 700 /Users/faspex

3. Ensure that the faspex directory has a .ssh sub-directory that contains the file authorized_keys:

Linux
# ls -l /home/faspex/.ssh
-rw------- 1 faspex faspex 700 Oct  2 21:03 authorized_keys

Mac
# ls -l /Users/faspex/.ssh
-rw------- 1 faspex faspex 700 Oct  2 21:03 authorized_keys

On Windows, navigate to the folder via the GUI and provide Administrator credentials to check.

For Linux and Mac, you should also check that this file is owned by faspex and assigned to the faspex group, as in the example above. If faspex is not the owner and group, you can make it so with the following command:

# sudo chown -R faspex:faspex /home/faspex/.ssh/authorized_keys

4. Check that the Connect public SSH key, not the private key, is in the authorized_keys file. The public key is found at the following location:

  • Windows: "C:\Program Files (x86)\Aspera\Enterprise Server\var\aspera_id_dsa.pub"
  • Linux: /opt/aspera/var/aspera_id_dsa.pub
  • Mac: /Library/Aspera/var/aspera_id_dsa.pub

5. Make sure the correct SSL certificate is in the appropriate location. For example, the location of the SSL certificate for Node API communication is defined in the aspera.conf file, in the <server> section such as the following:

<cert_file>
   /opt/aspera/etc/aspera_server_cert.pem
</cert_file>

6. Check that the authentication configuration on the faspex transfer user is set to token, not allow, for both incoming and outgoing traffic.

The easiest way to check is via the command line with asconfigurator, a tool that edits and displays the configurations in aspera.conf.

Use the following command to see what the faspex transfer user's authentication is set to:

# asconfigurator -x "get_user_data;user_name,faspex" | grep "authorization.*value"
"user","faspex","authorization_transfer_in_value","token","AS_NULL","AS_NULL","AS_NULL","allow"
"user","faspex","authorization_transfer_out_value","token","AS_NULL","AS_NULL","AS_NULL","allow"

In the above example, the incoming and outgoing traffic are both set to token as expected. If they are set to anything other than token, you can reconfigure them with asconfigurator:

# asconfigurator -x "set_user_data;user_name,faspex;authorization_transfer_in_value,token"
# asconfigurator -x "set_user_data;user_name,faspex;authorization_transfer_out_value,token"

7. (Linux and Mac OS X systems) Ensure that the shell for user faspex is set to aspshell.

For more details on how to do so, see step 4 of this Knowledge Base article.

Shares

If you receive this error while using Shares, try the following troubleshooting measures on the offending node machine:

1. Make sure SELinux is disabled. For instructions on how to disable SELinux, see this Knowledge Base article.

2. (Linux and Mac OS X systems) Check the permissions of the following directories, where transfer_user is the transfer user set up for Shares:

Linux

  • /home
  • /home/transfer_user
  • /home/transfer_user/.ssh

Mac

  • /Users
  • /Users/transfer_user
  • /Users/transfer_user/.ssh

These directories must allow the user read, write and execute permissions. The transfer_user home folder and .ssh folder should specifically be set to a permission of 700, for example:

Linux
# ls -l /home

Mac
# ls -l /Users
drwx------   4 asp1   asp1     85 Oct 14 17:51 asp1

If you find that the permissions differ, change them with the following command:

Linux
# chmod 700 /home/transfer_user

Mac
# sudo chmod 700 /Users/transfer_user

3. Ensure that the transfer_user home directory has a .ssh sub-directory that contains the file authorized_keys:

Linux
# ls -l /home/transfer_user/.ssh
-rw------- 1 transfer_user transfer_user 700 Oct  2 21:03 authorized_keys

Mac
# ls -l /Users/transfer_user/.ssh
-rw------- 1 transfer_user transfer_user 700 Oct  2 21:03 authorized_keys

On Windows, navigate to the folder via the GUI and provide Administrator credentials to check.

For Linux and Mac, you should also check that this file is owned by the transfer_user and assigned to the transfer_user group, as in the example above. If your transfer_user is not the owner and group, you can make it so with the following command:

# sudo chown -R transfer_user:transfer_user /home/transfer_user/.ssh/authorized_keys

4. Check that the Connect public SSH key, not the private key, is in the authorized_keys file. The public key is found at the following location:

  • Windows: "C:\Program Files (x86)\Aspera\Enterprise Server\var\aspera_id_dsa.pub"
  • Linux: /opt/aspera/var/aspera_id_dsa.pub
  • Mac: /Library/Aspera/var/aspera_id_dsa.pub
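
Steps 2 to 4 of the Faspex and Shares checklists can be run as one audit. The script below is an added example, not Aspera's own tooling; the function name audit_transfer_user and its three arguments (home directory, expected owner:group, path to the Connect public key) are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit steps 2-4 for one transfer user.
# usage: audit_transfer_user HOME_DIR OWNER:GROUP CONNECT_PUBKEY
# Prints one finding per line; no output means every check passed.

# GNU stat (Linux) first, BSD stat (Mac OS X) as fallback.
mode_of()  { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null; }
owner_of() { stat -c '%U:%G' "$1" 2>/dev/null || stat -f '%Su:%Sg' "$1" 2>/dev/null; }

audit_transfer_user() {
    home=$1; want_owner=$2; pub=$3
    ak="$home/.ssh/authorized_keys"

    # Step 2: the home directory and .ssh must both be mode 700.
    for d in "$home" "$home/.ssh"; do
        if [ ! -d "$d" ]; then echo "MISSING directory $d"; continue; fi
        m=$(mode_of "$d") || m="unknown"
        if [ "$m" != 700 ]; then echo "MODE $d is $m, expected 700"; fi
    done

    # Step 3: authorized_keys must exist and belong to the transfer user.
    if [ ! -f "$ak" ]; then echo "MISSING file $ak"; return 0; fi
    o=$(owner_of "$ak") || o="unknown"
    if [ "$o" != "$want_owner" ]; then
        echo "OWNER $ak is $o, expected $want_owner"
    fi

    # Step 4a: private key material must never be in authorized_keys.
    if grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$ak"; then
        echo "PRIVATE key material found in $ak"
    fi

    # Step 4b: the Connect public key must be listed. Compare the base64
    # blob (field 2 of the .pub file) so options and comments do not matter.
    blob=$(awk 'NF >= 2 { print $2; exit }' "$pub" 2>/dev/null) || blob=""
    if [ -z "$blob" ]; then
        echo "UNREADABLE public key $pub"
    elif ! grep -q -F -- "$blob" "$ak"; then
        echo "ABSENT key from $pub is not in $ak"
    fi
    return 0
}

# Run directly, for example:
#   sh audit.sh /home/faspex faspex:faspex /opt/aspera/var/aspera_id_dsa.pub
if [ $# -eq 3 ]; then audit_transfer_user "$@"; fi
```

Run it as root or with sudo on the transfer server, since the 700 permissions it checks for prevent other users from reading the .ssh directory.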