SSH access - ATNF specifics - Australia Telescope National Facility

We have made a change to how we provide SSH access.
The change was made on Tuesday 1 July 2025 (UTC+1000).

The change is being introduced to improve security and better align with Australian Government requirements.

What’s changing

The changes will apply only to our external gateway machines:

venice.atnf.csiro.au
orion.atnf.csiro.au

Instead of users being able to log in with a password or a SSH key,
we are going to require users to use both a password and a SSH key.

This will apply to all users (staff, students and visitors), when they connect to orion or venice from a network outside of CSIRO. This will not apply to people connecting via CSIRO VPN.

This will introduce some complexity, which this page will help you to address.

Why the change

We need to have some kind of multi-factor authentication in place to comply with Australian Government requirements.

Next steps

Key-based logins: Everyone will need to set up a SSH key for login.
Change to password+key authentication
(optional) Changes to your personal SSH configuration

The instructions below are mainly aimed at users of UNIX-like operating systems (e.g. Linux, MacOS) . We have some brief notes for users of other systems.

Key-based logins

Most people will have done this already. If you haven’t, you will need some administrative help.

After 1 July 2025, you will need to email us, attaching your public key (and only the public key) to get this part of the setup completed.

Password + key authentication

Once this has been turned on, the login process looks like this:

laptop$ ssh abc123@venice.atnf.csiro.au
Enter passphrase for key ~/.ssh/id_ed25519:
abc123@venice.atnf.csiro.au's password:
venice%

The first prompt is for the passphrase to unlock your private key, located on your computer. (If there are no keys in the default location, you won’t see that prompt – and won’t be able to log in.) The second prompt is for the password on venice.

We can streamline this further with some configuration changes, described below.

Configuration changes (optional)

Note that this applies on your personal machine, not on venice or orion.
Add these lines to your ~/.ssh/config and remove any other lines that refer to ATNF hosts.

  Host venice.atnf.csiro.au
    ControlMaster auto
    ControlPath ~/.ssh/socket-%C
    # use this if your SSH version is < 6.9
    #ControlPath ~/.ssh/socket-%L-%r@%h:%p
    ServerAliveInterval  15
    ServerAliveCountMax  3

  Host *.atnf.csiro.au !venice.atnf.csiro.au
    ProxyJump venice.atnf.csiro.au

What’s going on:

The ControlMaster and ControlPath options tells SSH to set up a special ‘socket’ file that is used to channel all subsequent sessions through. The ServerAlive* options are unrelated, but useful to have.
The ProxyJump options are what tell SSH to pass later ssh connections to any ATNF machines through the special ‘socket’ file.
By default ssh looks in a specific directory (~/.ssh) for your keys and its configuration file. It’s important to get the file and directory permissions right. ssh will refuse to work if you have the permissions set too liberally.

With these config options in place, you should be able to make an initial connection that requires password and key, but subsequent connections, made from different terminal windows, can reuse that first connection.

For example:

terminal1$ ssh-add ~/.ssh/id_ed25519   #load your SSH key into ssh-agent/keychain
Enter passphrase for id_ed25519:

terminal1$ ssh venice.atnf.csiro.au
abc123@venice's password:
venice%

Then, in another window:

terminal2$ ssh venice.atnf.csiro.au
venice%

What’s going on:

In the first terminal, we open our first session to venice.atnf.csiro.au. This sets up the special socket.
In the second terminal, we open a new session, that logs in using the socket.

If the first connection is closed, the other connections will be closed as well.

Non-UNIX operating systems

Windows

Windows 10 and later comes with a SSH client program (ssh.exe). There is also the well-known PuTTY program, available for free. Both have support for password+key authentication, but unfortunately do not support the ControlPath feature mentioned above. Another option is Windows Subsystem for Linux, which does support that feature.

Android

We recommend ‘ConnectBot’ or ‘Termius’. Both are available for free, but watch out for default settings that select a ‘paid subscription’ mode.

iOS

The only suitable free option we have found so far is ‘Termius’.

SSH access – ATNF specifics