We are making a change to how we provide SSH access.
The change will occur on Tuesday 1 July 2025 (UTC+1000).
The change is being introduced to improve security and better align with Australian Government requirements.
What’s changing
The changes will apply only to our external gateway machines:
- venice.atnf.csiro.au
- orion.atnf.csiro.au
Instead of users being able to log in with a password or a SSH key, we are going to require users to use both a password and a SSH key.
This will apply to all users (staff, students and visitors), when they connect to orion or venice from a network outside of CSIRO. This will not apply to people connecting via CSIRO VPN.
This will introduce some complexity, which this page will help you to address.
Why the change
We need to have some kind of multi-factor authentication in place to comply with Australian Government requirements.
Next steps
- Key-based logins: Everyone will need to set up a SSH key for login.
- Change to password+key authentication
- (optional) Changes to your personal SSH configuration
The instructions below are mainly aimed at users of UNIX-like operating systems (e.g. Linux, macOS). We have some brief notes for users of other systems.
Key-based logins
Most people will have done this already. We recommend you get this working before the change occurs.
Password + key authentication
Once this has been turned on, the login process looks like this:
laptop$ ssh abc123@venice.atnf.csiro.au
Enter passphrase for key ~/.ssh/id_ed25519:
abc123@venice.atnf.csiro.au's password:
venice%
The first prompt is for the passphrase to unlock your private key, located on your computer. (If there are no keys in the default location, you won’t see that prompt – and won’t be able to log in.) The second prompt is for the password on venice.
We can streamline this further with some configuration changes, described below.
Configuration changes (optional)
Note that this applies on your personal machine, not on venice or orion.
Add these lines to your ~/.ssh/config and remove any other lines that refer to ATNF hosts.
Host venice.atnf.csiro.au
    ControlMaster auto
    ControlPath ~/.ssh/socket-%C
    # use this if your SSH version is < 6.9
    #ControlPath ~/.ssh/socket-%L-%r@%h:%p
    ServerAliveInterval 15
    ServerAliveCountMax 3
Host *.atnf.csiro.au !venice.atnf.csiro.au
    ProxyJump venice.atnf.csiro.au
What’s going on:
- The ControlMaster and ControlPath options tell SSH to set up a special ‘socket’ file through which all subsequent sessions are channelled. The ServerAlive* options are unrelated, but useful to have.
- The ProxyJump option is what tells SSH to pass later ssh connections to any other ATNF machine through venice, and therefore through the special ‘socket’ file.
- By default ssh looks in a specific directory (~/.ssh) for your keys and its configuration file. It’s important to get the file and directory permissions right. ssh will refuse to work if you have the permissions set too liberally.
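The permission rules mentioned above can be checked with a short script. This is an added example, not part of the original instructions: the function names (mode_of, has_bits, check_ssh_dir) are illustrative, and it assumes a private key is any file whose first line is a "PRIVATE KEY" header.

```shell
#!/bin/sh
# Added example (not from the original page): audit permissions in ~/.ssh.
# Function names are illustrative.

# Print the octal permission bits of a path (GNU stat, else BSD/macOS stat).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Succeed if mode $1 has any of the bits in mask $2 set (both octal).
has_bits() {
    [ $(( 0$1 & 0$2 )) -ne 0 ]
}

# Print one "FIX ..." line per problem found in directory $1 (default
# ~/.ssh) and return the number of problems as the exit status.
check_ssh_dir() {
    dir=${1:-$HOME/.ssh}
    problems=0
    [ -d "$dir" ] || { echo "MISSING $dir"; return 1; }
    # The directory holds your keys and the ControlPath socket: owner only.
    if has_bits "$(mode_of "$dir")" 077; then
        echo "FIX chmod 700 $dir"
        problems=$((problems + 1))
    fi
    # ssh rejects a config file that group or others can write to.
    if [ -f "$dir/config" ] && has_bits "$(mode_of "$dir/config")" 022; then
        echo "FIX chmod 600 $dir/config"
        problems=$((problems + 1))
    fi
    # ssh ignores a private key that group or others can access.
    # Assumption: a private key is any file starting with a PRIVATE KEY header.
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if head -n 1 "$f" 2>/dev/null | grep -q 'PRIVATE KEY-----' &&
           has_bits "$(mode_of "$f")" 077; then
            echo "FIX chmod 600 $f"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}
```

Source the file on your personal machine and run check_ssh_dir, apply the chmod commands it prints, and re-run until it prints nothing.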
With these config options in place, you should be able to make an initial connection that requires password and key, but subsequent connections, made from different terminal windows, can reuse that first connection.
For example:
terminal1$ ssh-add ~/.ssh/id_ed25519 #load your SSH key into ssh-agent/keychain
Enter passphrase for id_ed25519:
terminal1$ ssh venice.atnf.csiro.au
abc123@venice's password:
venice%
Then, in another window:
terminal2$ ssh venice.atnf.csiro.au
venice%
What’s going on:
- In the first terminal, we open our first session to venice.atnf.csiro.au. This sets up the special socket.
- In the second terminal, we open a new session that logs in using the socket.
If the first connection is closed, the other connections will be closed as well.
Non-UNIX operating systems
Windows
Windows 10 and later come with a SSH client program (ssh.exe). There is also the well-known PuTTY program, available for free. Both support password+key authentication, but unfortunately neither supports the ControlPath feature mentioned above. Another option is Windows Subsystem for Linux, which does support that feature.
Android
We recommend ‘ConnectBot’ or ‘Termius’. Both are available for free, but watch out for default settings that select a ‘paid subscription’ mode.
iOS
The only suitable free option we have found so far is ‘Termius’.