mediumaccess-controlverified ✓rollback-safe
Set SSH login grace time
ssh-login-grace-time · RHEL ≥ 8 · 2 impls
Description
The SSH daemon must disconnect clients that have not completed authentication within a defined time period. LoginGraceTime sets the maximum number of seconds allowed for a client to authenticate before the server terminates the connection.
Rationale
A long or unlimited login grace period allows an attacker to hold open unauthenticated connections indefinitely, consuming daemon resources and potentially facilitating denial-of-service attacks. Setting the grace time to 60 seconds or less ensures abandoned or malicious connections are promptly reclaimed.
Check → Remediate
Checksshd_effective_config
- key:
- logingracetime
- expected:
- 60
Remediateconfig_set
- path:
- /etc/ssh/sshd_config
- key:
- LoginGraceTime
- value:
- 60
- separator:
- reload:
- sshd
Framework references
CIS
rhel10 5.1.13rhel8 5.1.15rhel9 5.1.14
NIST 800-53
AC-12CM-6
Live verification
rhel10:checkrhel8:checkrhel9:check
#ssh#session-management#timeout