← Rules Catalog
mediumaccess-controlverified rollback-safe

Set SSH login grace time

ssh-login-grace-time · RHEL ≥ 8 · 2 impls

Description

The SSH daemon must disconnect clients that have not completed authentication within a defined time period. LoginGraceTime sets the maximum number of seconds allowed for a client to authenticate before the server terminates the connection.

Rationale

A long or unlimited login grace period allows an attacker to hold open unauthenticated connections indefinitely, consuming daemon resources and potentially facilitating denial-of-service attacks. Setting the grace time to 60 seconds or less ensures abandoned or malicious connections are promptly reclaimed.

Check → Remediate

Checksshd_effective_config
key:
logingracetime
expected:
60
Remediateconfig_set
path:
/etc/ssh/sshd_config
key:
LoginGraceTime
value:
60
separator:
reload:
sshd

Framework references

CIS

rhel10 5.1.13rhel8 5.1.15rhel9 5.1.14

NIST 800-53

AC-12CM-6

Live verification

rhel10:checkrhel8:checkrhel9:check
#ssh#session-management#timeout