5.2.21 Ensure SSH LoginGraceTime is set to one minute or less

Audit

Run the following command and verify that the LoginGraceTime value in the output is between 1 and 60 seconds, or 1m:

# sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" | grep logingracetime

Verify the output matches:

logingracetime 60

Run the following command and verify the output:

# grep -Ei '^\s*LoginGraceTime\s+(0|6[1-9]|[7-9][0-9]|[1-9][0-9][0-9]+|[^1]m)' /etc/ssh/sshd_config

Nothing should be returned.
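
The range check above, evaluated numerically instead of by pattern, as an added example that is not part of the benchmark text. It converts a value in sshd_config time format (plain seconds, or s/m/h/d/w suffixes, optionally combined as in 1h30m) to seconds, so values such as 10m or 1h, which the grep pattern above does not match, are judged as well. The function names and sample values are constructed for illustration.

```shell
#!/bin/sh
# Added example; to_seconds, grace_ok and audit_config are hypothetical names.

# Convert an sshd_config time value (60, 45s, 1m, 1h30m ...) to seconds.
# Prints the total; returns 1 on malformed input.
to_seconds() {
    rest=$1 total=0
    [ -n "$rest" ] || return 1
    while [ -n "$rest" ]; do
        num=${rest%%[!0-9]*}              # leading run of digits
        [ -n "$num" ] || return 1
        rest=${rest#"$num"}
        num=${num#"${num%%[1-9]*}"}       # drop leading zeros (avoid octal)
        : "${num:=0}"
        unit=${rest%"${rest#?}"}          # next character, empty at end
        rest=${rest#?}
        case $unit in
            ''|s|S) mult=1 ;;
            m|M)    mult=60 ;;
            h|H)    mult=3600 ;;
            d|D)    mult=86400 ;;
            w|W)    mult=604800 ;;
            *)      return 1 ;;
        esac
        total=$((total + num * mult))
    done
    echo "$total"
}

# Succeed only when the value is between 1 and 60 seconds inclusive.
grace_ok() {
    secs=$(to_seconds "$1") || return 1
    [ "$secs" -ge 1 ] && [ "$secs" -le 60 ]
}

# Read sshd_config text on stdin and judge the first LoginGraceTime line
# (whitespace-separated form). An unset keyword means the default of 120.
audit_config() {
    val=$(awk 'tolower($1) == "logingracetime" { print $2; exit }')
    grace_ok "${val:-120}"
}

# Constructed sample values, not taken from a real host.
for v in 60 1m 45s 0 61 2m 10m 1h; do
    if grace_ok "$v"; then echo "PASS $v"; else echo "FAIL $v"; fi
done
```

On a host, pass the value printed by the sshd -T command above to grace_ok, or pipe /etc/ssh/sshd_config into audit_config.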

Remediation

Edit the /etc/ssh/sshd_config file to set the parameter as follows:

LoginGraceTime 60

Default Value:

LoginGraceTime 120