Use Public Key Authentication for SSH Access
Ensure SSH connections use public key authentication for enhanced security.
Plain language
This control requires that when someone connects to your systems over the internet using Secure Shell (SSH), they should use a special digital key instead of just a password. This matters because passwords can be guessed or stolen, whereas a digital key is much harder for attackers to crack, keeping your systems safer from unauthorised access.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Aug 2018
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Official control statement
Public key-based authentication is used for SSH connections.
Why it matters
Without public key SSH authentication, passwords can be stolen or brute-forced, enabling unauthorised access.
Operational notes
Audit authorized_keys files regularly, remove stale keys, and enforce key-only SSH (disable PasswordAuthentication).
Implementation tips
- The IT team should generate a unique pair of SSH keys for each user who needs access. This means creating a public key and a private key using SSH software and securely distributing them to users while keeping the private key secret.
- System owners should make sure their systems are configured to accept only public key authentication. This involves editing the SSH configuration file on each server to disable password login and allow only key-based access.
- IT managers should educate users on how to securely store their private keys. This means explaining that keys should be kept on a secure device, such as their work computer, and not shared or emailed to anyone.
- The HR department should work with IT to update employee onboarding and offboarding processes. This involves assigning SSH keys to new employees and revoking them promptly when employees leave.
- Cyber security leads should schedule regular checks to ensure keys are in use and not lost. This can involve periodically reviewing a list of active keys and verifying if users still need them for their roles.
Audit / evidence tips
- Ask: for the SSH configuration files of critical systems to review authentication settings. Look to see if password login is disabled and SSH key authentication is enabled.
  Good: shows password authentication off and key authentication on.
- Good: includes a list matching current, verified employees to their respective keys.
- Ask: to see records of key distribution and training.
  Good: provides recent dates and specific details of the distribution and training activities.
- Good: will show key-based logins and no password entry attempts.
- Ask: to see evidence of key revocation for former employees.
  Good: includes documented removal within 24 hours of departure.
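As an added example (not code from the Control Stack page or the ISM), the following Python check performs the configuration review described above: it reads an sshd_config the way sshd does (first value for a keyword wins, commented-out stock defaults are ignored, settings inside Match blocks are listed separately for manual review) and reports whether password login is off and key authentication is on. It goes beyond the operational note by also checking KbdInteractiveAuthentication, which can still accept a password through PAM; the sample configuration is constructed.

```python
"""Audit an sshd_config for key-only SSH (added example, ISM-0485).

Mirrors sshd's parsing: keywords are case-insensitive, the FIRST value
for a keyword wins, '#' lines are comments, and settings after a Match
line apply only conditionally, so they are listed for manual review."""
import re

# OpenSSH defaults when a keyword is absent.
DEFAULTS = {"passwordauthentication": "yes", "pubkeyauthentication": "yes",
            "kbdinteractiveauthentication": "yes"}
# Required for the control: keys on, every password path off. The
# keyboard-interactive check goes beyond the page: with UsePAM it can
# still prompt for a password even when PasswordAuthentication is no.
REQUIRED = {"passwordauthentication": "no", "pubkeyauthentication": "yes",
            "kbdinteractiveauthentication": "no"}
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

def parse_sshd_config(text):
    # Returns (global_settings, match_block_lines) using first-wins rules.
    settings, match_lines, in_match = {}, [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"([^\s=]+)\s*=?\s*(\S*)", line)  # "Key value" or "Key=value"
        key = ALIASES.get(m.group(1).lower(), m.group(1).lower())
        if key == "match":
            in_match = True
        if in_match:
            match_lines.append(line)
            continue
        settings.setdefault(key, m.group(2).lower())  # later duplicates ignored
    return settings, match_lines

def audit_sshd_config(text):
    # Maps each audited keyword to (effective_value, compliant).
    settings, match_lines = parse_sshd_config(text)
    report = {}
    for key, required in REQUIRED.items():
        effective = settings.get(key, DEFAULTS[key])
        report[key] = (effective, effective == required)
    report["match_block_overrides"] = match_lines
    return report

# Constructed sample sshd_config, not taken from any real host.
SAMPLE_CONFIG = """\
#PasswordAuthentication yes
PubkeyAuthentication yes
PasswordAuthentication no
PasswordAuthentication yes   # duplicate: ignored, first value wins
Match User legacy-app
    PasswordAuthentication yes
"""
```

Run against the sample, the report flags the absent KbdInteractiveAuthentication (default yes) as non-compliant and lists the Match block that re-enables passwords for one user.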
Cross-framework mappings
How ISM-0485 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes |
|---|---|
| Partially meets (2) | |
| Annex A 5.17 | ISM-0485 requires that SSH connections use public key-based authentication rather than weaker authentication methods |
| Annex A 8.5 | ISM-0485 requires the use of public key authentication specifically for SSH access to harden remote administration and system access paths |
| Supports (1) | |
| Annex A 8.3 | ISM-0485 requires SSH access to be authenticated using public keys, reducing the likelihood of unauthorised access via brute force or cre... |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.