Disable Certain Features for Passwordless SSH Logins
When logging in without a password via SSH, certain access features like port forwarding and X11 are disabled to enhance security.
Plain language
This control is about making sure certain features are turned off when people connect to your systems without a password using SSH (a way to remotely log in to computers). By turning off features like port forwarding and X11 forwarding, you reduce the risk of someone using these features to gain unauthorised access to your network or perform harmful actions.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2025
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Official control statement
When using logins without a password for SSH connections, the following are disabled:
- access from IP addresses that do not require access
- port forwarding
- agent credential forwarding
- X11 forwarding
- console access.
Why it matters
If passwordless SSH features (port/X11/agent/console/unauthorised IP access) aren’t disabled, attackers can pivot and access internal systems covertly.
Operational notes
Regularly review sshd_config and SSH key options (from=, no-port-forwarding, no-agent-forwarding, no-X11-forwarding, no-pty) to keep passwordless logins restricted.
Implementation tips
- System administrators should configure the server settings to disable port forwarding for passwordless SSH logins. This can be done by editing the SSH configuration file to include 'AllowTcpForwarding no'. Save the changes and restart the SSH service to apply them.
- The IT team should ensure X11 forwarding is disabled for passwordless SSH sessions. Edit the SSH configuration file to set 'X11Forwarding no', save the file, and restart the SSH service.
- Network security personnel should disable agent forwarding for passwordless SSH. This involves setting 'AllowAgentForwarding no' in the SSH configuration file, saving the changes, and restarting the SSH service.
- System owners need to regularly review the list of IP addresses allowed to connect via SSH. Ensure only necessary and authorised IP addresses are listed, and remove any outdated or unnecessary entries.
- The IT security team should disable console access for passwordless SSH by configuring the system to deny shell access for passwordless logins, ensuring users cannot open an interactive shell session.
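The operational notes and implementation tips above name the settings to check in two places: the global sshd_config directives and the per-key options in authorized_keys. The following added audit script (not part of the ISM or Control Stack text) parses both and reports which restrictions are missing; the sample files it reads are constructed inline, with placeholder key blobs rather than real keys, and the sshd_config check covers only global directives, not Match blocks.

```python
import re

# Per-key options that restrict a key-based login; OpenSSH's "restrict"
# keyword implies all of the no-* options at once.
REQUIRED_KEY_OPTS = {"no-port-forwarding", "no-agent-forwarding", "no-x11-forwarding", "no-pty"}
# sshd_config directives expected to be "no" when logins are passwordless.
REQUIRED_SSHD = {"allowtcpforwarding": "no", "x11forwarding": "no",
                 "allowagentforwarding": "no", "permittty": "no"}
# Constructed sample inputs; the key blobs are placeholders, not real keys.
SAMPLE_AUTHORIZED_KEYS = """\
restrict,from="10.10.0.0/24" ssh-ed25519 AAAAC3PLACEHOLDER1 backup@bastion
no-port-forwarding,no-X11-forwarding ssh-rsa AAAAB3PLACEHOLDER2 deploy@ci
ssh-ed25519 AAAAC3PLACEHOLDER3 alice@laptop
"""
SAMPLE_SSHD_CONFIG = """\
PasswordAuthentication no
AllowTcpForwarding no
X11Forwarding yes
AllowAgentForwarding no
"""

def _option_names(field):
    # Split on commas outside quotes so from="10.0.0.1,10.0.0.2" stays one option.
    return {o.strip().split("=")[0].lower() for o in re.findall(r'[^,"]+(?:"[^"]*")?', field)}

def audit_authorized_keys(text):
    """Map each key's comment to the restrictions it lacks ([] means fully restricted)."""
    findings = {}
    for n, line in enumerate(text.splitlines(), 1):
        # Optional options field, then key type, key blob, optional comment.
        m = re.match(r'^(?:(.*?)\s+)?((?:ssh-|ecdsa-|sk-)\S+)\s+\S+\s*(.*)$', line.strip())
        if not m or line.lstrip().startswith("#"):
            continue
        names = _option_names(m.group(1) or "")
        missing = [] if "restrict" in names else sorted(REQUIRED_KEY_OPTS - names)
        if "from" not in names:  # no source-address restriction at all
            missing.append("from=")
        findings[m.group(3) or f"line {n}"] = missing
    return findings

def audit_sshd_config(text):
    """Return {directive: True if its first (effective) value is 'no'}; sshd honours the first occurrence."""
    seen = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        key = parts[0].lower() if parts else None
        if key in REQUIRED_SSHD and key not in seen:
            seen[key] = parts[1].strip().lower() if len(parts) > 1 else ""
    return {d: seen.get(d) == want for d, want in REQUIRED_SSHD.items()}
```

On a real host, feed it the output of `sshd -T` (the effective configuration) and each user's authorized_keys file; a key with an empty findings list, or a `restrict` plus `from=` pair, is the state the control asks for.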
Audit / evidence tips
- Ask for the SSH server configuration file: request a copy or a demonstration of the SSH configuration file for the systems in question.
  Good: shows all these settings as 'no' for passwordless SSH.
- Ask for a list of authorised IP addresses: request a current list of IP addresses permitted to connect via SSH without a password.
  Good: all listed IPs are documented and have been reviewed recently.
- Ask for logs of SSH connection attempts: request recent connection logs to see which IP addresses have attempted or succeeded in passwordless logins.
  Good: shows that only authorised IPs are connecting.
- Ask for evidence of configuration changes: request documentation or logs that show when the SSH configuration was last changed.
  Good: includes recent updates to disable forwarding features.
- Ask for system access policy reviews: request documents or meeting notes from regular reviews of system access policies.
  Good: shows regular assessments and updates.
Cross-framework mappings
How ISM-0487 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (2) | | |
| Annex A 5.15 | ISM-0487 requires organisations to harden passwordless SSH logins by disabling specific SSH capabilities such as port forwarding, agent f... | |
| Annex A 8.9 | ISM-0487 requires specific security configurations for SSH in passwordless scenarios, including disabling forwarding and limiting access ... | |
| Supports (1) | | |
| Annex A 6.7 | ISM-0487 mandates disabling high-risk SSH features for passwordless logins, reducing the remote administrative access attack surface | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.