Use Forced Commands for SSH Without Passwords
Ensure SSH without passwords uses specific commands and checks parameters for security.
Plain language
This control ensures that when people or systems connect remotely to your computer network without typing a password, they can only run specific, pre-approved actions. This is important because if someone manages to break in, they can't use the open connection to cause harm unless they do something we've already allowed. It's like giving someone a key to enter your business, but making sure all the important rooms are still locked.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2025
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Official control statement
If using remote access without the use of a password for SSH connections, the 'forced command' option is used to specify what command is executed and parameter checking is enabled.
Why it matters
Without SSH forced commands and parameter checking for key-based logins, a stolen key can be used to run arbitrary commands and escalate access on the host.
Operational notes
Regularly audit `authorized_keys` for `command="..."` and validate parameter checking; alert on any key-based access that lacks a forced command restriction.
Implementation tips
- IT team should configure the SSH server to enforce 'forced commands' on the user accounts used for remote connections. This involves setting up specific rules on the server that specify which commands can be executed when this type of connection is made.
- The IT manager should update organisational policies to include the use of 'forced commands' for any SSH access that doesn't require a password. This means adding a requirement for these rules in any documents that cover remote access procedures.
- IT staff should regularly review and update the list of allowed commands for SSH connections. They can do this by accessing the server, checking the configuration files where these commands are listed, and ensuring they still align with what's needed for business operations.
- The system owner should hold a workshop with the IT team to understand what tasks require SSH access without passwords and design the forced command scripts accordingly. This involves discussing which operations need automated access and what commands should be authorised during these sessions.
- Supervisors should work with the IT team to ensure any new SSH keys generated for passwordless access automatically apply forced commands. This involves creating a checklist or process document that reminds staff how to set up these commands whenever they create a new key.
Audit / evidence tips
-
Askthe server configuration file: Request the file that dictates SSH behaviour on the server
Goodwould display clear command restrictions tied to specific user accounts
-
Askprocedural documents on remote access: Request organisational policies describing the use of forced commands
Goodshows that forced commands are a standard part of the practice
-
Asklogs showing SSH access: Request logs from the SSH server
Goodshows recorded activity matching authorised operations only
-
Asknotes from a recent forced command review: Request documentation from meetings where forced commands were evaluated
Goodincludes identified improvements and action items noted during the meeting
-
Aska demonstration of SSH setup on a test environment: Request to see how forced commands are implemented during the key setup process
Goodshows a test user only executing approved commands
Cross-framework mappings
How ISM-0488 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| layers Partially meets (3) expand_less | ||
| Annex A 6.7 | ISM-0488 requires that when SSH is used without passwords, organisations restrict what can be executed via SSH keys by using SSH 'forced ... | |
| Annex A 8.3 | ISM-0488 requires restricting SSH key-based remote access by enforcing a specific command and validating parameters to prevent unauthoris... | |
| Annex A 8.5 | ISM-0488 addresses secure use of SSH authentication without passwords by constraining authorised SSH key usage to a forced command and ch... | |
E8
| Control | Notes | Details |
|---|---|---|
| handshake Supports (1) expand_less | ||
| E8-RA-ML3.1 | ISM-0488 requires limiting SSH key-based remote access by forcing a specific command and validating parameters, reducing the effective pr... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.