ISM-0489, ASD Information Security Manual (ISM)

SSH-Agent Key Expiry and Screen Lock Requirements

SSH-agent key caches may only be used on systems with screen locks and must expire within four hours of inactivity.


Plain language

This control requires that SSH keys cached in an agent (so users can log in to systems without re-entering a passphrase) expire within four hours of inactivity and are only cached on devices with screen locks. This matters because if someone forgets to lock their screen or leaves their machine unattended, anyone at the keyboard can use a still-cached key to reach every system it unlocks, without ever needing the passphrase.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

May 2025

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

When SSH-agent or similar key caching applications are used, it is limited to workstations and servers with screen locks and key caches that are set to expire within four hours of inactivity.

Why it matters

Without a four-hour SSH-agent key cache expiry and screen locks, an unattended session still holds usable keys, so anyone with access to the workstation can open SSH connections as that user, leading to data breaches and loss of system integrity.


Operational notes

Configure SSH-agent key cache expiry to four hours and enforce workstation/server screen locks. Note that OpenSSH's ssh-agent counts a key's lifetime from the moment the key is added (ssh-agent -t, ssh-add -t, or a time limit on AddKeysToAgent in ssh_config), not from its last use, so a four-hour lifetime expires keys no later than "four hours of inactivity" requires. Regularly verify timeout and lock settings (e.g., quarterly) to maintain compliance.


Implementation tips

  • The IT team should configure SSH-agent settings so that cached keys expire after at most four hours. For OpenSSH this means starting the agent with ssh-agent -t 4h, adding keys with ssh-add -t 4h, or (OpenSSH 8.9 and later) putting a time limit on the AddKeysToAgent directive in the system-wide ssh_config so that keys ssh adds automatically carry the limit. Roll the setting out through managed configuration on each workstation and server rather than relying on users' own files.
  • Office managers should ensure that all office computers have screen locks enabled. They can achieve this by working with IT to deploy an automatic screen-lock policy across all devices that locks the screen after a short period of inactivity and cannot be switched off by the user.
  • IT staff should regularly check and update the operating systems and SSH-agent software on all devices, so that security updates or patches that affect how key caching works are applied.
  • System administrators should educate users about locking their screen manually whenever they step away from their computers. Short training sessions or simple step-by-step guides covering the lock shortcut on each operating system in use are enough.
  • IT managers should establish a routine audit process to verify that all devices comply with the screen lock and SSH-agent key expiry policies, for example random spot checks or scheduled reviews that record and report compliance.
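The checks behind the first and last tips can be scripted. The POSIX shell script below is an added example, not part of the ISM or this page: it reads an ssh_config(5) file, finds the first AddKeysToAgent directive (OpenSSH 8.9 and later accept a time limit there, e.g. AddKeysToAgent confirm 4h), converts OpenSSH's time format to seconds and reports whether a lifetime is set and is within four hours. The two sample configs in demo() are constructed for the demonstration; the function names and the file layout are the example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the ISM or this page): audit ssh_config(5) for an
# AddKeysToAgent lifetime that satisfies ISM-0489 (cached keys expire within
# four hours). Assumes OpenSSH 8.9+, where AddKeysToAgent accepts a time
# limit; the configs written by demo() are constructed sample input.

MAX_LIFETIME=14400   # four hours, in seconds

# Convert an OpenSSH TIME FORMAT value (see sshd_config(5)) to seconds:
# a bare integer is seconds; otherwise a run of <number><unit> pairs with
# units s, m, h, d or w, e.g. 4h, 30m, 1h30m. Prints the total and returns 1
# when the value is not a valid time.
ssh_time_to_seconds() {
    spec=$1
    total=0
    case "$spec" in
        '' | *[!0-9smhdwSMHDW]*) return 1 ;;   # empty or stray characters
        *[!0-9]*) ;;                          # has units: parse below
        *) echo "$spec"; return 0 ;;          # bare seconds
    esac
    while [ -n "$spec" ]; do
        num=${spec%%[!0-9]*}        # leading digits
        rest=${spec#"$num"}         # unit letter plus whatever follows
        unit=${rest%"${rest#?}"}    # first character of rest
        spec=${rest#?}
        [ -n "$num" ] || return 1   # a unit with no number in front
        case "$unit" in
            s|S) mult=1 ;;     m|M) mult=60 ;;    h|H) mult=3600 ;;
            d|D) mult=86400 ;; w|W) mult=604800 ;;
            *) return 1 ;;
        esac
        total=$((total + num * mult))
    done
    echo "$total"
}

# Report the key lifetime set by the first AddKeysToAgent directive in an
# ssh_config file (ssh(1) honours the first match). Prints the lifetime in
# seconds, 0 meaning "no expiry from this directive", and returns 0 only when
# a lifetime is set and is within MAX_LIFETIME.
check_add_keys_to_agent() {
    cfg=$1
    line=$(grep -i '^[[:space:]]*AddKeysToAgent[[:space:]]' "$cfg" | head -n 1)
    line=${line%%#*}                 # drop a trailing comment
    lifetime=0
    set -- $line                     # split into keyword and arguments
    if [ "$#" -gt 0 ]; then shift; fi
    case "$#:${1-}" in
        # Flag-only forms use the agent's default lifetime, which is
        # unlimited unless the agent itself was started with ssh-agent -t.
        1:no|1:yes|1:ask|1:confirm) ;;
        1:*) lifetime=$(ssh_time_to_seconds "$1") || lifetime=0 ;;
        2:confirm) lifetime=$(ssh_time_to_seconds "$2") || lifetime=0 ;;
    esac
    echo "$lifetime"
    if [ "$lifetime" -gt 0 ] && [ "$lifetime" -le "$MAX_LIFETIME" ]; then
        return 0
    fi
    return 1
}

# Constructed demo: the weak setting beside the corrected one.
demo() {
    dir=$(mktemp -d)
    # Weak: keys are cached for the agent's default lifetime, normally until
    # the agent exits, however long the workstation sits unattended.
    cat > "$dir/weak_ssh_config" <<'EOF'
Host *
    AddKeysToAgent yes
    IdentityFile ~/.ssh/id_ed25519
EOF
    # Fixed: ssh(1) adds the key with a 4h lifetime and the agent asks for
    # confirmation on each use (confirm needs ssh-askpass or equivalent).
    cat > "$dir/fixed_ssh_config" <<'EOF'
Host *
    AddKeysToAgent confirm 4h
    IdentityFile ~/.ssh/id_ed25519
EOF
    for f in weak_ssh_config fixed_ssh_config; do
        if secs=$(check_add_keys_to_agent "$dir/$f"); then
            echo "$f: lifetime ${secs}s, within 4h: PASS"
        else
            echo "$f: lifetime ${secs}s (0 = no expiry): FAIL"
        fi
    done
    rm -rf "$dir"
}

demo
```

Run it against /etc/ssh/ssh_config and any per-user ~/.ssh/config on the sampled hosts. A directive of plain "yes" is reported as no expiry because it inherits the agent's default; on such hosts the evidence has to come instead from how the agent is launched (ssh-agent -t 4h in the session startup) or from users running ssh-add -t 4h, both of which this script does not inspect.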

Audit / evidence tips

  • Ask: the SSH-agent configuration on a selected sample of workstations and servers (ssh_config AddKeysToAgent directives, and the ssh-agent -t or ssh-add -t arguments in session startup scripts). Good evidence: shows the key lifetime set to four hours or less. Note that ssh-add -l lists cached keys but not their remaining lifetime, so the configuration, not the agent listing, is the evidence.
  • Ask: the screen lock policy for office computers, as a document or a demonstration of the automatic screen lock settings. Good evidence: screen locks engage within a reasonable period, such as five minutes, and users cannot disable them.
  • Ask: logs or reports on system updates. Good evidence: updates applied within the last month, showing that the operating system and OpenSSH packages are current.
  • Ask: the user training materials on screen locking, such as a copy of the training modules or guides provided to users. Good evidence: the material is refreshed regularly and attendance or completion records exist.
  • Ask: audit reports summarising compliance checks, i.e. documentation of recent compliance audits on screen locks and key expiry. Good evidence: a summary listing every system checked and showing it compliant with the policies, with any exceptions and their remediation dates.

Cross-framework mappings

How ISM-0489 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Control: Annex A 5.15
Relationship: Partially meets (1 mapping)
Notes: ISM-0489 requires that where SSH-agent (or similar) key caching is used, it is only on workstations/servers with screen locks and the key...

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
