Configure session renegotiation for SSH client
An XCCDF Rule
Description
The RekeyLimit parameter specifies how often the session key is renegotiated, both in terms of the amount of data that may be transmitted and the time elapsed. To decrease the default limits, add the RekeyLimit line to the file /etc/ssh/ssh_config.d/02-rekey-limit.conf.

Make sure that there is no other RekeyLimit configuration preceding the Include directive in the main config file /etc/ssh/ssh_config. Check also the other files in the /etc/ssh/ssh_config.d directory. Files are processed in lexicographical order of file names, so make sure that no file processed before 02-rekey-limit.conf contains a definition of RekeyLimit.
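As an added example, not part of the SSG rule or project, the following POSIX shell audit checks the ordering rules described above against a directory laid out like /etc/ssh. It assumes the main file uses Include /etc/ssh/ssh_config.d/*.conf (a common distro default) and a constructed RekeyLimit value of 512M 1h, since the rule text does not state the values.

```shell
#!/bin/sh
# Added example: audit where the SSH client picks up RekeyLimit.
# Assumes "Include /etc/ssh/ssh_config.d/*.conf" in the main file and a
# constructed value "512M 1h"; the rule text does not state the values.
# has_rekey_limit FILE -> 0 if FILE contains a RekeyLimit directive
# (keywords are case-insensitive and may be written "Keyword=value").
has_rekey_limit() {
    awk '{ k = tolower($1); sub(/=.*/, "", k) }
         k == "rekeylimit" { found = 1; exit }
         END { exit !found }' "$1"
}
# rekey_before_include FILE -> 0 if RekeyLimit appears before the first
# Include line, i.e. the drop-in file could never take effect.
rekey_before_include() {
    awk '{ k = tolower($1); sub(/=.*/, "", k) }
         k == "include"    { exit }
         k == "rekeylimit" { found = 1; exit }
         END { exit !found }' "$1"
}

# check_rekey_limit DIR -> 0 when DIR/ssh_config.d/02-rekey-limit.conf
# holds the first RekeyLimit the client sees, 1 with a reason otherwise.
check_rekey_limit() {
    dir=$1
    dedicated="$dir/ssh_config.d/02-rekey-limit.conf"
    if ! has_rekey_limit "$dedicated" 2>/dev/null; then
        echo "FAIL: no RekeyLimit in $dedicated"; return 1
    fi
    if rekey_before_include "$dir/ssh_config"; then
        echo "FAIL: RekeyLimit precedes Include in $dir/ssh_config"; return 1
    fi
    # Drop-ins are read in lexicographic order; stop at the dedicated file.
    for f in "$dir"/ssh_config.d/*.conf; do
        [ "$f" = "$dedicated" ] && break
        if has_rekey_limit "$f"; then
            echo "FAIL: RekeyLimit in $f is read before 02-rekey-limit.conf"; return 1
        fi
    done
    echo "PASS: RekeyLimit comes from $dedicated"
}

# make_demo_tree DIR -> constructed, compliant layout mimicking /etc/ssh
make_demo_tree() {
    mkdir -p "$1/ssh_config.d"
    printf 'Include /etc/ssh/ssh_config.d/*.conf\nHost *\n    ForwardX11 no\n' > "$1/ssh_config"
    printf 'RekeyLimit 512M 1h\n' > "$1/ssh_config.d/02-rekey-limit.conf"
    printf 'RekeyLimit 1G 2h\n' > "$1/ssh_config.d/50-later.conf"   # later file, ignored
}
demo=$(mktemp -d); make_demo_tree "$demo"; check_rekey_limit "$demo"; rm -rf "$demo"
```

Point check_rekey_limit at /etc/ssh on a real host to audit the live client configuration.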
Rationale
By decreasing the data-based limit and enabling the time-based limit, the effects of potential attacks against the encryption keys are limited.
- ID: xccdf_org.ssgproject.content_rule_ssh_client_rekey_limit
- Severity: Medium
- References:
- Updated: