
Configure session renegotiation for SSH client

An XCCDF Rule

Description

The RekeyLimit parameter specifies how often the session key is renegotiated, both in terms of the amount of data that may be transmitted and the time elapsed. To decrease the default limits, put a RekeyLimit line in the file /etc/ssh/ssh_config.d/02-rekey-limit.conf. Because ssh_config uses the first value it reads for each parameter, make sure that no other RekeyLimit configuration precedes the Include directive in the main config file /etc/ssh/ssh_config. Check also the other files in the /etc/ssh/ssh_config.d directory: they are processed in lexicographical order of their file names, so make sure that no file processed before 02-rekey-limit.conf contains a definition of RekeyLimit.
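The precedence rules above are easy to get wrong silently: ssh picks the first RekeyLimit it reads, so a stray definition before the Include line or in an earlier-sorting drop-in wins and the new file has no effect. The following POSIX shell audit is an added example, not the rule's own check or remediation and not ComplianceAsCode project code. It assumes a constructed /etc/ssh lookalike under a temporary directory and sample limits of 512M and 1h (the actual XCCDF variable values are not shown on this page); the function and file names are this example's own.

```shell
#!/bin/sh
# Added example (not the SSG rule's remediation): audit whether a RekeyLimit
# in a drop-in file is really the value ssh(1) will use. ssh_config is
# first-match-wins, so a definition before the Include line in the main file,
# or in a drop-in whose name sorts earlier, shadows the one we added.

# has_rekey_limit FILE [before-include]
#   Returns 0 if FILE sets RekeyLimit. With the second argument
#   "before-include" only lines preceding the first Include directive count.
has_rekey_limit() {
    awk -v stop="$2" '
        { k = tolower($1); sub(/=.*/, "", k) }   # keyword, also in Key=value form
        k == "include" && stop == "before-include" { exit }
        k == "rekeylimit" { found = 1 }
        END { exit !found }' "$1"
}

# rekey_limit_shadowed MAIN_CONFIG DROPIN_DIR DROPIN_NAME
#   Prints every location that shadows DROPIN_NAME and returns 0 if there is
#   at least one, 1 if DROPIN_NAME holds the first RekeyLimit ssh would see.
rekey_limit_shadowed() {
    cfg=$1 dir=$2 name=$3
    rc=1
    # 1. A RekeyLimit in the main file before its Include directive.
    if [ -f "$cfg" ] && has_rekey_limit "$cfg" before-include; then
        echo "shadowed: $cfg sets RekeyLimit before its Include directive"
        rc=0
    fi
    # 2. Drop-ins whose names sort before DROPIN_NAME (files are read in
    #    lexicographical order) and that set RekeyLimit themselves.
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        base=${f##*/}
        expr "$base" \< "$name" > /dev/null || continue
        if has_rekey_limit "$f"; then
            echo "shadowed: $f is read before $name and sets RekeyLimit"
            rc=0
        fi
    done
    return $rc
}

# write_rekey_limit_dropin DROPIN_DIR DROPIN_NAME SIZE TIME
#   Writes the drop-in the rule describes, e.g. "RekeyLimit 512M 1h".
write_rekey_limit_dropin() {
    mkdir -p "$1"
    printf 'RekeyLimit %s %s\n' "$3" "$4" > "$1/$2"
}

# Constructed fixture standing in for /etc/ssh; sample limits are assumed.
demo() {
    root=$(mktemp -d)
    printf 'Include %s/ssh_config.d/*.conf\nHost *\n    ForwardX11 no\n' \
        "$root" > "$root/ssh_config"
    write_rekey_limit_dropin "$root/ssh_config.d" 02-rekey-limit.conf 512M 1h
    if rekey_limit_shadowed "$root/ssh_config" "$root/ssh_config.d" 02-rekey-limit.conf; then
        echo "FAIL: clean layout reported as shadowed"
    else
        echo "ok: 02-rekey-limit.conf is the effective RekeyLimit"
    fi
    # An earlier-sorting drop-in with its own RekeyLimit now wins over ours.
    printf 'RekeyLimit 1G 1h\n' > "$root/ssh_config.d/01-site.conf"
    rekey_limit_shadowed "$root/ssh_config" "$root/ssh_config.d" 02-rekey-limit.conf
    rm -rf "$root"
}
demo
```

Run it against the real tree with `rekey_limit_shadowed /etc/ssh/ssh_config /etc/ssh/ssh_config.d 02-rekey-limit.conf`; a zero exit status with printed locations means the drop-in is being ignored and those definitions need to be removed or moved.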

Rationale

By decreasing the data-based limit and enabling a time-based limit, the effects of potential attacks against the encryption keys are limited.

ID
xccdf_org.ssgproject.content_rule_ssh_client_rekey_limit
Severity
Medium
References
Updated



Remediation - Ansible

- name: XCCDF Value var_ssh_client_rekey_limit_size # promote to variable
  set_fact:
    var_ssh_client_rekey_limit_size: !!str <xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_ssh_client_rekey_limit_size" use="legacy"/>
  tags:
    - always
- name: XCCDF Value var_ssh_client_rekey_limit_time # promote to variable
  set_fact:
    var_ssh_client_rekey_limit_time: !!str <xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_ssh_client_rekey_limit_time" use="legacy"/>
  tags:
    - always

Remediation - Shell Script

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

var_ssh_client_rekey_limit_size='<xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_ssh_client_rekey_limit_size" use="legacy"/>'
var_ssh_client_rekey_limit_time='<xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_ssh_client_rekey_limit_time" use="legacy"/>'