mediumaccess-controlverified ✓rollback-safe
Set SSH rekey limit
ssh-rekey-limit · RHEL ≥ 8 · 2 impls
Description
The SSH daemon must force renegotiation of session encryption keys after a defined amount of data or time. RekeyLimit ensures that session keys are refreshed periodically, limiting the amount of data encrypted under any single key.
Rationale
Long-lived session keys increase the volume of traffic available for cryptanalysis. If an attacker captures encrypted SSH traffic, a rekey limit of 1 gigabyte and 1 hour ensures that the practical window for any key-recovery attack is bounded, protecting the confidentiality of data transmitted over long-running sessions.
Check → Remediate
Checksshd_effective_config
- key:
- rekeylimit
- expected:
- 1073741824 3600
Remediateconfig_set
- path:
- /etc/ssh/sshd_config
- key:
- RekeyLimit
- value:
- 1G 1h
- separator:
- reload:
- sshd
Framework references
STIG
V-230527 / RHEL-08-040161V-281268 / RHEL-10-700650
NIST 800-53
SC-13AC-17(2)
Live verification
rhel10:checkrhel8:check
#ssh#cryptography#rekey