← Rules Catalog
mediumaccess-controlverified rollback-safe

Set SSH rekey limit

ssh-rekey-limit · RHEL ≥ 8 · 2 impls

Description

The SSH daemon must force renegotiation of session encryption keys after a defined amount of data or time. RekeyLimit ensures that session keys are refreshed periodically, limiting the amount of data encrypted under any single key.

Rationale

Long-lived session keys increase the volume of traffic available for cryptanalysis. If an attacker captures encrypted SSH traffic, a rekey limit of 1 gigabyte and 1 hour ensures that the practical window for any key-recovery attack is bounded, protecting the confidentiality of data transmitted over long-running sessions.

Check → Remediate

Checksshd_effective_config
key:
rekeylimit
expected:
1073741824 3600
Remediateconfig_set
path:
/etc/ssh/sshd_config
key:
RekeyLimit
value:
1G 1h
separator:
reload:
sshd

Framework references

STIG

V-230527 / RHEL-08-040161V-281268 / RHEL-10-700650

NIST 800-53

SC-13AC-17(2)

Live verification

rhel10:checkrhel8:check
#ssh#cryptography#rekey