4.6.3.17 Ensure sshd ReKeyLimit is configured

Information

This parameter specifies the maximum amount of data that may be transmitted before the session key is renegotiated, optionally followed by the maximum amount of time that may pass before the session key is renegotiated.

This recommendation is based on the guidelines outlined in Chapter 9 of RFC 4253, that is, session keys should be renewed after one hour of connection time or after one gigabyte of transferred data, whichever comes first.

Solution

Edit the /etc/ssh/sshd_config file to set the parameter as follows:

RekeyLimit 1G 3600
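To verify the effective setting rather than trust the file, the following added check (not part of the benchmark or of OpenSSH) compares a RekeyLimit value against the 1 GiB / 3600 s ceiling. It assumes the line is in the form `sshd -T` prints it (`rekeylimit <bytes> <seconds>`), and also accepts the K/M/G and s/m/h/d/w suffixes used in sshd_config; the sample lines are constructed so the check runs offline.

```shell
# Data size to bytes: plain number, or number with K/M/G suffix.
to_bytes() {
  v="$1"
  case "$v" in
    default|none|'') echo 0 ;;     # no explicit limit -> non-compliant
    *[Gg]) echo $(( ${v%[Gg]} * 1073741824 )) ;;
    *[Mm]) echo $(( ${v%[Mm]} * 1048576 )) ;;
    *[Kk]) echo $(( ${v%[Kk]} * 1024 )) ;;
    *) echo "$v" ;;
  esac
}

# Time to seconds: plain number (seconds), or number with s/m/h/d/w suffix.
to_seconds() {
  v="$1"
  case "$v" in
    none|'') echo 0 ;;             # no time limit -> non-compliant
    *[Ww]) echo $(( ${v%[Ww]} * 604800 )) ;;
    *[Dd]) echo $(( ${v%[Dd]} * 86400 )) ;;
    *[Hh]) echo $(( ${v%[Hh]} * 3600 )) ;;
    *[Mm]) echo $(( ${v%[Mm]} * 60 )) ;;
    *[Ss]) echo "${v%[Ss]}" ;;
    *) echo "$v" ;;
  esac
}

# Returns 0 when the line is a compliant RekeyLimit (both limits set,
# data <= 1 GiB, time <= 3600 s), 1 otherwise.
check_rekeylimit() {
  set -- $1                        # split into keyword, data, time
  [ "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" = "rekeylimit" ] || return 1
  data=$(to_bytes "$2")
  secs=$(to_seconds "$3")
  [ "$data" -gt 0 ] 2>/dev/null && [ "$data" -le 1073741824 ] || return 1
  [ "$secs" -gt 0 ] 2>/dev/null && [ "$secs" -le 3600 ] || return 1
  return 0
}

# Constructed sample lines standing in for `sshd -T | grep -i '^rekeylimit'`.
for sample in "rekeylimit 1073741824 3600" "rekeylimit 0 0" "RekeyLimit 4G 1h"; do
  if check_rekeylimit "$sample"; then echo "PASS: $sample"; else echo "FAIL: $sample"; fi
done
```

On a live host, feed it the real value with `check_rekeylimit "$(sshd -T 2>/dev/null | grep -i '^rekeylimit')"`; a non-zero exit means the running daemon does not meet the recommendation.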

See Also

https://workbench.cisecurity.org/benchmarks/19066

Item Details

Category: ACCESS CONTROL, CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION, MAINTENANCE, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|AC-17(2), 800-53|CM-7, 800-53|IA-5, 800-53|IA-5(1), 800-53|MA-4, 800-53|SC-8, 800-53|SC-8(1), CSCv7|9.2, CSCv7|14.4

Plugin: Unix

Control ID: 7a2dc92f8db9fa7ada03ef651477a41b6e3392805362470317421814f482e972