Detections
Analytics

5.1.37 Ensure sshd RekeyLimit is configured

Information

The operating system must force a frequent session key renegotiation for SSH connections to the server.

RekeyLimit Specifies the maximum amount of data that may be transmitted before the session key is renegotiated, optionally followed a maximum amount of time that may pass before the session key is renegotiated. The first argument is specified in bytes and may have a suffix of K, M, or G to indicate Kilobytes, Megabytes, or Gigabytes, respectively. The default is between 1G and 4G, depending on the cipher. The optional second value is specified in seconds and may use any of the units documented in the TIME FORMATS section. The default value for RekeyLimit is default none, which means that rekeying is performed after the cipher's default amount of data has been sent or received and no time based rekeying is done.

Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered.

This requirement applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, and facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification.

Protecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa.

Session key regeneration limits the chances of a session key becoming compromised.

Satisfies: SRG-OS-000033-GPOS-00014, SRG-OS-000420-GPOS-00186, SRG-OS-000424-GPOS-00188

Solution

Configure the system to force a frequent session key renegotiation for SSH connections to the server.

Edit the /etc/ssh/sshd_config file to set the RekeyLimit parameter to 1G 1h above any Include and Match entries as follows:

RekeyLimit 1G 1h

Note: First occurrence of a option takes precedence, Match set statements withstanding. If Include locations are enabled, used, and order of precedence is understood in your environment, the entry may be created in a file in Include location.

Restart the SSH daemon for the settings to take effect.

# systemctl reload-or-restart sshd.service

See Also

https://workbench.cisecurity.org/benchmarks/19886

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-17, CSCv7|14.4

Plugin: Unix

Control ID: 4ee1b4a6720f5dc1a2c8ae541164c940f6fb8a985d1c34f60b68e705960699a1