Page MenuHomeVyOS Platform

SSH ability to configure RekeyLimit
Closed, ResolvedPublicFEATURE REQUEST


SSH ability to configure RekeyLimit

        Specifies the maximum amount of data that may be
        transmitted before the session key is renegotiated,
        optionally followed by a maximum amount of time that may
        pass before the session key is renegotiated.  The first
        argument is specified in bytes and may have a suffix of
        ‘K’, ‘M’, or ‘G’ to indicate Kilobytes, Megabytes, or
        Gigabytes, respectively.  The default is between ‘1G’ and
        ‘4G’, depending on the cipher.  The optional second value
        is specified in seconds and may use any of the units
        documented in the TIME FORMATS section.  The default value
        for RekeyLimit is default none, which means that rekeying
        is performed after the cipher's default amount of data has
        been sent or received and no time based rekeying is done.


FCS_SSHS_EXT.1.8 The TSF shall ensure that within SSH connections, the same session
keys are used for a threshold of no longer than one hour, and each encryption key is used to
protect no more than one gigabyte of data. After any of the thresholds are reached, a rekey
needs to be performed.

Proposed syntax:

set service ssh rekey-limit data xxx
set service ssh rekey-limit time xxx


Difficulty level
Unknown (require assessment)
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Feature (new functionality)

Related Objects

ResolvedFEATURE REQUESTViacheslav

Event Timeline

Viacheslav changed the task status from Open to In progress.EditedSep 27 2022, 4:11 PM
Viacheslav claimed this task.


set service ssh rekey data '1024'
set service ssh rekey time '60'
Viacheslav changed the task status from In progress to Needs testing.Oct 10 2022, 7:33 PM
Viacheslav moved this task from Need Triage to Finished on the VyOS 1.4 Sagitta board.