Last Modified: Apr 28, 2025
Affected Product(s):
BIG-IP TMOS
Known Affected Versions:
12.1.2, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1
Fixed In:
13.1.0, 12.1.2 HF1
Opened: Apr 05, 2017
Severity: 1-Blocking
Common Criteria requires that SSH sessions be rekeyed at least every hour.
SSH sessions are rekeyed in response to the quantity of data transferred, or on user demand, but not on the basis of elapsed time.
SSH connections to or from the BIG-IP system.
If time-based rekeying is required in your environment, edit the SSH configuration to include a RekeyLimit with both data and time parameters using a command similar to the following:

    tmsh modify sys sshd include 'RekeyLimit 256M 3600s'

Outbound SSH client connections can be modified by adding the same RekeyLimit configuration to /config/ssh/ssh_config or by including that option on the command line when calling the ssh client.
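One way to audit a configuration file for the setting described above, as an added example that is not part of the original F5 article: a shell check that an OpenSSH-style config sets RekeyLimit with a time argument of at most 3600 seconds. The function names and the sample file are constructed for illustration; only the first RekeyLimit line is read because OpenSSH uses the first value it obtains for a keyword, and Match blocks are not evaluated.

```shell
#!/bin/sh
# Added example (not F5 code): audit a config file for a time-based RekeyLimit.

# to_seconds VALUE: convert an OpenSSH time value (3600s, 60m, 1h, 1h30m, or
# bare seconds) to seconds. Returns 1 for an empty value, "none", or bad input.
to_seconds() {
    v=$1 total=0
    case $v in ''|none) return 1 ;; esac
    while [ -n "$v" ]; do
        num=${v%%[!0-9]*}             # leading run of digits
        [ -n "$num" ] || return 1
        rest=${v#"$num"}
        unit=${rest%"${rest#?}"}      # first character after the digits
        case $unit in
            ''|s|S) mult=1 ;;
            m|M)    mult=60 ;;
            h|H)    mult=3600 ;;
            d|D)    mult=86400 ;;
            w|W)    mult=604800 ;;
            *)      return 1 ;;
        esac
        total=$((total + num * mult))
        v=${rest#?}
    done
    echo "$total"
}

# rekey_check FILE [MAX_SECONDS]: succeed only if the first RekeyLimit line
# carries a time argument no larger than MAX_SECONDS (default 3600, one hour).
rekey_check() {
    max=${2:-3600}
    vals=$(awk 'tolower($1) == "rekeylimit" { print $2, $3; exit }' "$1")
    data=${vals%% *}; time_arg=${vals#* }
    if [ -z "$data" ]; then
        echo "FAIL: no RekeyLimit line"; return 1
    fi
    secs=$(to_seconds "$time_arg") || {
        echo "FAIL: RekeyLimit $data has no time limit"; return 1; }
    if [ "$secs" -gt "$max" ]; then
        echo "FAIL: rekey interval ${secs}s exceeds ${max}s"; return 1
    fi
    echo "OK: rekey after $data or ${secs}s"
}

# Constructed sample containing the workaround line from this page.
sample=$(mktemp)
printf 'RekeyLimit 256M 3600s\n' > "$sample"
rekey_check "$sample"
rm -f "$sample"
```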
SSH sessions are now rekeyed every hour regardless of the quantity of data transferred.