Bug ID 655500: Rekey SSH sessions after one hour

Last Modified: Apr 10, 2019

Affected Product:
BIG-IP TMOS(all modules)

Known Affected Versions:
12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1

Fixed In:
13.1.0, 12.1.2 HF1

Opened: Apr 05, 2017
Severity: 1-Blocking

Symptoms

Common Criteria requires that SSH sessions be rekeyed at least every hour.

Impact

SSH sessions are rekeyed in response to the quantity of data transferred, or on user demand, but not on the basis of elapsed time.

Conditions

SSH connections to or from the BIG-IP system.

Workaround

If time-based rekeying is required in your environment, edit the SSH configuration to include a RekeyLimit with both data and time parameters using a command similar to the following:

    tmsh modify sys sshd include 'RekeyLimit 256M 3600s'

Outbound SSH client connections can be modified by adding the same RekeyLimit configuration to /config/ssh/ssh_config or by including that option on the command line when calling the ssh client.
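
A configuration check for the workaround above, added here as an example and not F5 or OpenSSH code: it reads sshd_config or ssh_config text, takes the first RekeyLimit directive (OpenSSH uses the first value obtained for a keyword), and reports whether its time parameter is set and no longer than one hour. The function names and sample configurations are constructed for illustration, and Match/Host blocks are not evaluated.

```python
import re

# OpenSSH TIME FORMATS qualifiers, in seconds (a bare number means seconds).
_UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def parse_time(spec):
    """Convert an OpenSSH time value ('3600s', '1h', '1h30m') to seconds; 'none' -> None."""
    spec = spec.strip().lower()
    if spec == "none":
        return None
    parts = re.findall(r"(\d+)([smhdw]?)", spec)
    if not parts or "".join(n + u for n, u in parts) != spec:
        raise ValueError(f"unrecognised time value: {spec!r}")
    return sum(int(n) * _UNITS[u] for n, u in parts)


def rekey_time_seconds(config_text):
    """Return the time limit (seconds) of the first RekeyLimit directive, or None."""
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        fields = re.split(r"[\s=]+", line)
        if fields[0].lower() != "rekeylimit":
            continue
        # Format: RekeyLimit <data> [<time>]; an omitted time means no time-based rekey.
        return parse_time(fields[2]) if len(fields) > 2 else None
    return None


def meets_hourly_rekey(config_text, max_seconds=3600):
    """True when sessions are rekeyed on elapsed time at least every max_seconds."""
    limit = rekey_time_seconds(config_text)
    return limit is not None and 0 < limit <= max_seconds


# Constructed sample configurations (not taken from a real system).
WORKAROUND = "Protocol 2\nRekeyLimit 256M 3600s\n"
DATA_ONLY = "RekeyLimit 1G\n"
TOO_LONG = "rekeylimit default 1h30m  # exceeds one hour\n"

if __name__ == "__main__":
    for name, cfg in [("workaround", WORKAROUND), ("data-only", DATA_ONLY), ("too-long", TOO_LONG)]:
        print(name, rekey_time_seconds(cfg), meets_hourly_rekey(cfg))
```
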

Fix Information

SSH sessions are now rekeyed every hour regardless of the quantity of data transferred.

Behavior Change