Bug ID 655500: Rekey SSH sessions after one hour

Last Modified: Oct 06, 2020

Affected Product:
BIG-IP TMOS (all modules)

Known Affected Versions:
12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1

Fixed In:
13.1.0, 12.1.2 HF1

Opened: Apr 05, 2017
Severity: 1-Blocking


Common Criteria requires that SSH sessions be rekeyed at least every hour.


SSH sessions are rekeyed in response to the quantity of data transferred, or on user demand, but not on the basis of elapsed time.


SSH connections to or from the BIG-IP system.


If time-based rekeying is required in your environment, edit the SSH configuration to include a RekeyLimit with both data and time parameters using a command similar to the following:

    tmsh modify sys sshd include 'RekeyLimit 256M 3600s'

Outbound SSH client connections can be modified by adding the same RekeyLimit configuration to /config/ssh/ssh_config or by including that option on the command line when calling the ssh client.
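One way to audit that the workaround is in place, as an added example that is not F5's code: the script reads an OpenSSH-style configuration file and reports whether its RekeyLimit carries a time limit of one hour or less. The function names `rekey_seconds` and `rekey_ok` are hypothetical, the sample files are constructed, and it assumes the first RekeyLimit line applies (Host/Match scoping is not evaluated).

```shell
#!/bin/sh
# Added example (not F5 code): check an OpenSSH-style config for a time-based RekeyLimit.
# Assumption: the first RekeyLimit line is used; Host/Match scoping is not evaluated.

# rekey_seconds FILE: print the time argument of the first RekeyLimit in seconds;
# prints 0 when there is no RekeyLimit line or it has no (valid) time limit.
rekey_seconds() {
  awk '
    function secs(t,   total, n, u, mult) {
      t = tolower(t); total = 0
      if (t == "" || t == "none") return 0
      # OpenSSH time formats: 3600, 3600s, 60m, 1h, 1h30m, ...
      while (match(t, /^[0-9]+[smhdw]?/)) {
        n = substr(t, 1, RLENGTH); t = substr(t, RLENGTH + 1)
        u = substr(n, length(n)); mult = 1
        if (u == "m") mult = 60
        else if (u == "h") mult = 3600
        else if (u == "d") mult = 86400
        else if (u == "w") mult = 604800
        total += (n + 0) * mult
      }
      return (t == "") ? total : 0
    }
    /^[ \t]*#/ { next }                      # comment line
    { sub(/=/, " ") }                        # accept "Keyword=value" form
    tolower($1) == "rekeylimit" { print secs($3); found = 1; exit }
    END { if (!found) print 0 }
  ' "$1"
}

# rekey_ok FILE [MAX]: succeed only if a time limit exists and is <= MAX (default 3600 s).
rekey_ok() {
  s=$(rekey_seconds "$1")
  [ "$s" -gt 0 ] && [ "$s" -le "${2:-3600}" ]
}

# Constructed sample configs: the workaround value, a data-only limit, and no limit.
demo=$(mktemp -d)
printf 'RekeyLimit 256M 3600s\n' > "$demo/fixed"
printf 'RekeyLimit 256M\n'       > "$demo/data_only"
printf '# no rekey setting\n'    > "$demo/unset"
for f in fixed data_only unset; do
  if rekey_ok "$demo/$f"; then echo "$f: time-based rekey <= 1h";
  else echo "$f: NOT compliant ($(rekey_seconds "$demo/$f")s)"; fi
done
rm -rf "$demo"
```

To check the outbound client configuration named above, run `rekey_ok /config/ssh/ssh_config` and test its exit status.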

Fix Information

SSH sessions are now rekeyed every hour regardless of the quantity of data transferred.

Behavior Change