Setting SSH2 Rekeying Interval

Data transmission between server and client in each SSH2 session is encrypted using session keys.

Session keys are generated after negotiation between server and client using Diffie-Hellman algorithm (see Diffie-Hellman Overview). Cryptanalysis experts advise that it is unsafe to use the same session key to encrypt data over long periods of time. With enough captured data you could analyze the traffic and compromise the key, so it is advisable to keep changing the session keys after a certain interval.

You can configure the SSHv2 session rekeying interval by specifying a time interval and/or a data limit. After the configured time interval, the SSH server forces the client to perform a key negotiation for a new session key. This new key is used for SSH communication until the next rekeying. After configuring the SSH session rekeying time interval, configured SSH idle-timeout is disabled, so the idle-timeout occurs at the globally configured idle-timeout, instead of SSH configured idle-timeout.

Default value for data limit varies depending upon the encryption algorithm being used. For algorithms with a block size of 128-bits, data-limit is 4GB; for algorithms with a block size of 64-bits, the data limit is 1GB. This is the limitation by OpenSSH. For example, if the communication is through 3-DES algorithm and the data limit is configured at 4GB, rekeying occurs after 1GB of data is transferred. If the communication is using AES algorithm with same configuration, rekeying occurs after 4GB data is transferred. This issue does not occur if you limit the range to 1GB, instead of 4GB for the data limit.

To set the rekey interval, use the following command:

configure ssh2 rekey [time-interval [time_interval |none] |data-limit [data_size |default]]

To view your selections for rekeying, use the following commands:

show ssh2


show management