[Bug 3381] RekeyLimit mechanism does not work if it is defined at the end of the file

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Tue Jan 18 22:52:09 AEDT 2022 

https://bugzilla.mindrot.org/show_bug.cgi?id=3381

--- Comment #4 from Darren Tucker <dtucker at dtucker.net> ---
I can't reproduce with the example config supplied and stock 8.8.

$ wc -l /tmp/sshd_config; tail -1 /tmp/sshd_config 
142 /tmp/sshd_config
RekeyLimit 1M 90s

with an idle client:

$ sudo `pwd`/sshd -f /tmp/sshd_config -ddde -p2022 2>&1 | while read a;
do echo $(date '+%H:%M:%S') $a; done | egrep -i 'newkeys|rekey'
22:25:06 debug3: /tmp/sshd_config:142 setting RekeyLimit 1M 90s
22:25:14 debug3: rexec:142 setting RekeyLimit 1M 90s
22:25:14 debug3: rekey after 1048576 bytes, 90 seconds [preauth]
22:25:14 debug2: set_newkeys: mode 1 [preauth]
22:25:14 debug1: rekey out after 131072 blocks [preauth]
22:25:14 debug1: SSH2_MSG_NEWKEYS sent [preauth]
22:25:14 debug1: expecting SSH2_MSG_NEWKEYS [preauth]
22:25:14 debug1: SSH2_MSG_NEWKEYS received [preauth]
22:25:14 debug2: set_newkeys: mode 0 [preauth]
22:25:14 debug1: rekey in after 131072 blocks [preauth]
22:25:14 debug2: set_newkeys: mode 0
22:25:14 debug1: rekey in after 131072 blocks
22:25:14 debug2: set_newkeys: mode 1
22:25:14 debug1: rekey out after 131072 blocks
[... ~90s later it triggers a rekey ...]
22:26:43 debug3: ssh_packet_check_rekey: rekex triggered
22:26:43 debug2: set_newkeys: mode 1
22:26:43 debug1: ssh_set_newkeys: rekeying out, input 4532 bytes 237
blocks, output 4472 bytes 319 blocks
22:26:43 debug1: rekey out after 131072 blocks
22:26:43 debug1: SSH2_MSG_NEWKEYS sent
22:26:43 debug1: expecting SSH2_MSG_NEWKEYS
22:26:43 debug1: SSH2_MSG_NEWKEYS received
22:26:43 debug2: set_newkeys: mode 0
22:26:43 debug1: ssh_set_newkeys: rekeying in, input 4544 bytes 238
blocks, output 4472 bytes 0 blocks
22:26:43 debug1: rekey in after 131072 blocks

and with a client that dd's 1MB of stuff, we can also see it rekey
~immediately:

$ sudo `pwd`/sshd -f /tmp/sshd_config -ddde -p2022 2>&1 | while read a;
do echo $(date '+%H:%M:%S') $a; done | egrep -i 'newkeys'
22:40:40 debug2: set_newkeys: mode 1 [preauth]
22:40:40 debug1: SSH2_MSG_NEWKEYS sent [preauth]
22:40:40 debug1: expecting SSH2_MSG_NEWKEYS [preauth]
22:40:40 debug1: SSH2_MSG_NEWKEYS received [preauth]
22:40:40 debug2: set_newkeys: mode 0 [preauth]
22:40:40 debug2: set_newkeys: mode 0
22:40:40 debug2: set_newkeys: mode 1
22:40:40 debug2: set_newkeys: mode 1
22:40:40 debug1: ssh_set_newkeys: rekeying out, input 4392 bytes 216
blocks, output 922664 bytes 115070 blocks
22:40:40 debug1: SSH2_MSG_NEWKEYS sent
22:40:40 debug1: expecting SSH2_MSG_NEWKEYS
22:40:40 debug1: SSH2_MSG_NEWKEYS received
22:40:40 debug2: set_newkeys: mode 0
22:40:40 debug1: ssh_set_newkeys: rekeying in, input 4404 bytes 217
blocks, output 939068 bytes 2050 blocks

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

More information about the openssh-bugs mailing list