Question about RekeyLimit enforcement before authentication (FCS_SSH_EXT.1.8)
Darren Tucker
dtucker at dtucker.net
Tue Dec 23 10:21:44 AEDT 2025
On Tue, 23 Dec 2025 at 09:53, Damien Miller <djm at mindrot.org> wrote:
> On Mon, 22 Dec 2025, faezeh dehghan wrote:
>
> > Dear OpenSSH maintainers,
> >
> > I am currently going through a security certification process where my
> > system is required to satisfy the requirement *FCS_SSH_EXT.1.8*.
> >
> > To configure this, I have set the following option on the server side:
> >
> > RekeyLimit 1h 1G
> >
> > The test laboratory verifies this requirement *before authentication*.
> > Their test procedure is roughly as follows:
>
> OpenSSH does not support rekeying before authentication completes.
> This keeps our preauthentication code simple.
>
> Authentication duration is bounded by LoginGraceTime (default 2m), so
> it's unlikely that time-based rekeying will ever happen unless the
> defaults have been radically overridden.
>
BTW if I'm reading this correctly:
https://commoncriteria.github.io/pp/ssh/ssh-release.html
"""
The TSF shall ensure that [selection: a rekey of the session keys, [or]
connection termination] occurs when any of the following thresholds are met:
one hour connection time
[...]
It is acceptable for a TOE to implement lower thresholds than the maximum
values defined in the SFR.
"""
The default "LoginGraceTime 2m" causes a connection termination, which is
one of the specified behaviours, after 2 minutes, which is less than the
specified time, and this lower time threshold is acceptable. Thus the
default configuration already meets this time-based rekeying spec, and you
would need to increase LoginGraceTime a considerable amount in order to
cause it to not meet that spec.
--
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
More information about the openssh-unix-dev
mailing list