Client-keep-alive interaction with time-based rekeying

Giladov, Emil egiladov at ciena.com
Thu Feb 4 08:25:25 AEDT 2021


I recently updated openssh from 7.9 to 8.4 and noticed that the time-based rekeying doesn't happen automatically on idle connections until a packet is sent from the client.
I was able to narrow it down to this commit in 8.0:


commit 21da87f439b48a85b951ef1518fe85ac0273e719
Author: djm at openbsd.org <djm at openbsd.org>
Date:   Wed Mar 27 09:29:14 2019 +0000

    upstream: fix interaction between ClientAliveInterval and RekeyLimit

    that could cause connection to close incorrectly; Report and patch from Jakub
    Jelen in bz#2757; ok dtucker@ markus@

    OpenBSD-Commit-ID: 17229a8a65bd8e6c2080318ec2b7a61e1aede3fb

diff --git a/serverloop.c b/serverloop.c

index f86f832b..d7b04b37 100644

--- a/serverloop.c

+++ b/serverloop.c

@@ -1,4 +1,4 @@

-/* $OpenBSD: serverloop.c,v 1.214 2019/03/06 21:06:59 dtucker Exp $ */

+/* $OpenBSD: serverloop.c,v 1.215 2019/03/27 09:29:14 djm Exp $ */

 /*

  * Author: Tatu Ylonen <ylo at cs.hut.fi<mailto:ylo at cs.hut.fi>>

  * Copyright (c) 1995 Tatu Ylonen <ylo at cs.hut.fi<mailto:ylo at cs.hut.fi>>, Espoo, Finland

@@ -248,9 +248,10 @@ wait_until_can_do_something(struct ssh *ssh,

                uint64_t keepalive_ms =

                    (uint64_t)options.client_alive_interval * 1000;



-               client_alive_scheduled = 1;

-               if (max_time_ms == 0 || max_time_ms > keepalive_ms)

+               if (max_time_ms == 0 || max_time_ms > keepalive_ms) {

                        max_time_ms = keepalive_ms;

+                       client_alive_scheduled = 1;

+               }

        }
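Review bot: moving `client_alive_scheduled = 1;` inside the `if` means it is set only when `keepalive_ms` becomes the select timeout; when `max_time_ms` is already nonzero and smaller than `keepalive_ms` (a RekeyLimit time shorter than ClientAliveInterval), this branch leaves `client_alive_scheduled` at 0, so the timeout now fires for the rekey deadline without any keepalive being requested, and if nothing else in the loop sends a packet on an idle connection the keepalive never goes out. Consider tracking the keepalive deadline separately and scheduling it once the accumulated idle time reaches `keepalive_ms`, rather than only when it is the nearest of the two timeouts.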

My config includes the following:

RekeyLimit default 10
ClientAliveInterval 15

From my experiments, this prevents the client-keep-alive from triggering when it is time for the rekeying to happen.
I was able to put the RekeyLimit to 35, and I observed the keep-alive messages being sent to the client twice, but radio silence afterwards.
I couldn't find any discussion on this, but is this a known issue?
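A constructed C model of the timeout selection in the quoted hunk, added here to illustrate the behaviour described in the post; it is example code, not OpenSSH's own. It assumes the 1 s clamp of ssh_packet_get_rekey_timeout() for an overdue rekey, and that on a fully idle connection the keepalive request is the only outbound packet the server generates (and so the only event that lets a pending time-based rekey start).

```c
#include <stdint.h>

/* Constructed model of the timeout selection in wait_until_can_do_something();
 * not OpenSSH code. after_fix selects the pre- or post-21da87f4 logic. */
struct sched { uint64_t max_time_ms; int client_alive_scheduled; };

/* rekey_ms: time until the time-based rekey is due (0 = no limit);
 * alive_s: ClientAliveInterval in seconds (0 = disabled). */
static struct sched pick_timeout(uint64_t rekey_ms, int alive_s, int after_fix)
{
    struct sched s = { rekey_ms, 0 };
    if (alive_s > 0) {
        uint64_t keepalive_ms = (uint64_t)alive_s * 1000;
        if (after_fix) {
            /* 8.0+: the keepalive is scheduled only when it is the nearest deadline */
            if (s.max_time_ms == 0 || s.max_time_ms > keepalive_ms) {
                s.max_time_ms = keepalive_ms;
                s.client_alive_scheduled = 1;
            }
        } else {
            /* pre-8.0: scheduled on every wakeup, including ones meant for the rekey */
            s.client_alive_scheduled = 1;
            if (s.max_time_ms == 0 || s.max_time_ms > keepalive_ms)
                s.max_time_ms = keepalive_ms;
        }
    }
    return s;
}

/* Fully idle connection (rekey_s > 0): every select() times out. Counts keepalive
 * requests sent in idle_s seconds; they are the only packets the server emits, so
 * they are also the only thing that lets an overdue time-based rekey start. */
static int keepalives_sent_while_idle(int rekey_s, int alive_s, int idle_s, int after_fix)
{
    uint64_t now = 0, rekey_due = (uint64_t)rekey_s * 1000, end = (uint64_t)idle_s * 1000;
    int sent = 0;
    while (now < end) {
        /* assumption: ssh_packet_get_rekey_timeout() clamps an overdue rekey to 1 s */
        uint64_t rekey_ms = rekey_due > now ? rekey_due - now : 1000;
        struct sched s = pick_timeout(rekey_ms, alive_s, after_fix);
        now += s.max_time_ms;               /* select() returned on timeout */
        if (s.client_alive_scheduled) {
            sent++;                         /* client_alive_check() sent a request */
            if (now >= rekey_due)           /* that packet lets the pending rekey run */
                rekey_due = now + (uint64_t)rekey_s * 1000;
        }
    }
    return sent;
}
```

With RekeyLimit default 10 and ClientAliveInterval 15 the post-8.0 logic never schedules a keepalive on an idle connection, and with RekeyLimit 35 it sends exactly two before the rekey deadline becomes the shorter timeout and nothing further goes out, matching the observation above.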
More information about the openssh-unix-dev mailing list