{"description": "The <tt>RekeyLimit</tt> parameter specifies how often\nthe session key is renegotiated, both in terms of\namount of data that may be transmitted and the time\nelapsed. To decrease the default limits, put line\n<tt>RekeyLimit <sub idref=\"var_ssh_client_rekey_limit_size\" /> <sub idref=\"var_ssh_client_rekey_limit_time\" /></tt> to file <tt>/etc/ssh/ssh_config.d/02-rekey-limit.conf</tt>.\nMake sure that there is no other <tt>RekeyLimit</tt> configuration preceding\nthe <tt>include</tt> directive in the main config file\n<tt>/etc/ssh/ssh_config</tt>. Check also other files in\n<tt>/etc/ssh/ssh_config.d</tt> directory. Files are processed according to\nlexicographical order of file names. Make sure that there is no file\nprocessed before <tt>02-rekey-limit.conf</tt> containing definition of\n<tt>RekeyLimit</tt>.", "rationale": "By decreasing the limit based on the amount of data and enabling\ntime-based limit, effects of potential attacks against\nencryption keys are limited.", "severity": "medium", "references": {"ospp": ["FCS_SSH_EXT.1.8"], "srg": ["SRG-OS-000423-GPOS-00187", "SRG-OS-000033-GPOS-00014", "SRG-OS-000424-GPOS-00188"]}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": "it is commented out or is not set", "ocil": "To check if RekeyLimit is set correctly, run the following command:\n<pre>$ sudo grep RekeyLimit /etc/ssh/ssh_config.d/*.conf</pre>\nIf configured properly, output should be\n<pre>/etc/ssh/ssh_config.d/02-rekey-limit.conf:\nRekeyLimit <sub idref=\"var_ssh_client_rekey_limit_size\" /> <sub idref=\"var_ssh_client_rekey_limit_time\" /></pre>\nCheck also the main configuration file with the following command:\n<pre>$ sudo grep RekeyLimit /etc/ssh/ssh_config</pre>\nThe command should not return any output.", "oval_external_content": null, "fixtext": "Configure Ubuntu 22.04 to force a frequent session key renegotiation for SSH connections to the server by adding or modifying the following line in the \"/etc/ssh/sshd_config\" file:\n\nRekeyLimit <sub idref=\"var_ssh_client_rekey_limit_size\" /> <sub idref=\"var_ssh_client_rekey_limit_time\" />\n\nRestart the SSH daemon for the settings to take effect.\n\n$ sudo systemctl restart sshd.service", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "Ubuntu 22.04 must force a frequent session key renegotiation for SSH connections to the server.", "vuldiscussion": "Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered.\n\nThis requirement applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, and facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification.\n\nProtecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa.\n\nSession key regeneration limits the chances of a session key becoming compromised.", "checktext": "Verify the SSH server is configured to force frequent session key renegotiation with the following command:\n\n$ sudo grep -i rekeyLimit /etc/ssh/sshd_config\n\nRekeyLimit 1G 1h\n\nIf \"RekeyLimit\" does not have a maximum data amount and maximum time defined, is missing or commented out, this is a finding.", "fixtext": "Configure Ubuntu 22.04 to force a frequent session key renegotiation for SSH connections to the server by adding or modifying the following line in the \"/etc/ssh/sshd_config\" file:\n\nRekeyLimit 1G 1h\n\nRestart the SSH daemon for the settings to take effect.\n\n$ sudo systemctl restart sshd.service"}}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": [], "cpe_platform_names": [], "inherited_cpe_platform_names": [], "bash_conditional": null, "fixes": {}, "title": "Configure session renegotiation for SSH client", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/services/ssh/ssh_client/ssh_client_rekey_limit/rule.yml", "template": null}