Use this sshd_config file https://exampleconfig.com/view/openssh-centos7-etc-ssh-sshd_config Make sure RekeyLimit is comment-out with '#'. Add new RekeyLimit at the end of the file with time/quota limits. Save the file and restart the service. Test for rekey - see rekey does not occur. Re-edit the sshd_conf. Remove the new RekeyLimit from the end of the file and place it near the original RekeyLimit line. Save the file and restart the service. Test for rekey - see rekey occurs as expected.
Please attach debug output from a sshd server for both configurations. You can use something like "/usr/bin/sshd -ddd" to obtain this
To can also use config-test mode ("/path/to/sshd -T") to dump the effective configuration to stdout. $ cat /tmp/sshd_config RekeyLimit 3G 1h $ sudo /usr/sbin/sshd -f /tmp/sshd_config -T | grep rekeylimit rekeylimit 3221225472 3600 $ wget -O sshd_config.example http://exampleconfig.com/static/raw/openssh/centos7/etc/ssh/sshd_config $ echo "RekeyLimit 3G 1h" >>/tmp/sshd_config.example $ sudo /usr/sbin/sshd -f /tmp/sshd_config.example -T | grep rekeylimit rekeylimit 3221225472 3600 Can you provide the problematic config? Does it have an uncommented Match statement in there somewhere?
I have only commented lines in my configuration except the last one. Adding an example. The numbers are just an example. on DEBUG3 I can see messages that tries to set the Rekey to the values at the end of the file - but when I am looking for the actual Rekey messages I don't see them ----------- # $OpenBSD: sshd_config,v 1.100 2016/08/15 12:32:04 naddy Exp $ # This is the sshd server system-wide configuration file. See # sshd_config(5) for more information. # This sshd was compiled with PATH=/usr/local/bin:/usr/bin # The strategy used for options in the default sshd_config shipped with # OpenSSH is to specify options with their default value where # possible, but leave them commented. Uncommented options override the # default value. # If you want to change the port on a SELinux system, you have to tell # SELinux about this change. # semanage port -a -t ssh_port_t -p tcp #PORTNUMBER # #Port 22 #AddressFamily any #ListenAddress 0.0.0.0 #ListenAddress :: HostKey /etc/ssh/ssh_host_rsa_key #HostKey /etc/ssh/ssh_host_dsa_key HostKey /etc/ssh/ssh_host_ecdsa_key HostKey /etc/ssh/ssh_host_ed25519_key # Ciphers and keying #RekeyLimit 1G 1w # Logging #SyslogFacility AUTH SyslogFacility AUTHPRIV #LogLevel INFO # Authentication: #LoginGraceTime 2m #PermitRootLogin yes #StrictModes yes #MaxAuthTries 6 #MaxSessions 10 #PubkeyAuthentication yes # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2 # but this is overridden so installations will only check .ssh/authorized_keys AuthorizedKeysFile .ssh/authorized_keys #AuthorizedPrincipalsFile none #AuthorizedKeysCommand none #AuthorizedKeysCommandUser nobody # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts #HostbasedAuthentication no # Change to yes if you don't trust ~/.ssh/known_hosts for # HostbasedAuthentication #IgnoreUserKnownHosts no # Don't read the user's ~/.rhosts and ~/.shosts files #IgnoreRhosts yes # To disable tunneled clear text passwords, change to no here! #PasswordAuthentication yes #PermitEmptyPasswords no PasswordAuthentication yes # Change to no to disable s/key passwords #ChallengeResponseAuthentication yes ChallengeResponseAuthentication no # Kerberos options #KerberosAuthentication no #KerberosOrLocalPasswd yes #KerberosTicketCleanup yes #KerberosGetAFSToken no #KerberosUseKuserok yes # GSSAPI options GSSAPIAuthentication yes GSSAPICleanupCredentials no #GSSAPIStrictAcceptorCheck yes #GSSAPIKeyExchange no #GSSAPIEnablek5users no # Set this to 'yes' to enable PAM authentication, account processing, # and session processing. If this is enabled, PAM authentication will # be allowed through the ChallengeResponseAuthentication and # PasswordAuthentication. Depending on your PAM configuration, # PAM authentication via ChallengeResponseAuthentication may bypass # the setting of "PermitRootLogin without-password". # If you just want the PAM account and session checks to run without # PAM authentication, then enable this but set PasswordAuthentication # and ChallengeResponseAuthentication to 'no'. # WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux and may cause several # problems. UsePAM yes #AllowAgentForwarding yes #AllowTcpForwarding yes #GatewayPorts no X11Forwarding no #X11DisplayOffset 10 #X11UseLocalhost yes #PermitTTY yes #PrintMotd yes #PrintLastLog yes #TCPKeepAlive yes #UseLogin no #UsePrivilegeSeparation sandbox #PermitUserEnvironment no #Compression delayed #ClientAliveInterval 0 #ClientAliveCountMax 3 #ShowPatchLevel no #UseDNS yes #PidFile /var/run/sshd.pid #MaxStartups 10:30:100 #PermitTunnel no #ChrootDirectory none #VersionAddendum none # no default banner path #Banner none # Accept locale-related environment variables AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE AcceptEnv XMODIFIERS # override default of no subsystems Subsystem sftp /usr/libexec/openssh/sftp-server # Example of overriding settings on a per-user basis #Match User anoncvs # X11Forwarding no # AllowTcpForwarding no # PermitTTY no # ForceCommand cvs server RekeyLimit 500M 90s
I can't reproduce with the example config supplied and stock 8.8. $ wc -l /tmp/sshd_config; tail -1 /tmp/sshd_config 142 /tmp/sshd_config RekeyLimit 1M 90s with an idle client: $ sudo `pwd`/sshd -f /tmp/sshd_config -ddde -p2022 2>&1 | while read a; do echo $(date '+%H:%M:%S') $a; done | egrep -i 'newkeys|rekey' 22:25:06 debug3: /tmp/sshd_config:142 setting RekeyLimit 1M 90s 22:25:14 debug3: rexec:142 setting RekeyLimit 1M 90s 22:25:14 debug3: rekey after 1048576 bytes, 90 seconds [preauth] 22:25:14 debug2: set_newkeys: mode 1 [preauth] 22:25:14 debug1: rekey out after 131072 blocks [preauth] 22:25:14 debug1: SSH2_MSG_NEWKEYS sent [preauth] 22:25:14 debug1: expecting SSH2_MSG_NEWKEYS [preauth] 22:25:14 debug1: SSH2_MSG_NEWKEYS received [preauth] 22:25:14 debug2: set_newkeys: mode 0 [preauth] 22:25:14 debug1: rekey in after 131072 blocks [preauth] 22:25:14 debug2: set_newkeys: mode 0 22:25:14 debug1: rekey in after 131072 blocks 22:25:14 debug2: set_newkeys: mode 1 22:25:14 debug1: rekey out after 131072 blocks [... ~90s later it triggers a rekey ...] 22:26:43 debug3: ssh_packet_check_rekey: rekex triggered 22:26:43 debug2: set_newkeys: mode 1 22:26:43 debug1: ssh_set_newkeys: rekeying out, input 4532 bytes 237 blocks, output 4472 bytes 319 blocks 22:26:43 debug1: rekey out after 131072 blocks 22:26:43 debug1: SSH2_MSG_NEWKEYS sent 22:26:43 debug1: expecting SSH2_MSG_NEWKEYS 22:26:43 debug1: SSH2_MSG_NEWKEYS received 22:26:43 debug2: set_newkeys: mode 0 22:26:43 debug1: ssh_set_newkeys: rekeying in, input 4544 bytes 238 blocks, output 4472 bytes 0 blocks 22:26:43 debug1: rekey in after 131072 blocks and with a client that dd's 1MB of stuff, we can also see it rekey ~immediately: $ sudo `pwd`/sshd -f /tmp/sshd_config -ddde -p2022 2>&1 | while read a; do echo $(date '+%H:%M:%S') $a; done | egrep -i 'newkeys' 22:40:40 debug2: set_newkeys: mode 1 [preauth] 22:40:40 debug1: SSH2_MSG_NEWKEYS sent [preauth] 22:40:40 debug1: expecting SSH2_MSG_NEWKEYS [preauth] 22:40:40 debug1: SSH2_MSG_NEWKEYS received [preauth] 22:40:40 debug2: set_newkeys: mode 0 [preauth] 22:40:40 debug2: set_newkeys: mode 0 22:40:40 debug2: set_newkeys: mode 1 22:40:40 debug2: set_newkeys: mode 1 22:40:40 debug1: ssh_set_newkeys: rekeying out, input 4392 bytes 216 blocks, output 922664 bytes 115070 blocks 22:40:40 debug1: SSH2_MSG_NEWKEYS sent 22:40:40 debug1: expecting SSH2_MSG_NEWKEYS 22:40:40 debug1: SSH2_MSG_NEWKEYS received 22:40:40 debug2: set_newkeys: mode 0 22:40:40 debug1: ssh_set_newkeys: rekeying in, input 4404 bytes 217 blocks, output 939068 bytes 2050 blocks