Giladov, Emil
2021-Feb-03 21:25 UTC
Client-keep-alive interaction with time-based rekeying
I recently updated openssh from 7.9 to 8.4 and noticed that the time-based rekeying doesn't happen automatically on idle connections until a packet is sent from the client. I was able to narrow it down to this commit in 8.0:

commit 21da87f439b48a85b951ef1518fe85ac0273e719
Author: djm at openbsd.org <djm at openbsd.org>
Date:   Wed Mar 27 09:29:14 2019 +0000

    upstream: fix interaction between ClientAliveInterval and RekeyLimit
    that could cause connection to close incorrectly; Report and patch from
    Jakub Jelen in bz#2757; ok dtucker@ markus@

    OpenBSD-Commit-ID: 17229a8a65bd8e6c2080318ec2b7a61e1aede3fb

diff --git a/serverloop.c b/serverloop.c
index f86f832b..d7b04b37 100644
--- a/serverloop.c
+++ b/serverloop.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: serverloop.c,v 1.214 2019/03/06 21:06:59 dtucker Exp $ */
+/* $OpenBSD: serverloop.c,v 1.215 2019/03/27 09:29:14 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo at cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo at cs.hut.fi>, Espoo, Finland
@@ -248,9 +248,10 @@ wait_until_can_do_something(struct ssh *ssh,
 		uint64_t keepalive_ms
 		    (uint64_t)options.client_alive_interval * 1000;
-		client_alive_scheduled = 1;
-		if (max_time_ms == 0 || max_time_ms > keepalive_ms)
+		if (max_time_ms == 0 || max_time_ms > keepalive_ms) {
 			max_time_ms = keepalive_ms;
+			client_alive_scheduled = 1;
+		}
 	}

My config includes the following:

RekeyLimit default 10
ClientAliveInterval 15

From my experiments, this prevents the client-keep-alive from triggering when it is time for the rekeying to happen. I was able to put the RekeyLimit to 35, and I observed the keep alive messages being sent to the client twice, but radio silence afterwards. I couldn't find any discussion on this, but is this a known issue?
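Review bot: moving `client_alive_scheduled = 1;` inside the `if (max_time_ms == 0 || max_time_ms > keepalive_ms)` block in the `wait_until_can_do_something` hunk means the flag is never set when a pending rekey deadline (`max_time_ms`) is shorter than `keepalive_ms`; the loop then wakes for the shorter rekey timeout with no keepalive armed, and nothing in the hunk re-arms it once that deadline has passed, so an idle session whose rekey timeout stays below the keepalive interval never sends a probe. Suggest either keeping the keepalive scheduled when the chosen timeout still lands at or past the next keepalive point, or adding a comment stating that a shorter rekey timeout now suppresses the keepalive probe, so the trade-off is explicit.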
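To make the timer interaction concrete, here is an added model (not the poster's code and not OpenSSH code) of the scheduling decision shown in the hunk, run over an idle session with the two configurations from the message. The model assumes, as labelled in the comments, that an overdue rekey deadline reports 1 s remaining rather than 0 and that a rekey only completes once the server itself sends a packet (the keepalive probe); both are simplifications, not facts taken from the page.

```python
"""Constructed model of the select-timeout choice in serverloop.c's
wait_until_can_do_something(), before and after commit 21da87f4.
Times are in milliseconds, matching keepalive_ms / max_time_ms in the hunk."""


def pick_timeout(rekey_remaining_ms, keepalive_ms, after_commit):
    """Return (timeout_ms, client_alive_scheduled) the way the two versions
    of the hunk would.  rekey_remaining_ms == 0 means no rekey deadline."""
    max_time_ms = rekey_remaining_ms
    client_alive_scheduled = 0
    if keepalive_ms > 0:
        if not after_commit:
            # Old code: the flag is set unconditionally.
            client_alive_scheduled = 1
        if max_time_ms == 0 or max_time_ms > keepalive_ms:
            max_time_ms = keepalive_ms
            if after_commit:
                # New code: the flag is set only when the keepalive
                # interval is the deadline that actually wins.
                client_alive_scheduled = 1
    return max_time_ms, client_alive_scheduled


def simulate_idle(rekey_limit_s, client_alive_interval_s, after_commit,
                  horizon_s=120):
    """Walk an idle session (no client traffic) and record when the server
    would send a keepalive probe and when a time-based rekey would fire.
    Assumptions (constructed for this model): an overdue rekey deadline
    reports 1000 ms remaining instead of 0, and a rekey only completes
    when the server sends a packet, which here is the keepalive probe."""
    keepalive_ms = client_alive_interval_s * 1000
    rekey_ms = rekey_limit_s * 1000
    now = 0
    rekey_deadline = rekey_ms
    keepalives, rekeys = [], []
    while now < horizon_s * 1000:
        remaining = max(rekey_deadline - now, 1000)  # assumption: never 0
        timeout, scheduled = pick_timeout(remaining, keepalive_ms, after_commit)
        now += timeout
        if scheduled:
            keepalives.append(now)
            if now >= rekey_deadline:
                # The probe is a sent packet, so the pending rekey proceeds.
                rekeys.append(now)
                rekey_deadline = now + rekey_ms
    return keepalives, rekeys


if __name__ == "__main__":
    for rekey, alive in ((10, 15), (35, 15)):
        for after in (False, True):
            ka, rk = simulate_idle(rekey, alive, after)
            print(f"RekeyLimit {rekey}s ClientAliveInterval {alive}s "
                  f"{'after' if after else 'before'} commit: "
                  f"keepalives={[t // 1000 for t in ka]} rekeys={[t // 1000 for t in rk]}")
```

With `RekeyLimit 10` and `ClientAliveInterval 15` the post-commit branch never sets `client_alive_scheduled`, so the model sends no probe and the rekey never gets a packet to ride on; with `RekeyLimit 35` it sends probes at 15 s and 30 s and then goes quiet once the 5 s rekey remainder becomes the shorter timeout, which is the two-probes-then-silence pattern described in the message.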