bugzilla-daemon at mindrot.org
2022-Jan-17 09:11 UTC
[Bug 3381] New: RekeyLimit mechanism does not work if it is defined at the end of the file
https://bugzilla.mindrot.org/show_bug.cgi?id=3381

            Bug ID: 3381
           Summary: RekeyLimit mechanism does not work if it is defined at the end of the file
           Product: Portable OpenSSH
           Version: 8.8p1
          Hardware: ix86
                OS: Linux
            Status: NEW
          Severity: minor
          Priority: P5
         Component: sshd
          Assignee: unassigned-bugs at mindrot.org
          Reporter: yaniv.german at gmail.com

Use this sshd_config file:
https://exampleconfig.com/view/openssh-centos7-etc-ssh-sshd_config

Make sure RekeyLimit is commented out with '#'.
Add a new RekeyLimit at the end of the file with time/quota limits.
Save the file and restart the service.
Test for rekey - see rekey does not occur.

Re-edit the sshd_config.
Remove the new RekeyLimit from the end of the file and place it near the original RekeyLimit line.
Save the file and restart the service.
Test for rekey - see rekey occurs as expected.

--
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2022-Jan-17 21:38 UTC
[Bug 3381] RekeyLimit mechanism does not work if it is defined at the end of the file
https://bugzilla.mindrot.org/show_bug.cgi?id=3381

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |djm at mindrot.org

--- Comment #1 from Damien Miller <djm at mindrot.org> ---
Please attach debug output from a sshd server for both configurations.
You can use something like "/usr/bin/sshd -ddd" to obtain this.
bugzilla-daemon at mindrot.org
2022-Jan-17 21:52 UTC
[Bug 3381] RekeyLimit mechanism does not work if it is defined at the end of the file
https://bugzilla.mindrot.org/show_bug.cgi?id=3381

Darren Tucker <dtucker at dtucker.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dtucker at dtucker.net

--- Comment #2 from Darren Tucker <dtucker at dtucker.net> ---
You can also use config-test mode ("/path/to/sshd -T") to dump the effective configuration to stdout.

$ cat /tmp/sshd_config
RekeyLimit 3G 1h
$ sudo /usr/sbin/sshd -f /tmp/sshd_config -T | grep rekeylimit
rekeylimit 3221225472 3600

$ wget -O sshd_config.example http://exampleconfig.com/static/raw/openssh/centos7/etc/ssh/sshd_config
$ echo "RekeyLimit 3G 1h" >>/tmp/sshd_config.example
$ sudo /usr/sbin/sshd -f /tmp/sshd_config.example -T | grep rekeylimit
rekeylimit 3221225472 3600

Can you provide the problematic config? Does it have an uncommented Match statement in there somewhere?
bugzilla-daemon at mindrot.org
2022-Jan-18 08:22 UTC
[Bug 3381] RekeyLimit mechanism does not work if it is defined at the end of the file
https://bugzilla.mindrot.org/show_bug.cgi?id=3381

--- Comment #3 from yanger <yaniv.german at gmail.com> ---
I have only commented lines in my configuration except the last one. Adding an example. The numbers are just an example.

On DEBUG3 I can see messages that try to set the Rekey to the values at the end of the file - but when I am looking for the actual Rekey messages I don't see them.

-----------
# $OpenBSD: sshd_config,v 1.100 2016/08/15 12:32:04 naddy Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
#
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit 1G 1w

# Logging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes

# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
#GSSAPIEnablek5users no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
# WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux and may cause several
# problems.
UsePAM yes

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation sandbox
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS

# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#       X11Forwarding no
#       AllowTcpForwarding no
#       PermitTTY no
#       ForceCommand cvs server

RekeyLimit 500M 90s
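A check for the question Darren raises in comment #2 (is the trailing RekeyLimit sitting inside an uncommented Match block?), added here as an illustration and not code from the bug thread or from OpenSSH: it walks an sshd_config the way sshd reads it, skipping commented lines and tracking Match scope, and converts the size/time arguments into the byte/second numbers that `sshd -T` prints. The two config excerpts are constructed from the reporter's file in comment #3; the scoped variant only uncomments the Match line.

```python
import re

# Constructed excerpts modelled on the sshd_config in comment #3 (Match is commented out there).
CONFIG_GLOBAL = """\
# Ciphers and keying
#RekeyLimit 1G 1w
Subsystem sftp /usr/libexec/openssh/sftp-server
#Match User anoncvs
#       X11Forwarding no
RekeyLimit 500M 90s
"""
# With Match live, the trailing RekeyLimit only applies to sessions matching "User anoncvs".
CONFIG_SCOPED = CONFIG_GLOBAL.replace("#Match User", "Match User")

SIZE_UNITS = {"": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}
TIME_UNITS = {"": 1, "S": 1, "M": 60, "H": 3600, "D": 86400, "W": 604800}

def _scaled(token, pattern, units, what):
    m = re.fullmatch(pattern, token, re.I)
    if m is None:
        raise ValueError(f"unsupported RekeyLimit {what}: {token!r}")
    return int(m.group(1)) * units[m.group(2).upper()]

def parse_rekeylimit(args):
    """Turn RekeyLimit's 'SIZE [TIME]' arguments into the (bytes, seconds) pair
    that 'sshd -T' prints, e.g. '3G 1h' -> (3221225472, 3600). A missing time or
    'none' means no time-based rekeying and is reported as 0."""
    parts = args.split()
    size = _scaled(parts[0], r"(\d+)([KMG]?)", SIZE_UNITS, "size")
    seconds = 0
    if len(parts) > 1 and parts[1].lower() != "none":
        seconds = _scaled(parts[1], r"(\d+)([SMHDW]?)", TIME_UNITS, "time")
    return size, seconds

def scan_rekeylimit(config_text):
    """Return every live RekeyLimit as (line number, scope, (bytes, seconds)); commented
    lines are skipped and every directive after a Match line belongs to that Match block."""
    scope, hits = "global", []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = re.split(r"[\s=]+", line, maxsplit=1)  # keywords are case-insensitive
        key, args = fields[0].lower(), (fields[1] if len(fields) > 1 else "")
        if key == "match":
            scope = f"Match {args}"
        elif key == "rekeylimit":
            hits.append((lineno, scope, parse_rekeylimit(args)))
    return hits
```

Running `scan_rekeylimit` over both excerpts shows the same line 6 directive reported as global in one and as scoped to `Match User anoncvs` in the other, which is the difference `sshd -T` would also expose.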
bugzilla-daemon at mindrot.org
2022-Jan-18 11:52 UTC
[Bug 3381] RekeyLimit mechanism does not work if it is defined at the end of the file
https://bugzilla.mindrot.org/show_bug.cgi?id=3381

--- Comment #4 from Darren Tucker <dtucker at dtucker.net> ---
I can't reproduce with the example config supplied and stock 8.8.

$ wc -l /tmp/sshd_config; tail -1 /tmp/sshd_config
142 /tmp/sshd_config
RekeyLimit 1M 90s

with an idle client:

$ sudo `pwd`/sshd -f /tmp/sshd_config -ddde -p2022 2>&1 | while read a; do echo $(date '+%H:%M:%S') $a; done | egrep -i 'newkeys|rekey'
22:25:06 debug3: /tmp/sshd_config:142 setting RekeyLimit 1M 90s
22:25:14 debug3: rexec:142 setting RekeyLimit 1M 90s
22:25:14 debug3: rekey after 1048576 bytes, 90 seconds [preauth]
22:25:14 debug2: set_newkeys: mode 1 [preauth]
22:25:14 debug1: rekey out after 131072 blocks [preauth]
22:25:14 debug1: SSH2_MSG_NEWKEYS sent [preauth]
22:25:14 debug1: expecting SSH2_MSG_NEWKEYS [preauth]
22:25:14 debug1: SSH2_MSG_NEWKEYS received [preauth]
22:25:14 debug2: set_newkeys: mode 0 [preauth]
22:25:14 debug1: rekey in after 131072 blocks [preauth]
22:25:14 debug2: set_newkeys: mode 0
22:25:14 debug1: rekey in after 131072 blocks
22:25:14 debug2: set_newkeys: mode 1
22:25:14 debug1: rekey out after 131072 blocks
[... ~90s later it triggers a rekey ...]
22:26:43 debug3: ssh_packet_check_rekey: rekex triggered
22:26:43 debug2: set_newkeys: mode 1
22:26:43 debug1: ssh_set_newkeys: rekeying out, input 4532 bytes 237 blocks, output 4472 bytes 319 blocks
22:26:43 debug1: rekey out after 131072 blocks
22:26:43 debug1: SSH2_MSG_NEWKEYS sent
22:26:43 debug1: expecting SSH2_MSG_NEWKEYS
22:26:43 debug1: SSH2_MSG_NEWKEYS received
22:26:43 debug2: set_newkeys: mode 0
22:26:43 debug1: ssh_set_newkeys: rekeying in, input 4544 bytes 238 blocks, output 4472 bytes 0 blocks
22:26:43 debug1: rekey in after 131072 blocks

and with a client that dd's 1MB of stuff, we can also see it rekey ~immediately:

$ sudo `pwd`/sshd -f /tmp/sshd_config -ddde -p2022 2>&1 | while read a; do echo $(date '+%H:%M:%S') $a; done | egrep -i 'newkeys'
22:40:40 debug2: set_newkeys: mode 1 [preauth]
22:40:40 debug1: SSH2_MSG_NEWKEYS sent [preauth]
22:40:40 debug1: expecting SSH2_MSG_NEWKEYS [preauth]
22:40:40 debug1: SSH2_MSG_NEWKEYS received [preauth]
22:40:40 debug2: set_newkeys: mode 0 [preauth]
22:40:40 debug2: set_newkeys: mode 0
22:40:40 debug2: set_newkeys: mode 1
22:40:40 debug2: set_newkeys: mode 1
22:40:40 debug1: ssh_set_newkeys: rekeying out, input 4392 bytes 216 blocks, output 922664 bytes 115070 blocks
22:40:40 debug1: SSH2_MSG_NEWKEYS sent
22:40:40 debug1: expecting SSH2_MSG_NEWKEYS
22:40:40 debug1: SSH2_MSG_NEWKEYS received
22:40:40 debug2: set_newkeys: mode 0
22:40:40 debug1: ssh_set_newkeys: rekeying in, input 4404 bytes 217 blocks, output 939068 bytes 2050 blocks
bugzilla-daemon at mindrot.org
2023-Oct-11 07:51 UTC
[Bug 3381] RekeyLimit mechanism does not work if it is defined at the end of the file
https://bugzilla.mindrot.org/show_bug.cgi?id=3381

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |WORKSFORME
             Status|NEW                         |RESOLVED

--- Comment #5 from Damien Miller <djm at mindrot.org> ---
closing for lack of followup