openssh unix dev - Jun 2005 - rekeying in SSH-2 and session setup?

Dear all,
while playing around with openssh-4.1p1 (trying to add AFS token
forwarding in SSH-2), I noticed that agressive rekeying (as e.g.
employed by regress/rekey.sh, rekeying every 16bytes) seems to disturb
the various forwardings (X11, agent) set up at the beginning of the
session. These do not trigger regression test errors, since the client
does not ask for confirmation from the server for these commands (except
for remote port forwarding, and that one isn't set up by default).

Setting the minimum rekey limit to a higher value that covers all of the
session setup would be easy, but at least the port forwarding can get
added also later during the session. I guess that a rekey event at this
stage would kill the connection (explicit 'packet_disconnect()' if we
receive neither SUCCESS nor FAILURE from the server).

Could somebody perhaps check whether I am completely off-track with
this? I'd also be grateful on advice how to handle or prevent rekeying
events during session setup, e.g. in ssh_session2_setup().

Thanks
Jan

Jan Iven wrote:
> Dear all,
> while playing around with openssh-4.1p1 (trying to add AFS token
> forwarding in SSH-2), I noticed that agressive rekeying (as e.g.
> employed by regress/rekey.sh, rekeying every 16bytes) seems to disturb
> the various forwardings (X11, agent) set up at the beginning of the
> session. These do not trigger regression test errors, since the client
> does not ask for confirmation from the server for these commands (except
> for remote port forwarding, and that one isn't set up by default).
Yes, we should probably set want_reply for forwarding setups and (at
least) warn when they are refused.

This would be a fairly easy project for someone who wants to start
hacking OpenSSH (hint, hint).

That rekeying causes problems is more concerning (I'll look at this),
but 16 bytes is an absurdly low limit - it isn't even enough to fit a
protocol v.2 packet.

-d