Hi,

the OpenSSH documentation regarding "RekeyLimit" specifies:

| RekeyLimit
|   Specifies the maximum amount of data that may be transmitted before
|   the session key is renegotiated, optionally followed by a maximum
|   amount of time that may pass before the session key is
|   renegotiated. The first argument is specified in bytes and may have
|   a suffix of ‘K’, ‘M’, or ‘G’ to indicate Kilobytes, Megabytes, or
|   Gigabytes, respectively. The default is between ‘1G’ and ‘4G’,
|   depending on the cipher.

Checking packet.c we see the following code:

| /*
|  * The 2^(blocksize*2) limit is too expensive for 3DES,
|  * blowfish, etc, so enforce a 1GB limit for small blocksizes.
|  */
| if (enc->block_size >= 16)
|     *max_blocks = (u_int64_t)1 << (enc->block_size*2);
| else
|     *max_blocks = ((u_int64_t)1 << 30) / enc->block_size;

This makes the default RekeyLimit 2G bytes for "small" ciphers like 3des-cbc (which has an enc->block_size of 8).

On other ciphers like aes128-cbc, which have an enc->block_size of 16, this makes max_blocks = 1 << 32, which is 4G blocks or, to be more precise, 64G bytes.

Either this is a coding oversight (missing an "/ enc->block_size") or the documentation is incorrect regarding the 4G limit.

CU,
    Sec
-- 
I think the IDE issue is a good point. People with IDE hardware in their machines should be punished by making them wait to boot... -- terry@xxxxxxxxxxx
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
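The following is an added example, not code from the message or from OpenSSH: it reproduces the quoted max_blocks computation for a given cipher block size, converts the result from blocks to bytes so it can be compared with the documented 1G to 4G range, and also evaluates the alternative branch the message hypothesises (dividing the large-block case by block_size). The function names, the range check and the hypothesised variant are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* Reproduces the max_blocks computation quoted from packet.c for a cipher
 * with the given block size in bytes. The shift guard is added defensively
 * for this example (shifting a 64-bit value by 64 or more is undefined). */
static uint64_t default_max_blocks(unsigned block_size)
{
    if (block_size >= 16) {
        if (block_size * 2 >= 64)
            return UINT64_MAX;
        return (uint64_t)1 << (block_size * 2);
    }
    return ((uint64_t)1 << 30) / block_size;
}

/* max_blocks counts cipher blocks, so the data volume before rekeying is
 * max_blocks multiplied by the block size. */
static uint64_t default_rekey_bytes(unsigned block_size)
{
    return default_max_blocks(block_size) * block_size;
}

/* Hypothetical variant (not OpenSSH code): the large-block branch also
 * divided by block_size, as the message suggests it might be missing. */
static uint64_t hypothesised_rekey_bytes(unsigned block_size)
{
    if (block_size >= 16 && block_size * 2 < 64)
        return (((uint64_t)1 << (block_size * 2)) / block_size) * block_size;
    return default_rekey_bytes(block_size);
}

/* Does a byte count fall inside the documented "between 1G and 4G" default? */
static int within_documented_range(uint64_t bytes)
{
    return bytes >= ((uint64_t)1 << 30) && bytes <= ((uint64_t)1 << 32);
}

int main(void)
{
    unsigned sizes[] = { 8, 16 }; /* 3des-cbc and aes128-cbc block sizes */
    for (unsigned i = 0; i < 2; i++) {
        unsigned bs = sizes[i];
        printf("block_size=%u max_blocks=%llu bytes=%llu (in doc range: %s) hypothesised bytes=%llu\n",
               bs, (unsigned long long)default_max_blocks(bs),
               (unsigned long long)default_rekey_bytes(bs),
               within_documented_range(default_rekey_bytes(bs)) ? "yes" : "no",
               (unsigned long long)hypothesised_rekey_bytes(bs));
    }
    return 0;
}
```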