I recently updated openssh from 7.9 to 8.4 and noticed that the time-based rekeying doesn't happen automatically on idle connections until a packet is sent from the client. I was able to narrow it down to this commit in 8.0: commit 21da87f439b48a85b951ef1518fe85ac0273e719 Author: djm@xxxxxxxxxxx<mailto:djm@xxxxxxxxxxx> <djm@xxxxxxxxxxx<mailto:djm@xxxxxxxxxxx>> Date: Wed Mar 27 09:29:14 2019 +0000 upstream: fix interaction between ClientAliveInterval and RekeyLimit that could cause connection to close incorrectly; Report and patch from Jakub Jelen in bz#2757; ok dtucker@ markus@ OpenBSD-Commit-ID: 17229a8a65bd8e6c2080318ec2b7a61e1aede3fb diff --git a/serverloop.c b/serverloop.c index f86f832b..d7b04b37 100644 --- a/serverloop.c +++ b/serverloop.c @@ -1,4 +1,4 @@ -/* $OpenBSD: serverloop.c,v 1.214 2019/03/06 21:06:59 dtucker Exp $ */ +/* $OpenBSD: serverloop.c,v 1.215 2019/03/27 09:29:14 djm Exp $ */ /* * Author: Tatu Ylonen <ylo@xxxxxxxxx<mailto:ylo@xxxxxxxxx>> * Copyright (c) 1995 Tatu Ylonen <ylo@xxxxxxxxx<mailto:ylo@xxxxxxxxx>>, Espoo, Finland @@ -248,9 +248,10 @@ wait_until_can_do_something(struct ssh *ssh, uint64_t keepalive_ms = (uint64_t)options.client_alive_interval * 1000; - client_alive_scheduled = 1; - if (max_time_ms == 0 || max_time_ms > keepalive_ms) + if (max_time_ms == 0 || max_time_ms > keepalive_ms) { max_time_ms = keepalive_ms; + client_alive_scheduled = 1; + } } My config includes the following: RekeyLimit default 10 ClientAliveInterval 15 >From my experiments, this prevents the client-keep-alive from triggering when it is time for the rekeying to happen. I was able to put the RekeyLimit to 35, and I observed the keep alive messages being sent to the client twice, but radio silence afterwards. I couldn't find any discussion on this, but is this a known issue? _______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev