SSH Re-Keying for SSH Server and SSH Client

To comply with RFC 4251, session rekeying allows either the SSH server or the SSH client to initiate a rekey. A rekey negotiates a new set of encryption and integrity keys between the two peers. Once the rekey is complete, the new keys are used for all further communication, which ensures that no single key is used for a long duration and that the security of the session is maintained.

Syntax

ip ssh rekey {time <MINUTES> | volume <SIZE>}

no ip ssh rekey

Description

Enable SSH key re-exchange.

The no form of the command disables SSH rekeying. If time or volume is specified with the no form, only that setting reverts to its default value.

Command context

config

Parameters

time <MINUTES>

Specifies the interval, in minutes, after which a rekey is initiated. Range: 10 to 60 minutes. Default: 60 minutes.

volume <SIZE>

Specifies the volume of data, in KB, after which a rekey is initiated. Range: 100 KB to 1048576 KB. Default: 1048576 KB.

Examples

Initiate rekeying every 45 minutes:

switch(config)# ip ssh rekey time 45

Reset the configured time to the default value (60 minutes):

switch(config)# no ip ssh rekey time

Initiate rekeying after every 2000 KB of data is transferred:

switch(config)# ip ssh rekey volume 2000

Reset the configured volume to the default value (1048576 KB):

switch(config)# no ip ssh rekey volume
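The time and volume triggers run in parallel, and whichever is reached first causes the rekey. On a busy link the volume trigger usually fires long before the time trigger, so a small volume value rekeys far more often than the time value suggests. The following added example (not from the switch documentation) validates a pair of settings against the ranges this command accepts and works out which trigger fires first at a given sustained throughput. The throughput figures are constructed sample values, and the CLI command itself is not executed.

```python
# Added example: models the two rekey triggers of "ip ssh rekey {time | volume}".
# Ranges and defaults are taken from the command reference above; throughput
# values passed in by the caller are constructed examples.

TIME_RANGE_MIN = (10, 60)          # minutes, accepted range of "time <MINUTES>"
VOLUME_RANGE_KB = (100, 1048576)   # KB, accepted range of "volume <SIZE>"
DEFAULT_TIME_MIN = 60
DEFAULT_VOLUME_KB = 1048576


def validate_rekey(time_min=DEFAULT_TIME_MIN, volume_kb=DEFAULT_VOLUME_KB):
    """Raise ValueError if either trigger is outside the range the switch accepts."""
    lo, hi = TIME_RANGE_MIN
    if not (lo <= time_min <= hi):
        raise ValueError(f"time must be {lo}..{hi} minutes, got {time_min}")
    lo, hi = VOLUME_RANGE_KB
    if not (lo <= volume_kb <= hi):
        raise ValueError(f"volume must be {lo}..{hi} KB, got {volume_kb}")
    return time_min, volume_kb


def seconds_to_volume_trigger(volume_kb, throughput_mbps):
    """Seconds of sustained traffic needed to move volume_kb through the session."""
    bytes_per_second = throughput_mbps * 1_000_000 / 8
    return volume_kb * 1024 / bytes_per_second


def first_rekey_trigger(time_min, volume_kb, throughput_mbps):
    """Return (trigger_name, seconds) for whichever trigger is reached first.

    trigger_name is "volume" when the configured data volume is transferred
    before the time interval elapses, otherwise "time".
    """
    validate_rekey(time_min, volume_kb)
    time_s = time_min * 60
    vol_s = seconds_to_volume_trigger(volume_kb, throughput_mbps)
    return ("volume", vol_s) if vol_s < time_s else ("time", time_s)


if __name__ == "__main__":
    # Defaults on a saturated 100 Mb/s link: the 1048576 KB volume trigger
    # is reached in well under two minutes, long before the 60 minute timer.
    print(first_rekey_trigger(60, 1048576, 100))
    # The "volume 2000" example from above at the same rate rekeys several
    # times per second of sustained transfer.
    print(first_rekey_trigger(60, 2000, 100))
    # On a mostly idle management session (constructed 1 Mb/s average) the
    # timer fires first.
    print(first_rekey_trigger(60, 1048576, 1))
```

With the defaults, the 60 minute timer only matters on sessions that move less than about 1 GB per hour; any sustained bulk transfer through the session rekeys on volume instead. When lowering the volume, check the resulting interval against the expected traffic so that the switch is not spending its time on key exchanges.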