Tags: configuration, openssh, sshd

Has KeyRegenerationInterval any effect in SSH2?


I am setting up a new Linux server and I am editing sshd_config. I will use protocol version 2 (which is the default anyway):

Protocol 2

But in the default config file I also find these two lines:

KeyRegenerationInterval 3600
ServerKeyBits 768

Manpage sshd_config(5) says about KeyRegenerationInterval:

In protocol version 1, the ephemeral server key is automatically regenerated after this many seconds (if it has been used). The purpose of regeneration is to prevent decrypting captured sessions by later breaking into the machine and stealing the keys. The key is never stored anywhere. If the value is 0, the key is never regenerated. The default is 3600 (seconds).

So I know what this parameter does in SSH1. But I don't use SSH1. I use the default version SSH2, but the manpage gives no information about the effect of KeyRegenerationInterval in protocol version 2. Has KeyRegenerationInterval any effect in protocol version 2? And what about ServerKeyBits?

What will happen if I leave these settings in the config file when I set Protocol 2? What will happen when I delete those two lines?

I guess that those two parameters are ignored if the protocol version is set to 2. But this is just a guess. From what I have read until now I can't know for sure. Do you KNOW (not guess) what effect KeyRegenerationInterval and ServerKeyBits have in SSH2?


Solution

  • TL;DR: No, these options have no effect in SSH-2 (and SSH-1 support has been removed since 2016).

    When unsure, source code is the best documentation.

    If we search for ServerKeyBits and KeyRegenerationInterval in the entire OpenSSH source code, we find only this in servconf.c:

            { "serverkeybits", sDeprecated, SSHCFG_GLOBAL },
            . . .
            { "keyregenerationinterval", sDeprecated, SSHCFG_GLOBAL },
            . . .
    
        case sDeprecated:
        case sIgnore:
        case sUnsupported:
            do_log2(opcode == sIgnore ?
                SYSLOG_LEVEL_DEBUG2 : SYSLOG_LEVEL_INFO,
                "%s line %d: %s option %s", filename, linenum,
                opcode == sUnsupported ? "Unsupported" : "Deprecated", arg);
            while (arg)
                arg = strdelim(&cp);
            break;
    

    In other words, both options simply print a deprecation warning and have no further effect.

    Then using the blame feature we find that the options were removed in the commit c38ea6348 of Aug 23, 2016 (OpenSSH 7.4p1):

    Remove more SSH1 server code:
    * Drop sshd's -k option.
    * Retire configuration keywords that only apply to protocol 1, as well as the "protocol" keyword.
    * Remove some related vestiges of protocol 1 support.
    

    Before that they were used only for SSH-1. E.g. KeyRegenerationInterval:

        { "keyregenerationinterval", sKeyRegenerationTime, SSHCFG_GLOBAL },
        . . .
    
        case sKeyRegenerationTime:
            intptr = &options->key_regeneration_time;
            goto parse_time;
    

    Used in sshd.c/L1442:

                if ((options.protocol & SSH_PROTO_1) &&
                    key_used == 0) {
                    /* Schedule server key regeneration alarm. */
                    signal(SIGALRM, key_regeneration_alarm);
                    alarm(options.key_regeneration_time);
                    key_used = 1;
                }
    

    Note: for SSH-2 there's a more powerful RekeyLimit.
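As an added example (not part of the original answer or of OpenSSH), the following Python audit mirrors the servconf.c handling quoted above: it finds SSH-1-only keywords in an sshd_config and builds the same "line N: Deprecated option X" message at the same log level. It assumes the keyword table is limited to the options discussed here, and treating the retired "protocol" keyword as sIgnore (rather than sDeprecated) is an assumption based on the commit message, not on the quoted source.

```python
"""Audit an sshd_config for SSH-1-only keywords, mirroring the quoted servconf.c logic."""
import re

# Lower-cased keyword -> opcode (sshd matches keywords case-insensitively).
# serverkeybits/keyregenerationinterval are sDeprecated per the quoted servconf.c
# table; treating "protocol" as sIgnore is an assumption based on the commit message.
SSH1_ONLY = {
    "serverkeybits": "sDeprecated",
    "keyregenerationinterval": "sDeprecated",
    "protocol": "sIgnore",
}
SSH2_REPLACEMENT = {"keyregenerationinterval": "RekeyLimit"}

# sshd accepts "Keyword value", "Keyword=value" and "Keyword = value".
_LINE = re.compile(r"^\s*([A-Za-z0-9]+)\s*(?:=\s*|\s+)(.*?)\s*$")

def parse_sshd_config(text):
    """Yield (lineno, keyword_as_written, argument); blank and '#' lines are comments."""
    for lineno, raw in enumerate(text.splitlines(), start=1):
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = _LINE.match(raw)
        if m:
            yield lineno, m.group(1), m.group(2)

def audit_sshd_config(text, filename="sshd_config"):
    """Return (findings, has_rekeylimit); each finding is (syslog_level, message)."""
    # Level and label follow the do_log2() call: sIgnore -> DEBUG2, sDeprecated -> INFO,
    # and both print "Deprecated" because neither is sUnsupported.
    findings, has_rekeylimit = [], False
    for lineno, keyword, _arg in parse_sshd_config(text):
        key = keyword.lower()
        if key == "rekeylimit":
            has_rekeylimit = True
        opcode = SSH1_ONLY.get(key)
        if opcode is None:
            continue
        level = "SYSLOG_LEVEL_DEBUG2" if opcode == "sIgnore" else "SYSLOG_LEVEL_INFO"
        msg = "%s line %d: Deprecated option %s" % (filename, lineno, keyword)
        if key in SSH2_REPLACEMENT:
            msg += " (SSH-2 equivalent: %s)" % SSH2_REPLACEMENT[key]
        findings.append((level, msg))
    return findings, has_rekeylimit

# Constructed sample configuration, not a real host's file.
SAMPLE_CONFIG = """\
# constructed sshd_config excerpt
Protocol 2
KeyRegenerationInterval 3600
ServerKeyBits 768
RekeyLimit default none
"""
```

Running `audit_sshd_config(SAMPLE_CONFIG)` flags lines 2 to 4 and reports that RekeyLimit is already present, which is the SSH-2 setting that actually governs rekeying.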