Proof for schannel Key expiry?

Andrew Tridgell tridge at osdl.org
Mon May 16 21:03:51 GMT 2005


Andrew,

 > In the Samba4 schannel code, you have a fixed, 5-min expiry on the
 > schannel credentials.  Did you ever have any proof that Windows has a
 > similar expiry?

No, I don't even remember doing that.

I do think some sort of expiry does make cryptographic sense though,
as unlike other auth mechanisms, schannel credentials last beyond the
lifetime of an established connection. That makes them ripe for
offline brute force attack. Only krb5 has similar properties in Samba,
and that has an expiry mechanism.

Maybe we should make it a 2 day expiry until we write a (rather slow)
test which gives us some idea on the lifetime of these credentials in
the Windows world.

Cheers, Tridge

