Proof for schannel Key expiry?

Andrew Tridgell tridge at
Mon May 16 21:03:51 GMT 2005


 > In the Samba4 schannel code, you have a fixed, 5-min expiry on the
 > schannel credentials.  Did you ever have any proof that Windows has a
 > similar expiry?

No, I don't even remember doing that.

I do think some sort of expiry does make cryptographic sense though,
as unlike other auth mechanisms, schannel credentials last beyond the
lifetime of an established connection. That makes them ripe for
offline brute force attack. Only krb5 has similar properties in Samba,
and that has an expiry mechanism.

Maybe we should make it a 2 day expiry until we write a (rather slow)
test which gives us some idea on the lifetime of these credentials in
the Windows world.

Cheers, Tridge

