Authentication Mechanisms¶

Mechanisms¶

ANONYMOUS¶

CRAM-MD5¶

DIGEST-MD5¶

EXTERNAL¶

G2¶

GSSAPI¶

Not sure how to get GSSAPI going? Check out our GSSAPI configuration guide.

GSS-SPEGNO¶

KERBEROS_V4¶

NTLM¶

OTP¶

OTP-MD4

OTP-MD5

OTP-SHA1

PASSDSS¶

PASSDSS-3DES-1

PLAIN¶

SCRAM¶

SCRAM-SHA-1

SCRAM-SHA-256

SRP¶

mda=sha1,rmd160,md5

confidentiality=des-ofb,des-ede-ofb,aes-128-ofb,bf-ofb,cast5-ofb,idea-ofb

Non-SASL Authentication¶

Summary¶

This table shows what security flags and features are supported by each of the mechanisms provided by the Cyrus SASL Library.

MAX SSF

SECURITY PROPERTIES

FEATURES

ANONYMOUS

0

X

CRAM-MD5

0

X

DIGEST-MD5

128

X

reauth

initial auth

X

EXTERNAL

0

X

G2

56

X

GSSAPI

56

X

GSS-SPNEGO

56

X

KERBEROS_V4

56

X

LOGIN

0

X

NTLM

0

X

OTP

0

X

PASSDSS

112

X

PLAIN

0

X

SCRAM

0

X

?

SRP

128

X

Understanding this table:

Security Properties:

MAX SSF - The maximum Security Strength Factor supported by the mechanism (roughly the number of bits of encryption provided, but may have other meanings, for example an SSF of 1 indicates integrity protection only, no encryption).
NOPLAIN - Mechanism is not susceptable to simple passive (eavesdropping) attack.
NOACTIVE - Protection from active (non-dictionary) attacks during authentication exchange. (Implies MUTUAL).
NODICT - Not susceptable to passive dictionary attack.
NOFORWARD - Breaking one session won’t help break the next.
NOANON - Don’t permit anonymous logins.
CRED - Mechanism can pass client credentials.
MUTUAL - Supports mutual authentication (authenticates the server to the client)

Features:

CLTFIRST - The client should send first in this mechanism.
SRVFIRST - The server must send first in this mechanism.
SRVLAST - This mechanism supports server-send-last configurations.
PROXY - This mechanism supports proxy authentication.
BIND - This mechanism supports channel binding.
HTTP - This mechanism has a profile for HTTP.