Authentication Mechanisms¶
Mechanisms¶
ANONYMOUS¶
CRAM-MD5¶
DIGEST-MD5¶
EXTERNAL¶
GS2¶
GSSAPI¶
Not sure how to get GSSAPI going? Check out our GSSAPI configuration guide.
GSS-SPEGNO¶
KERBEROS_V4¶
LOGIN¶
NTLM¶
OTP¶
OTP-MD4
OTP-MD5
OTP-SHA1
PASSDSS¶
PASSDSS-3DES-1
PLAIN¶
SCRAM¶
SCRAM-SHA-1(-PLUS)
SCRAM-SHA-224(-PLUS)
SCRAM-SHA-256(-PLUS)
SCRAM-SHA-384(-PLUS)
SCRAM-SHA-512(-PLUS)
SRP¶
mda=sha1,rmd160,md5
confidentiality=des-ofb,des-ede-ofb,aes-128-ofb,bf-ofb,cast5-ofb,idea-ofb
Non-SASL Authentication¶
Summary¶
This table shows what security flags and features are supported by each of the mechanisms provided by the Cyrus SASL Library.
| MAX SSF | SECURITY PROPERTIES | FEATURES | ||||||||||||
| NOPLAIN | NOACTIVE | NODICT | FORWARD | NOANON | CRED | MUTUAL | CLT FIRST | SRV FIRST | SRV LAST | PROXY | BIND | HTTP | ||
| ANONYMOUS | 0 | X | X | |||||||||||
| CRAM-MD5 | 0 | X | X | X | ||||||||||
| DIGEST-MD5 | 128 | X | X | X | reauth | initial auth | X | X | X | |||||
| EXTERNAL | 0 | X | X | X | X | X | ||||||||
| GS2 | 56 | X | X | X | X | X | X | X | X | |||||
| GSSAPI | 56 | X | X | X | X | X | X | X | X | |||||
| GSS-SPNEGO | 56 | X | X | X | X | X | X | X | X | |||||
| KERBEROS_V4 | 56 | X | X | X | X | X | X | |||||||
| LOGIN | 0 | X | X | X | ||||||||||
| NTLM | 0 | X | X | X | X | |||||||||
| OTP | 0 | X | X | X | X | X | ||||||||
| PASSDSS | 112 | X | X | X | X | X | X | X | X | X | ||||
| PLAIN | 0 | X | X | X | X | |||||||||
| SCRAM | 0 | X | X | X | X | X | X | X | X | X | ||||
| SRP | 128 | X | X | X | X | X | X | X | X | X | ||||
Understanding this table:
Security Properties:
- MAX SSF - The maximum Security Strength Factor supported by the mechanism (roughly the number of bits of encryption provided, but may have other meanings, for example an SSF of 1 indicates integrity protection only, no encryption). 
- NOPLAIN - Mechanism is not susceptable to simple passive (eavesdropping) attack. 
- NOACTIVE - Protection from active (non-dictionary) attacks during authentication exchange. (Implies MUTUAL). 
- NODICT - Not susceptable to passive dictionary attack. 
- NOFORWARD - Breaking one session won’t help break the next. 
- NOANON - Don’t permit anonymous logins. 
- CRED - Mechanism can pass client credentials. 
- MUTUAL - Supports mutual authentication (authenticates the server to the client) 
Features:
- CLTFIRST - The client should send first in this mechanism. 
- SRVFIRST - The server must send first in this mechanism. 
- SRVLAST - This mechanism supports server-send-last configurations. 
- PROXY - This mechanism supports proxy authentication. 
- BIND - This mechanism supports channel binding. 
- HTTP - This mechanism has a profile for HTTP.