Authentication Mechanisms

Mechanisms

ANONYMOUS

CRAM-MD5

DIGEST-MD5

EXTERNAL

G2

GSSAPI

Not sure how to get GSSAPI going? Check out our GSSAPI configuration guide.

GSS-SPEGNO

KERBEROS_V4

LOGIN

NTLM

OTP

PASSDSS

PLAIN

SCRAM

SRP

Non-SASL Authentication


Summary

This table shows what security flags and features are supported by each of the mechanisms provided by the Cyrus SASL Library.

  MAX SSF SECURITY PROPERTIES FEATURES
  NOPLAIN | NOACTIVE | NODICT | FORWARD | NOANON | CRED | MUTUAL CLT FIRST | SRV FIRST | SRV LAST | PROXY | BIND | HTTP
ANONYMOUS 0 X             X          
CRAM-MD5 0 X       X       X        
DIGEST-MD5 128 X       X   X reauth initial auth X X   X
EXTERNAL 0 X   X   X     X     X    
G2 56 X X     X   X X   X X X  
GSSAPI 56 X X     X X X X     X    
GSS-SPNEGO 56 X X     X X X X     X   X
KERBEROS_V4 56 X X     X   X   X   X    
LOGIN 0         X X     X        
NTLM 0 X       X     X         X
OTP 0 X     X X     X     X    
PASSDSS 112 X X X X X X X X     X    
PLAIN 0         X X   X     X    
SCRAM 0 X X     X   X X   X X X ?
SRP 128 X X X X X   X X   X X    

Understanding this table:

Security Properties:

  • MAX SSF - The maximum Security Strength Factor supported by the mechanism (roughly the number of bits of encryption provided, but may have other meanings, for example an SSF of 1 indicates integrity protection only, no encryption).
  • NOPLAIN - Mechanism is not susceptable to simple passive (eavesdropping) attack.
  • NOACTIVE - Protection from active (non-dictionary) attacks during authentication exchange. (Implies MUTUAL).
  • NODICT - Not susceptable to passive dictionary attack.
  • NOFORWARD - Breaking one session won’t help break the next.
  • NOANON - Don’t permit anonymous logins.
  • CRED - Mechanism can pass client credentials.
  • MUTUAL - Supports mutual authentication (authenticates the server to the client)

Features:

  • CLTFIRST - The client should send first in this mechanism.
  • SRVFIRST - The server must send first in this mechanism.
  • SRVLAST - This mechanism supports server-send-last configurations.
  • PROXY - This mechanism supports proxy authentication.
  • BIND - This mechanism supports channel binding.
  • HTTP - This mechanism has a profile for HTTP.