Authentication Mechanisms

Mechanisms

ANONYMOUS

This mechanism does not require the client to authenticate or provide any information.

Defined in RFC 2245

EXTERNAL

EXTERNAL is a SASL Mechanism that allows a client to request the server to use credentials established by means external to the mechanism to authenticate the client.

SASL EXTERNAL means may be, for instance, IP Security (RFC 4301) or TLS services. In absence of a prior agreement between the client and the server, the client cannot make any assumption as to what SASL EXTERNAL means the server has used to obtain the client’s credentials, nor make an assumption as to the form of credentials. For example, the client cannot assume that the server will use the credentials the client has established via TLS.

Note

The server will not offer EXTERNAL unless other credentials are already available in the session, such as a client certificate used in establishing a TLS connection.

GS2

Generic Security Service Application Program Interface (GSS-API). The GS2 mechanism family offers a number of improvements over the previous Configuring GSSAPI and Cyrus SASL mechanism.

Defined in RFC 5801

GSSAPI

Not sure how to get GSSAPI going? Check out our GSSAPI configuration guide.

GSS-SPNEGO

This is a Microsoft specific customization of GSSAPI.

Described in the Microsoft documentation and RFC 4178

OTP

OTP is the One-Time Password system described in RFC 2289. This mechanism is secure against replay attacks and also avoids storing password or password equivalents on the server. Only a digest of a seed and a passphrase is ever transmitted across the network.

  • OTP-MD4

  • OTP-MD5

  • OTP-SHA1

PASSDSS

DSS Secured Password Authentication Mechanism (PASSDSS)

Documented in a RFC Draft: draft-newman-sasl-passdss

  • PASSDSS-3DES-1

PLAIN

Defined in RFC 4616

This is the simplest mechanism. The users authentication details are transmitted in plain text. This mechanism should not be provided unless an encrypted link is in use - typically after TLS has been negotiated.

SCRAM

Salted Challenge Response Authentication Mechanism (SCRAM) is a family of modern, password-based challenge–response authentication mechanisms providing authentication of a user to a server.

Defined in RFC 5802

  • SCRAM-SHA-1(-PLUS)

  • SCRAM-SHA-224(-PLUS)

  • SCRAM-SHA-256(-PLUS) (RFC 7677)

  • SCRAM-SHA-384(-PLUS)

  • SCRAM-SHA-512(-PLUS)

SRP

The Secure Remote Password (SRP) is a password-based, zero-knowledge, authentication and key-exchange protocol. It has good performance, is not plaintext-equivalent and maintains perfect forward secrecy. It provides authentication (optionally mutual authentication) and the negotiation of a shared context key.

Documented in a RFC Draft: draft-burdis-cat-srp-sasl

  • mda=sha1,rmd160,md5

  • confidentiality=des-ofb,des-ede-ofb,aes-128-ofb,bf-ofb,cast5-ofb,idea-ofb

Non-SASL Authentication


Summary

This table shows what security flags and features are supported by each of the mechanisms provided by the Cyrus SASL Library.

MAX SSF

SECURITY PROPERTIES

FEATURES

NOPLAIN

NOACTIVE

NODICT

FORWARD

NOANON

CRED

MUTUAL

CLT FIRST

SRV FIRST

SRV LAST

PROXY

BIND

HTTP

ANONYMOUS

0

X

X

EXTERNAL

0

X

X

X

X

X

GS2

56

X

X

X

X

X

X

X

X

GSSAPI

56

X

X

X

X

X

X

X

X

GSS-SPNEGO

56

X

X

X

X

X

X

X

X

OTP

0

X

X

X

X

X

PASSDSS

112

X

X

X

X

X

X

X

X

X

PLAIN

0

X

X

X

X

SCRAM

0

X

X

X

X

X

X

X

X

X

SRP

128

X

X

X

X

X

X

X

X

X

Understanding this table:

Security Properties:

  • MAX SSF - The maximum Security Strength Factor supported by the mechanism (roughly the number of bits of encryption provided, but may have other meanings, for example an SSF of 1 indicates integrity protection only, no encryption).

  • NOPLAIN - Mechanism is not susceptible to simple passive (eavesdropping) attack.

  • NOACTIVE - Protection from active (non-dictionary) attacks during authentication exchange. (Implies MUTUAL).

  • NODICT - Not susceptible to passive dictionary attack.

  • NOFORWARD - Breaking one session won’t help break the next.

  • NOANON - Don’t permit anonymous logins.

  • CRED - Mechanism can pass client credentials.

  • MUTUAL - Supports mutual authentication (authenticates the server to the client)

Features:

  • CLTFIRST - The client should send first in this mechanism.

  • SRVFIRST - The server must send first in this mechanism.

  • SRVLAST - This mechanism supports server-send-last configurations.

  • PROXY - This mechanism supports proxy authentication.

  • BIND - This mechanism supports channel binding.

  • HTTP - This mechanism has a profile for HTTP.