Authentication Mechanisms

Mechanisms

ANONYMOUS

CRAM-MD5

DIGEST-MD5

EXTERNAL

G2

GSSAPI

Not sure how to get GSSAPI going? Check out our GSSAPI configuration guide.

GSS-SPEGNO

KERBEROS_V4

LOGIN

NTLM

OTP

  • OTP-MD4
  • OTP-MD5
  • OTP-SHA1

PASSDSS

  • PASSDSS-3DES-1

PLAIN

SCRAM

  • SCRAM-SHA-1(-PLUS)
  • SCRAM-SHA-224(-PLUS)
  • SCRAM-SHA-256(-PLUS)
  • SCRAM-SHA-384(-PLUS)
  • SCRAM-SHA-512(-PLUS)

SRP

  • mda=sha1,rmd160,md5
  • confidentiality=des-ofb,des-ede-ofb,aes-128-ofb,bf-ofb,cast5-ofb,idea-ofb

Non-SASL Authentication


Summary

This table shows what security flags and features are supported by each of the mechanisms provided by the Cyrus SASL Library.

  MAX SSF SECURITY PROPERTIES FEATURES
  NOPLAIN NOACTIVE NODICT FORWARD NOANON CRED MUTUAL CLT FIRST SRV FIRST SRV LAST PROXY BIND HTTP
ANONYMOUS 0 X             X          
CRAM-MD5 0 X       X       X        
DIGEST-MD5 128 X       X   X reauth initial auth X X   X
EXTERNAL 0 X   X   X     X     X    
G2 56 X X     X   X X   X X X  
GSSAPI 56 X X     X X X X     X    
GSS-SPNEGO 56 X X     X X X X     X   X
KERBEROS_V4 56 X X     X   X   X   X    
LOGIN 0         X X     X        
NTLM 0 X       X     X         X
OTP 0 X     X X     X     X    
PASSDSS 112 X X X X X X X X     X    
PLAIN 0         X X   X     X    
SCRAM 0 X X     X   X X   X X X ?
SRP 128 X X X X X   X X   X X    

Understanding this table:

Security Properties:

  • MAX SSF - The maximum Security Strength Factor supported by the mechanism (roughly the number of bits of encryption provided, but may have other meanings, for example an SSF of 1 indicates integrity protection only, no encryption).
  • NOPLAIN - Mechanism is not susceptable to simple passive (eavesdropping) attack.
  • NOACTIVE - Protection from active (non-dictionary) attacks during authentication exchange. (Implies MUTUAL).
  • NODICT - Not susceptable to passive dictionary attack.
  • NOFORWARD - Breaking one session won’t help break the next.
  • NOANON - Don’t permit anonymous logins.
  • CRED - Mechanism can pass client credentials.
  • MUTUAL - Supports mutual authentication (authenticates the server to the client)

Features:

  • CLTFIRST - The client should send first in this mechanism.
  • SRVFIRST - The server must send first in this mechanism.
  • SRVLAST - This mechanism supports server-send-last configurations.
  • PROXY - This mechanism supports proxy authentication.
  • BIND - This mechanism supports channel binding.
  • HTTP - This mechanism has a profile for HTTP.