.. _authentication_mechanisms:

=========================
Authentication Mechanisms
=========================

Mechanisms
==========

ANONYMOUS
---------

.. todo::
    Content needed here

CRAM-MD5
--------

.. todo::
    Content needed here

DIGEST-MD5
----------

.. todo::
    Content needed here

EXTERNAL
--------

.. todo::
    Content needed here

GS2
-----

.. todo::
    Content needed here

GSSAPI
------

Not sure how to get GSSAPI going? Check out our :ref:`GSSAPI configuration guide <gssapi>`.

.. todo::
    Content needed here

GSS-SPNEGO
----------

.. todo::
    Content needed here

KERBEROS_V4
-----------

.. todo::
    Content needed here

LOGIN
-----

.. todo::
    Content needed here

NTLM
----

.. todo::
    Content needed here

OTP
---

 * OTP-MD4
 * OTP-MD5
 * OTP-SHA1

.. todo::
    Content needed here

PASSDSS
-------

 * PASSDSS-3DES-1

.. todo::
    Content needed here

PLAIN
-----

.. todo::
    Content needed here

SCRAM
-----

 * SCRAM-SHA-1(-PLUS)
 * SCRAM-SHA-224(-PLUS)
 * SCRAM-SHA-256(-PLUS)
 * SCRAM-SHA-384(-PLUS)
 * SCRAM-SHA-512(-PLUS)

.. todo::
    Content needed here

SRP
---

 * mda=sha1,rmd160,md5
 * confidentiality=des-ofb,des-ede-ofb,aes-128-ofb,bf-ofb,cast5-ofb,idea-ofb

.. todo::
    Content needed here

Non-SASL Authentication
-----------------------

.. todo::
    Content needed here

----

Summary
=======

This table shows what security flags and features are supported by each
of the mechanisms provided by the Cyrus SASL Library.

+-------------+---------+----------------------------------------------------------------+-----------------------------------------------------------+
|             | MAX SSF |                      SECURITY PROPERTIES                       |                         FEATURES                          |
+-------------+         +---------+----------+--------+---------+--------+------+--------+-----------+--------------+----------+-------+------+------+
|             |         | NOPLAIN | NOACTIVE | NODICT | FORWARD | NOANON | CRED | MUTUAL | CLT FIRST | SRV FIRST    | SRV LAST | PROXY | BIND | HTTP |
+-------------+---------+---------+----------+--------+---------+--------+------+--------+-----------+--------------+----------+-------+------+------+
| ANONYMOUS   | 0       | X       |          |        |         |        |      |        | X         |              |          |       |      |      |
+-------------+---------+---------+----------+--------+---------+--------+------+--------+-----------+--------------+----------+-------+------+------+
| CRAM-MD5    | 0       | X       |          |        |         | X      |      |        |           | X            |          |       |      |      |
+-------------+---------+---------+----------+--------+---------+--------+------+--------+-----------+--------------+----------+-------+------+------+
| DIGEST-MD5  | 128     | X       |          |        |         | X      |      | X      | reauth    | initial auth | X        | X     |      | X    |
+-------------+---------+---------+----------+--------+---------+--------+------+--------+-----------+--------------+----------+-------+------+------+
| EXTERNAL    | 0       | X       |          | X      |         | X      |      |        | X         |              |          | X     |      |      |
+-------------+---------+---------+----------+--------+---------+--------+------+--------+-----------+--------------+----------+-------+------+------+
| GS2         | 56      | X       | X        |        |         | X      |      | X      | X         |              | X        | X     | X    |      |
+-------------+---------+---------+----------+--------+---------+--------+------+--------+-----------+--------------+----------+-------+------+------+
| GSSAPI      | 56      | X       | X        |        |         | X      | X    | X      | X         |              |          | X     | X    |      |
+-------------+---------+---------+----------+--------+---------+--------+------+--------+-----------+--------------+----------+-------+------+------+
| GSS-SPNEGO  | 56      | X       | X        |        |         | X      | X    | X      | X         |              |          | X     |      | X    |
+-------------+---------+---------+----------+--------+---------+--------+------+--------+-----------+--------------+----------+-------+------+------+
| KERBEROS_V4 | 56      | X       | X        |        |         | X      |      | X      |           | X            |          | X     |      |      |
+-------------+---------+---------+----------+--------+---------+--------+------+--------+-----------+--------------+----------+-------+------+------+
| LOGIN       | 0       |         |          |        |         | X      | X    |        |           | X            |          |       |      |      |
+-------------+---------+---------+----------+--------+---------+--------+------+--------+-----------+--------------+----------+-------+------+------+
| NTLM        | 0       | X       |          |        |         | X      |      |        | X         |              |          |       |      | X    |
+-------------+---------+---------+----------+--------+---------+--------+------+--------+-----------+--------------+----------+-------+------+------+
| OTP         | 0       | X       |          |        | X       | X      |      |        | X         |              |          | X     |      |      |
+-------------+---------+---------+----------+--------+---------+--------+------+--------+-----------+--------------+----------+-------+------+------+
| PASSDSS     | 112     | X       | X        | X      | X       | X      | X    | X      | X         |              |          | X     |      |      |
+-------------+---------+---------+----------+--------+---------+--------+------+--------+-----------+--------------+----------+-------+------+------+
| PLAIN       | 0       |         |          |        |         | X      | X    |        | X         |              |          | X     |      |      |
+-------------+---------+---------+----------+--------+---------+--------+------+--------+-----------+--------------+----------+-------+------+------+
| SCRAM       | 0       | X       | X        |        |         | X      |      | X      | X         |              | X        | X     | X    | X    |
+-------------+---------+---------+----------+--------+---------+--------+------+--------+-----------+--------------+----------+-------+------+------+
| SRP         | 128     | X       | X        | X      | X       | X      |      | X      | X         |              | X        | X     |      |      |
+-------------+---------+---------+----------+--------+---------+--------+------+--------+-----------+--------------+----------+-------+------+------+

.. Helpfully generated from http://www.tablesgenerator.com/text_tables#

Understanding this table:

Security Properties:

* **MAX SSF** - The maximum Security Strength Factor supported by the mechanism (roughly the number of bits of encryption provided, but it may have other meanings; for example, an SSF of 1 indicates integrity protection only, no encryption).
* **NOPLAIN** - Mechanism is not susceptible to simple passive (eavesdropping) attack.
* **NOACTIVE** - Protection from active (non-dictionary) attacks during authentication exchange. (Implies MUTUAL).
* **NODICT** - Not susceptible to passive dictionary attack.
* **NOFORWARD** - Breaking one session won't help break the next.
* **NOANON** - Don't permit anonymous logins.
* **CRED** - Mechanism can pass client credentials.
* **MUTUAL** - Supports mutual authentication (authenticates the server to the client).

Features:

* **CLTFIRST** - The client should send first in this mechanism.
* **SRVFIRST** - The server must send first in this mechanism.
* **SRVLAST** - This mechanism supports server-send-last configurations.
* **PROXY** - This mechanism supports proxy authentication.
* **BIND** - This mechanism supports channel binding.
* **HTTP** - This mechanism has a profile for HTTP.

.. toctree::
    :hidden:

    gssapi
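
The following added example (not part of the Cyrus SASL documentation or source) transcribes the MAX SSF and security-property columns of the summary table and reports which mechanisms satisfy a required set of properties and a minimum SSF, with the reason each rejected mechanism fails. The names ``check``, ``usable`` and ``external_ssf``, and the rule that an externally supplied layer such as TLS counts toward the minimum SSF, are assumptions of this example.

```python
# Added example. Rows are transcribed from the summary table on this page:
# MAX SSF plus the seven security-property columns.
ALL = {"NOPLAIN", "NOACTIVE", "NODICT", "FORWARD", "NOANON", "CRED", "MUTUAL"}
CORE = {"NOPLAIN", "NOACTIVE", "NOANON", "MUTUAL"}
MECHS = {
    "ANONYMOUS":   (0,   {"NOPLAIN"}),
    "CRAM-MD5":    (0,   {"NOPLAIN", "NOANON"}),
    "DIGEST-MD5":  (128, {"NOPLAIN", "NOANON", "MUTUAL"}),
    "EXTERNAL":    (0,   {"NOPLAIN", "NODICT", "NOANON"}),
    "GS2":         (56,  CORE),
    "GSSAPI":      (56,  CORE | {"CRED"}),
    "GSS-SPNEGO":  (56,  CORE | {"CRED"}),
    "KERBEROS_V4": (56,  CORE),
    "LOGIN":       (0,   {"NOANON", "CRED"}),
    "NTLM":        (0,   {"NOPLAIN", "NOANON"}),
    "OTP":         (0,   {"NOPLAIN", "FORWARD", "NOANON"}),
    "PASSDSS":     (112, ALL),
    "PLAIN":       (0,   {"NOANON", "CRED"}),
    "SCRAM":       (0,   CORE),
    "SRP":         (128, ALL - {"CRED"}),
}


def check(mech, required, min_ssf=0, external_ssf=0):
    """Return the reasons `mech` fails the policy (empty list means usable)."""
    required = set(required)
    if required - ALL:
        raise ValueError(f"unknown properties: {sorted(required - ALL)}")
    max_ssf, props = MECHS[mech]
    # Assumption: a layer supplied outside SASL (e.g. TLS) counts toward min_ssf.
    need = max(0, min_ssf - external_ssf)
    reasons = [f"lacks {p}" for p in sorted(required - props)]
    if max_ssf < need:
        reasons.append(f"max SSF {max_ssf} < required {need}")
    return reasons


def usable(required, min_ssf=0, external_ssf=0):
    """Mechanisms, in table order, that satisfy every requirement."""
    return [m for m in MECHS if not check(m, required, min_ssf, external_ssf)]


if __name__ == "__main__":
    policy = {"NOPLAIN", "NOACTIVE", "MUTUAL"}
    print(usable(policy))
    print(usable(policy, min_ssf=112))
    print(usable(policy, min_ssf=112, external_ssf=256))
    for name in ("PLAIN", "DIGEST-MD5", "SCRAM"):
        print(name, check(name, policy, min_ssf=112))
```

With a minimum SSF of 112 and no external layer, SCRAM is rejected only because its own MAX SSF is 0; once the external layer meets the minimum, it is accepted again.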