SASL Mechanism Properties/Features

This table shows what security flags and features are supported by each of the mechanisms provided by the Cyrus SASL Library.

MAX
SSF SECURITY PROPERTIES FEATURES

NOPLAIN NOACTIVE NODICT FORWARD NOANON CRED MUTUAL CLT FIRST SRV FIRST SRV LAST PROXY

ANONYMOUS 0 X

X

CRAM-MD5 0 X

X

X

DIGEST-MD5 128 X

X
X reauth initial auth X X

EXTERNAL 0 X
X
X

X

X

GSSAPI 56 X X

X
X X

X

KERBEROS_V4 56 X X

X
X
X
X

LOGIN 0

X

X

NTLM 0 X

X

X

OTP 0 X

X X

X

X

PLAIN 0

X

X

X

SRP 128 X X X X X
X X
X X

	MAX SSF	SECURITY PROPERTIES	FEATURES
NOPLAIN	NOACTIVE	NODICT	FORWARD	NOANON	CRED	MUTUAL	CLT FIRST	SRV FIRST	SRV LAST	PROXY
ANONYMOUS	0	X							X
CRAM-MD5	0	X				X				X
DIGEST-MD5	128	X				X		X	reauth	initial auth	X	X
EXTERNAL	0	X		X		X			X			X
GSSAPI	56	X	X			X		X	X			X
KERBEROS_V4	56	X	X			X		X		X		X
LOGIN	0					X				X
NTLM	0	X				X			X
OTP	0	X			X	X			X			X
PLAIN	0					X			X			X
SRP	128	X	X	X	X	X		X	X		X	X

Understanding this table:

MAX SSF - The maximum Security Strength Factor supported by the mechanism (roughly the number of bits of encryption provided, but may have other meanings, for example an SSF of 1 indicates integrity protection only, no encryption).
NOPLAIN - Mechanism is not susceptable to simple passive (eavesdropping) attack.
NOACTIVE - Protection from active (non-dictionary) attacks during authentication exchange. (Implies MUTUAL).
NODICT - Not susceptable to passive dictionary attack.
NOFORWARD - Breaking one session won't help break the next.
NOANON - Don't permit anonymous logins.
CRED - Mechanism can pass client credentials.
MUTUAL - Supports mutual authentication (authenticates the server to the client)
CLTFIRST - The client should send first in this mechanism.
SRVFIRST - The server must send first in this mechanism.
SRVLAST - This mechanism supports server-send-last configurations.
PROXY - This mechanism supports proxy authentication.