
Authen::SASL::Perl

Section: User Contributed Perl Documentation (3pm)

Updated: 2010-03-11



NAME

Authen::SASL::Perl -- Perl implementation of the SASL Authentication framework

SYNOPSIS

DESCRIPTION

Authen::SASL::Perl is the pure Perl implementation of SASL mechanisms in the Authen::SASL framework.

At the time of this writing it provides the client part implementation for the following SASL mechanisms:

ANONYMOUS
The Anonymous SASL Mechanism as defined in RFC 2245 resp. in IETF Draft draft-ietf-sasl-anon-03.txt from February 2004 provides a method to anonymously access internet services.

Since it does no authentication it does not need to send any confidential information such as passwords in plain text over the network.


CRAM-MD5
The CRAM-MD5 SASL Mechanism as defined in RFC 2195 resp. in IETF Draft draft-ietf-sasl-crammd5-XX.txt offers a simple challenge-response authentication mechanism.

Since it is a challenge-response authentication mechanism no passwords are transferred in clear-text over the wire.

Due to the simplicity of the protocol, CRAM-MD5 is susceptible to replay and dictionary attacks, so DIGEST-MD5 should be used in preference.


DIGEST-MD5
The DIGEST-MD5 SASL Mechanism as defined in RFC 2831 resp. in IETF Draft draft-ietf-sasl-rfc2831bis-XX.txt offers the HTTP Digest Access Authentication as SASL mechanism.

Like CRAM-MD5 it is a challenge-response authentication method that does not send plain text passwords over the network.

Compared to CRAM-MD5, DIGEST-MD5 prevents chosen plaintext attacks, and permits the use of third party authentication servers, so that it is recommended to use DIGEST-MD5 instead of CRAM-MD5 when possible.


EXTERNAL
The EXTERNAL SASL mechanism as defined in RFC 2222 allows the use of external authentication systems as SASL mechanisms.

GSSAPI
The GSSAPI SASL mechanism as defined in RFC 2222 resp. IETF Draft draft-ietf-sasl-gssapi-XX.txt allows using the Generic Security Service Application Program Interface [GSSAPI] KERBEROS V5 as a SASL mechanism.

Although GSSAPI is a general mechanism for authentication, it is almost exclusively used for Kerberos 5.


LOGIN
The LOGIN SASL Mechanism as defined in IETF Draft draft-murchison-sasl-login-XX.txt allows the combination of username and clear-text password to be used in a SASL mechanism.

It does not provide a security layer and sends the credentials in the clear over the wire. Thus this mechanism should not be used without adequate security protection.


PLAIN
The Plain SASL Mechanism as defined in RFC 2595 resp. IETF Draft draft-ietf-sasl-plain-XX.txt is another SASL mechanism that allows username and clear-text password combinations in SASL environments.

Like LOGIN it sends the credentials in clear over the network and should not be used without sufficient security protection.
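
The guidance in the mechanism descriptions above, as an added example (not part of the original documentation or the module's own code): a client-side policy that drops PLAIN and LOGIN unless the connection is already protected and lists DIGEST-MD5 ahead of CRAM-MD5, then hands the remaining names to Authen::SASL. The helper allowed_mechanisms, the relative order of PLAIN and LOGIN, and the sample values (the example challenge and credentials from RFC 2195) are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Authen::SASL qw(Perl);    # force the pure Perl implementation

# Password-based mechanisms from the list above, most preferred first.
# PLAIN before LOGIN is an assumption; the page does not rank those two.
my @PREFERENCE = qw(DIGEST-MD5 CRAM-MD5 PLAIN LOGIN);
my %CLEARTEXT  = map { $_ => 1 } qw(PLAIN LOGIN);

# Hypothetical helper: return the offered mechanisms the policy allows.
#   $offered    space-separated names as advertised by the server
#   $protected  true if the connection is already protected (e.g. TLS)
sub allowed_mechanisms {
    my ($offered, $protected) = @_;
    my %offered = map { uc($_) => 1 } split ' ', $offered;
    return grep { $offered{$_} && ($protected || !$CLEARTEXT{$_}) } @PREFERENCE;
}

# Constructed sample: server advertisement on an unprotected connection.
my @mechs = allowed_mechanisms('LOGIN PLAIN CRAM-MD5', 0);
die "no acceptable SASL mechanism offered\n" unless @mechs;

# Authen::SASL picks one mechanism out of the list it is given, so only
# names that passed the policy are handed over.
my $sasl = Authen::SASL->new(
    mechanism => join(' ', @mechs),
    callback  => { user => 'tim', pass => 'tanstaaftanstaaf' },
);
my $conn = $sasl->client_new('imap', 'postoffice.reston.mci.net');

$conn->client_start;    # CRAM-MD5 sends no initial response
# Constructed sample: the challenge from the RFC 2195 example exchange.
my $response = $conn->client_step('<1896.697170952@postoffice.reston.mci.net>');

# The response is the user name plus a keyed MD5 digest of the challenge;
# the password itself never appears in it.
printf "%s -> %s\n", $conn->mechanism, $response;
```

With the second argument of allowed_mechanisms set to a true value, PLAIN and LOGIN stay in the list and are used only if nothing stronger was offered.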


As for server support, only PLAIN, LOGIN and DIGEST-MD5 are supported at the time of this writing.

OPTIONS is a hashref that is only relevant for DIGEST-MD5 for now. It supports the following options:

- no_integrity

- no_confidentiality

These options configure how the security layers are negotiated with the client (or rather imposed on the client).

SEE ALSO

Authen::SASL, Authen::SASL::Perl::ANONYMOUS, Authen::SASL::Perl::CRAM_MD5, Authen::SASL::Perl::DIGEST_MD5, Authen::SASL::Perl::EXTERNAL, Authen::SASL::Perl::GSSAPI, Authen::SASL::Perl::LOGIN, Authen::SASL::Perl::PLAIN

AUTHOR

Peter Marschall <[email protected]>

Please report any bugs, or post any suggestions, to the perl-ldap mailing list <[email protected]>

COPYRIGHT

Copyright (c) 2004-2006 Peter Marschall. All rights reserved. This document is distributed, and may be redistributed, under the same terms as Perl itself.

