5 Mechanisms

Different SASL mechanisms have different requirements on the application using it. To handle these differences the library can use a callback function into your application in several different ways. Some mechanisms, such as ‘PLAIN’, are simple to explain and use. The client callback queries the user for a username and password. The server callback hands the username and password into any local policy deciding authentication system (such as /etc/passwd via PAM).

Mechanism such as ‘CRAM-MD5’ and ‘SCRAM-SHA-1’ uses hashed passwords. The client callback behaviour is the same as for PLAIN. However, the server does not receive the plain text password over the network but rather a hash of it. Existing policy deciding systems like PAM cannot handle this, so the server callback for these mechanisms are more complicated.

Further, mechanisms like GSSAPI/GS2-KRB5 (Kerberos 5) assume a specific authentication system. In theory this means that the SASL library would not need to interact with the application, but rather call this specific authentication system directly. However, some callbacks are supported anyway, to modify the behaviour of how the specific authentication system is used (i.e., to handle “super-user” login as some other user).

Some mechanisms, like ‘EXTERNAL’ and ‘ANONYMOUS’ are entirely dependent on callbacks.