PMDF System Manager's Guide



14.2.4 Authentication Mechanisms

An authentication mechanism specifies how authentication is performed; that is, how the authenticating password is passed back and forth. Supported authentication mechanisms include:

ANONYMOUS

This permits anonymous access.

APOP

This is a mechanism which can only be used with the POP3 protocol. If set for some other sort of service such as IMAP, it has no effect (it is ignored). The server sends the client a challenge, and the client applies a one-way function to the challenge and the user's password. The password itself is therefore never sent over the wire, but what is sent over the wire can be used to test guesses. APOP also requires that the password be stored in a form from which it can be recovered, so if someone gains privileged access to the server and is capable of reverse engineering PMDF's storage mechanism, they can recover all user passwords.

CRAM-MD5

This is similar to APOP, but is suitable for use with other protocols besides POP3. It is marginally safer than APOP because it permits an authentication verifier storage format in which someone who gains privileged access to the server and is capable of reverse engineering PMDF's storage mechanism gains only the ability to use the CRAM-MD5 mechanism to impersonate any user, rather than the passwords themselves.

DIGEST-MD5

The DIGEST-MD5 mechanism is based upon the HTTP-digest authentication defined in RFC 2617.

LOGIN

LOGIN is a non-standard mechanism, similar to PLAIN and offering no additional functionality, but some clients, such as Microsoft Exchange, have nevertheless implemented it. Among the distributed PMDF authentication sources, only the LOGIN source supports the LOGIN mechanism.

PLAIN

This passes the user's plaintext password over the network, where it is susceptible to eavesdropping. Unfortunately, most clients require support for plaintext passwords. This is also the only current mechanism which can be used with system password files. When this mechanism is enabled for POP and IMAP connections, it also enables the plaintext login commands in POP and IMAP.

