What is the difference between SASL and SSL?

How does the SASL work?

The SASL mechanism works similarly to regular username/password authentication, and is used by both the SMTP client and server (via the EHLO command). The syntax of the SASL authentication string is username@hostname, where the username and hostname strings are the values retrieved from. The client's first authentication attempt is sent as the username@hostname authentication string. If the host supports SASL, the server's response will include the server name and the username portion of the SASL mechanism used. The client must then compare this information with the hostname and username it has been supplied. If the comparison succeeds, the authentication is successful and the server can reply to the client with the list of accepted extensions.

How is the authentication protocol implemented?

The client and server must agree on the "supported authentication methods" (the methods available for authenticating the user) before the connection begins. This is done via the EHLO command.

To find out which methods the server supports, the client uses the supported-methods list received from the server in the authentication string. To find out which methods the client supports, it must first authenticate itself with the server via a connection to a known domain (see the example below). If the client can successfully connect to the server (using any authentication mechanism), it will be able to determine the supported methods from the server's supported-methods list. The client may change its own supported-methods list during the SMTP connection. To do so, it must first abort the connection and reconnect with a new EHLO command. This causes the server to use the new list of supported methods, and thus changes the supported-methods list.

When does the SMTP service use the SASL mechanism?

The SMTP service uses the SASL mechanism when both the client and the server support the mechanism, and support it in different ways. This is controlled by the server's EHLO response: if the EHLO command returns "AUTH PLAIN" or "AUTH LOGIN", the client sends its SASL authentication string.
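The EHLO negotiation described above, as an added example that is not part of the original page: the client parses the server's multi-line EHLO reply, reads the mechanisms announced on the AUTH line, and picks one from its own preference list. The EHLO reply is constructed sample data, the preference order ("PLAIN" then "LOGIN") is an assumption, and the PLAIN message layout (authorization id, NUL, authentication id, NUL, password, base64-encoded) follows RFC 4616. The client-side helper refuses PLAIN and LOGIN until STARTTLS is active, since both mechanisms only base64-encode the password rather than protect it; the server-side decoder shows how a received PLAIN message is split back into its fields and rejected when malformed.

```python
import base64
from typing import Dict, List, Optional, Tuple

# Constructed sample EHLO reply, as an SMTP server would send it after the
# client's EHLO (example data, not taken from the original page).
SAMPLE_EHLO_RESPONSE = (
    "250-mail.example.test Hello client.example.test\r\n"
    "250-SIZE 35882577\r\n"
    "250-STARTTLS\r\n"
    "250-AUTH PLAIN LOGIN\r\n"
    "250 8BITMIME\r\n"
)


def parse_ehlo(response: str) -> Dict[str, List[str]]:
    """Return {KEYWORD: [params]} for each extension in an EHLO reply.

    Continuation lines are '250-KEYWORD params', the last line is
    '250 KEYWORD params'; the first line is the greeting and is skipped.
    """
    extensions: Dict[str, List[str]] = {}
    lines = [ln for ln in response.split("\r\n") if ln]
    for line in lines[1:]:
        if not line.startswith("250"):
            raise ValueError("unexpected EHLO reply line: %r" % line)
        body = line[4:]  # strip '250-' or '250 '
        parts = body.split()
        if parts:
            extensions[parts[0].upper()] = [p.upper() for p in parts[1:]]
    return extensions


def choose_mechanism(extensions: Dict[str, List[str]], tls_active: bool,
                     preference: Tuple[str, ...] = ("PLAIN", "LOGIN")) -> Optional[str]:
    """Pick the first mechanism in our preference list that the server offers.

    PLAIN and LOGIN send the password merely base64-encoded, so the client
    only accepts them once the connection is TLS-protected (assumed policy).
    """
    offered = extensions.get("AUTH", [])
    for mech in preference:
        if mech in offered:
            if mech in ("PLAIN", "LOGIN") and not tls_active:
                continue
            return mech
    return None


def plain_initial_response(username: str, password: str, authzid: str = "") -> str:
    """Client side: RFC 4616 PLAIN message [authzid] NUL authcid NUL passwd, base64."""
    raw = ("%s\0%s\0%s" % (authzid, username, password)).encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def decode_plain_response(encoded: str) -> Tuple[str, str, str]:
    """Server side: split a received PLAIN message into (authzid, authcid, passwd).

    Anything other than exactly two NUL separators is rejected as malformed.
    """
    raw = base64.b64decode(encoded, validate=True)
    fields = raw.split(b"\0")
    if len(fields) != 3:
        raise ValueError("PLAIN message must contain exactly two NUL separators")
    return fields[0].decode("utf-8"), fields[1].decode("utf-8"), fields[2].decode("utf-8")


def login_exchange(username: str, password: str) -> List[str]:
    """Client lines for the LOGIN mechanism: username and password are sent as
    two separate base64 strings, each answering a 334 challenge from the server."""
    return [base64.b64encode(username.encode("utf-8")).decode("ascii"),
            base64.b64encode(password.encode("utf-8")).decode("ascii")]


if __name__ == "__main__":
    exts = parse_ehlo(SAMPLE_EHLO_RESPONSE)
    print("server offers AUTH:", exts.get("AUTH"))
    print("mechanism before STARTTLS:", choose_mechanism(exts, tls_active=False))
    print("mechanism after STARTTLS:", choose_mechanism(exts, tls_active=True))
    msg = plain_initial_response("alice", "s3cret")  # constructed credentials
    print("client sends: AUTH PLAIN", msg)
    print("server decodes:", decode_plain_response(msg))
```

With the sample reply, the client selects no mechanism on the plaintext connection and PLAIN once TLS is up; a server that offers AUTH PLAIN or AUTH LOGIN before STARTTLS is worth flagging in a configuration review for exactly the reason the TLS check exists.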

What is the difference between Kerberos and SASL?

To the reader who is not as familiar with Kerberos as the author, there are three basic questions about Kerberos vs. SASL: what is Kerberos, what is SASL, and why do they use different protocols?

What is Kerberos?

Kerberos is a mechanism for user authentication and mutual authentication based on passwords. It does not rely on the user's knowledge of secret information used by the system, such as private keys or encryption keys. This information can be made public (e.g. printed on cards) and used to derive secret information like passwords, but the secret information never needs to be stored by the system. As such, it has several benefits over traditional passwords, including better security and greater usability.

As an example, you may have a username and password for a website that is known to you, but it requires you to manually enter the login credentials every time you visit the website. With Kerberos, you need to know only a single secret shared between you and your server. On login to the site, your Kerberos client (on your client computer, or on the web browser on your mobile phone, for example) first requests authentication information from the site's Kerberos server. Once the server sends the response to your client, the client exchanges that response with the client computer's or mobile phone's Kerberos credentials database (if it exists), which validates the user's credentials, and then logs you in to the system.

Kerberos has been widely implemented by various vendors' products, including many mainstream browsers and network protocols. If your computer is running any Unix-like operating system, you probably already have Kerberos installed.

The most important thing to remember about Kerberos is this: you always need a Kerberos server to authenticate your user sessions. Kerberos does not provide a way to verify an individual user's identity; it merely provides a way to authenticate the connection between two parties (the client and the server) and the session data on that connection.

In a Kerberos realm (a collection of sites connected by Kerberos), you will typically have a central Kerberos server responsible for registering site clients and mapping their Kerberos principals to local host names (or IP addresses, but we'll get into that later).