CRAM-MD5 is a widely used, but officially deprecated (apparently in favor of DIGEST-MD5), challenge-response mechanism that transfers hashed passwords instead of clear text passwords. For insecure channels (e.g., when TLS is not used), it is safer than PLAIN. The CRAM-MD5 mechanism does not support authorization identities, which makes the relationship between CRAM-MD5 and DIGEST-MD5 similar to the relationship between LOGIN and PLAIN.
The disadvantage with hashed passwords is that the server cannot use normal authentication infrastructures such as PAM, because the server must have access to the correct password in order to validate an authentication attempt.
In the client, this mechanism is always enabled, and it requires the GSASL_AUTHID and GSASL_PASSWORD properties.
In the server, the mechanism will require the GSASL_PASSWORD callback property, which may use the GSASL_AUTHID property to determine which user's password should be used. The GSASL_AUTHID will be in normalized form. The server will then normalize the returned password, compare the client response with the computed correct response, and accept the user accordingly.
See Use of SASLprep in CRAM-MD5, for a clarification on the interpretation of the CRAM-MD5 specification that this implementation relies on.
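The following is an added example, not part of the GNU SASL manual or library, that shows the computation the text describes: the client keys HMAC-MD5 with the password over the server's challenge, and the server looks up the clear-text password for the claimed AUTHID (the job of the GSASL_PASSWORD callback), recomputes the response, and compares. The credential store, hostname and challenge format are constructed for illustration; the example uses raw UTF-8 bytes for the password rather than applying SASLprep, which a real implementation must do as the text notes. The known-answer values come from the published RFC 2195 example.

```python
import base64
import hashlib
import hmac
import secrets
import time

# Constructed credential store standing in for the GSASL_PASSWORD callback.
# The server must hold the clear-text password: this is why CRAM-MD5 cannot
# sit on top of PAM or another infrastructure that only verifies passwords.
PASSWORD_DB = {"tim": "tanstaaftanstaaf"}


def make_challenge(hostname="mail.example.com"):
    """Server side: build a fresh, unpredictable challenge in <nonce.timestamp@host> form."""
    return f"<{secrets.randbelow(10**9)}.{int(time.time())}@{hostname}>"


def cram_md5_response(authid, password, challenge):
    """Client side: 'authid ' followed by hex HMAC-MD5(key=password, msg=challenge).

    Assumption: password and challenge are taken as UTF-8 bytes; a conforming
    implementation applies SASLprep to the password before keying the HMAC.
    """
    digest = hmac.new(password.encode("utf-8"),
                      challenge.encode("utf-8"),
                      hashlib.md5).hexdigest()
    return f"{authid} {digest}"


def verify_response(response, challenge, password_db=PASSWORD_DB):
    """Server side: split the response into AUTHID and digest, fetch the stored
    password for that AUTHID, recompute the expected response and compare it
    in constant time. Unknown users and malformed responses are rejected."""
    try:
        authid, _digest = response.split(" ", 1)
    except ValueError:
        return False
    password = password_db.get(authid)
    if password is None:
        return False
    expected = cram_md5_response(authid, password, challenge)
    return hmac.compare_digest(expected.encode("utf-8"), response.encode("utf-8"))


def to_wire(text):
    """Encode one SASL message as it appears on the wire (base64)."""
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


def from_wire(text):
    """Decode one base64 SASL message received from the peer."""
    return base64.b64decode(text).decode("utf-8")


def run_exchange(authid, password, hostname="mail.example.com"):
    """Simulate the full two-message exchange.

    Returns (wire_challenge, wire_response, accepted) so the caller can see
    exactly what crosses the network and whether the server accepted it.
    """
    challenge = make_challenge(hostname)
    wire_challenge = to_wire(challenge)            # S -> C
    response = cram_md5_response(authid, password, from_wire(wire_challenge))
    wire_response = to_wire(response)              # C -> S
    accepted = verify_response(from_wire(wire_response), challenge)
    return wire_challenge, wire_response, accepted


if __name__ == "__main__":
    for pw in ("tanstaaftanstaaf", "wrong-password"):
        chal, resp, ok = run_exchange("tim", pw)
        print(f"S: + {chal}\nC: {resp}\n-> accepted={ok}\n")
```

Only the HMAC digest crosses the wire, so a passive observer of a non-TLS session does not learn the password itself; the cost is that the server's credential store contains every user's clear-text password, which is exactly the trade-off the text describes.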