Current Cyrus libsasl2 packaging (Ubuntu Jammy) distributes SASL bind mechanisms into different packages. Plaintext and shared-secret mechanisms are provided by package libsasl2-modules:
/usr/lib/x86_64-linux-gnu/sasl2/libanonymous.so
/usr/lib/x86_64-linux-gnu/sasl2/libanonymous.so.2
/usr/lib/x86_64-linux-gnu/sasl2/libanonymous.so.2.0.25
/usr/lib/x86_64-linux-gnu/sasl2/libcrammd5.so
/usr/lib/x86_64-linux-gnu/sasl2/libcrammd5.so.2
/usr/lib/x86_64-linux-gnu/sasl2/libcrammd5.so.2.0.25
/usr/lib/x86_64-linux-gnu/sasl2/libdigestmd5.so
/usr/lib/x86_64-linux-gnu/sasl2/libdigestmd5.so.2
/usr/lib/x86_64-linux-gnu/sasl2/libdigestmd5.so.2.0.25
/usr/lib/x86_64-linux-gnu/sasl2/liblogin.so
/usr/lib/x86_64-linux-gnu/sasl2/liblogin.so.2
/usr/lib/x86_64-linux-gnu/sasl2/liblogin.so.2.0.25
/usr/lib/x86_64-linux-gnu/sasl2/libntlm.so
/usr/lib/x86_64-linux-gnu/sasl2/libntlm.so.2
/usr/lib/x86_64-linux-gnu/sasl2/libntlm.so.2.0.25
/usr/lib/x86_64-linux-gnu/sasl2/libplain.so
/usr/lib/x86_64-linux-gnu/sasl2/libplain.so.2
/usr/lib/x86_64-linux-gnu/sasl2/libplain.so.2.0.25
The "safest" mechanism in this list is DIGEST-MD5, which is marked as obsolete by IANA and regarded as unsafe by IETF. The current safest standard mechanisms are SCRAM-based (RFC 7677).
All SCRAM family SASL mechanisms of Cyrus SASL are provided by Ubuntu package libsasl2-modules-gssapi-mit:
/usr/lib/x86_64-linux-gnu/sasl2/libscram.so
/usr/lib/x86_64-linux-gnu/sasl2/libscram.so.2
/usr/lib/x86_64-linux-gnu/sasl2/libscram.so.2.0.25
But the focus of this package is the GSSAPI and GS2 SASL mechanisms, which have nothing to do with SCRAM. In addition, this package conflicts with package libsasl2-modules-gssapi-heimdal. System administrators have to choose one package for support of GSSAPI or GSS-SPNEGO. If they prefer Heimdal, there is no safe SASL shared-secret mechanism available anymore on the server/workstation.
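
An added check for the situation described in this report (not part of the original report, and not Cyrus SASL or Ubuntu tooling): it scans a SASL plugin directory, maps the plugin files listed above to their mechanisms, and fails when no SCRAM plugin is installed. The function names and the "ok"/"legacy" labels are hypothetical; the default path is the one shown in the file lists above.

```shell
#!/bin/sh
# Added example: audit a Cyrus SASL plugin directory for SCRAM support.
# Default path taken from the file lists in the report (Ubuntu Jammy, amd64).
SASL_PLUGIN_DIR_DEFAULT=/usr/lib/x86_64-linux-gnu/sasl2

# Map a plugin file name (e.g. libscram.so.2.0.25) to "MECHANISM class".
# "legacy" covers everything shipped in libsasl2-modules per the report.
sasl_classify() {
    case "$1" in
        libscram.so*)     echo "SCRAM ok" ;;
        libdigestmd5.so*) echo "DIGEST-MD5 legacy" ;;
        libcrammd5.so*)   echo "CRAM-MD5 legacy" ;;
        libntlm.so*)      echo "NTLM legacy" ;;
        libplain.so*)     echo "PLAIN legacy" ;;
        liblogin.so*)     echo "LOGIN legacy" ;;
        libanonymous.so*) echo "ANONYMOUS legacy" ;;
        *)                : ;;   # plugins not named in the report are skipped
    esac
}

# Print each distinct mechanism found in the directory, one per line.
sasl_list() {
    dir=${1:-$SASL_PLUGIN_DIR_DEFAULT}
    for f in "$dir"/lib*.so*; do
        [ -e "$f" ] || continue          # glob matched nothing
        sasl_classify "$(basename "$f")"
    done | LC_ALL=C sort -u              # collapse .so/.so.2/.so.2.0.25 triples
}

# Exit status 0 if a SCRAM plugin is present, 1 otherwise.
sasl_has_scram() {
    sasl_list "$1" | grep -q '^SCRAM '
}

# Full report: mechanisms, owning package of libscram.so, warning if absent.
sasl_audit() {
    dir=${1:-$SASL_PLUGIN_DIR_DEFAULT}
    sasl_list "$dir"
    if sasl_has_scram "$dir"; then
        if command -v dpkg >/dev/null 2>&1; then
            dpkg -S "$dir/libscram.so" 2>/dev/null || true
        fi
        return 0
    fi
    echo "WARNING: no SCRAM plugin in $dir, only legacy mechanisms" >&2
    return 1
}
```

Source the file and call `sasl_audit` with no argument to check the default directory; a non-zero status means the host offers no SCRAM mechanism.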