On Jan 9, 2010, at 11:04 AM, Ron Aaron wrote:
> I didn't see an option, perhaps it's not even on the list of requests... but
> when I look at the 'user' table, the user's password is stored in
> Having my fossil file on a shared server, this makes me a bit nervous. Anyone
> who has access to that file can read all the user passwords.
> It would be trivial to change the password stored to sha1(login+pw). In that
> case it would also be difficult to hack, since different users with the same
> password would have wildly different values saved in the user table.
OK. Beginning with http://www.fossil-scm.org/fossil/ci/cfe33dcf92
Fossil will store passwords on servers as either cleartext or as a
SHA1 hash of the password. It tells the difference by looking at the
length of the password. A password in the USER table that is exactly
40 characters long is assumed to be a SHA1 hash. Otherwise, the
password is assumed to be cleartext.
Whenever you change a password, the new password is stored as the SHA1
hash. When you create new users, the password is stored as the SHA1
hash. There is no mechanism to force the password to be cleartext.
You can force all cleartext passwords to become SHA1 hashes using this
fossil test-hash-password REPOSITORY
Converting from cleartext to SHA1 hash is irreversible, of course.
The client always uses the SHA1 hash as the shared secret, unless the
password for a sync operation begins with '*'. If the password for a
sync begins with '*', then the characters after the '*' are taken to
be the cleartext password used as the shared secret. This allows
newer clients to communicate with legacy servers that do not know
about the password format change. If you have a new fossil client
and you want to sync against a legacy server, do it this way:
fossil sync http://userid:****@legacy-server.com/
The new server accepts both the cleartext passwords and the SHA1 hash
as the shared secret, assuming the cleartext is stored in the USER
table. That means that newer servers will work with older clients as
long as you do not update the USER table to store hashes. Once a hash
is stored in the USER table, the sync protocol will only work with
So, older clients will work with newer servers as long as cleartext
passwords are stored in the USER table, and older servers will work
with newer clients by adding '*' before the password in the URL.
The simplest upgrade path is probably just to upgrade all clients and
servers all at once.
The second simplest upgrade path is:
(1) Upgrade servers, but do not modify the USER table.
(2) Start upgrading clients.
(3) After all clients are upgraded, run [fossil test-hash-password] to
convert the USER table to use hashes instead of cleartext.
I have not yet done step (1) on the server that runs www.fossil-scm.org.
I'll do that after additional testing and after you, gentle
readers, have reviewed my changes and informed me that my changes are
free of new security boo-boos. I eagerly await the results of your
D. Richard Hipp
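The storage rule, client secret derivation and server acceptance logic described in the reply above, written out as an added Python model (not Fossil's own code). It assumes the hash is SHA1 over the password bytes alone, as the message summarises it, and that the stored value is the hex digest; the sample USER rows are constructed.

```python
import hashlib
import hmac


def sha1_hex(password: str) -> str:
    # Assumption: SHA1 over the password alone, as the post describes it.
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def is_stored_hash(stored: str) -> bool:
    """Server rule from the post: exactly 40 characters means SHA1 hex,
    anything else means cleartext. Note the caveat this implies: a
    40-character cleartext password would be misread as a hash."""
    return len(stored) == 40


def convert_user_table(rows: dict) -> dict:
    """Models `fossil test-hash-password`: every cleartext entry becomes
    its hash; 40-character entries are left alone. Irreversible."""
    return {login: pw if is_stored_hash(pw) else sha1_hex(pw)
            for login, pw in rows.items()}


def client_shared_secret(url_password: str) -> str:
    """New client: sends SHA1(password) as the shared secret, unless the
    URL password starts with '*', in which case the rest is sent as
    cleartext so a legacy server can still verify it."""
    if url_password.startswith("*"):
        return url_password[1:]
    return sha1_hex(url_password)


def server_accepts(stored: str, presented: str) -> bool:
    """New server: with cleartext stored, either the cleartext (old client)
    or its hash (new client) matches; once a hash is stored, only the hash
    matches, so old clients fail until they are upgraded."""
    if is_stored_hash(stored):
        return hmac.compare_digest(presented, stored)
    return (hmac.compare_digest(presented, stored)
            or hmac.compare_digest(presented, sha1_hex(stored)))


if __name__ == "__main__":
    # Constructed USER table: one legacy cleartext row, one hashed row.
    users = {"alice": "hunter2", "bob": sha1_hex("correct horse")}
    print("old client vs cleartext row:", server_accepts(users["alice"], "hunter2"))
    users = convert_user_table(users)  # step (3) of the upgrade path
    print("old client after conversion:", server_accepts(users["alice"], "hunter2"))
    print("new client after conversion:",
          server_accepts(users["alice"], client_shared_secret("hunter2")))
```

Because the stored hash is itself the shared secret, converting the USER table removes the readable passwords the original poster worried about but does not remove the need to protect the repository file.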