On 8/15/2014 07:14, Abilio Marques wrote:

> Cloning over ssh seems to be impossible if the user nobody doesn't have
> cloning permissions.

I successfully cloned a repo over SSH where Nobody only has "read wiki" and "read ticket" direct permissions, and inherits no other privileges. I did this with Fossil tip, from a few days ago. Perhaps Fossil's behavior has changed since the version you have?

I noticed that I had to give two slashes in the URL to address an absolute path:

    fossil clone ssh://fossilserver//museum/repo.fossil myrepo.fossil

Apparently with only one slash before "museum" in this URL, it looks for "museum/repo.fossil" relative to my home directory.

If the slashes aren't the issue, please post your Fossil version and the errors you get.

> is there any security risk involved with
> giving 'nobody' the chance to clone? Let's say I keep a fossil server
> running all the time too. I believe there is not, but maybe I'm mistaken...

This page covers the main worry, the user table:

    http://fossil-scm.org/index.html/doc/trunk/www/password.wiki

What it doesn't tell you is that the user names and password hashes are included in every clone!

The passwords are semi-salted and hashed, which makes a rainbow table attack impractical. But it doesn't save you from a brute force attack if you have weak passwords, up to about 10 characters. The actual length depends on how well funded your opponent is.

I say semi-salted because proper salting uses a nonce, not info you can find elsewhere. (Ideally here, another SHA-1 blob derived from /dev/random or similar.) Nevertheless, the fact that you can find the elements used for the salt doesn't change the fact that rainbow table generation is effectively the same thing as brute force in the case of Fossil's user table.

So, use strong passwords.

If Fossil ever does change its password system again, it should move to properly salted passwords and a key derivation function.[1] E.g. bcrypt, scrypt, PBKDF2... That would greatly relax the minimum safe password length.


[1]  https://en.wikipedia.org/wiki/Key_derivation_function

_______________________________________________
fossil-users mailing list
fossil-users@lists.fossil-scm.org
http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users
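An added example, not from the original message and not Fossil's own code, illustrating the two points made above: a hash whose "salt" is data already present in the clone (user name, project code) only stops precomputed tables, so an attacker holding a clone still gets one cheap SHA-1 per guess per user, whereas a random-salt key derivation function such as PBKDF2 makes each guess expensive and each salt unique. The exact layout of the legacy hash (user name, project code and password run through SHA-1) is an assumption standing in for the scheme that password.wiki describes; the user table, project code and word list are constructed sample data.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Assumed layout of a "semi-salted" SHA-1 user-table entry. The salt material
# (user name, project code) is already inside every clone, so an attacker who
# can clone knows all of it. The real Fossil construction is not shown on this
# page; this is only the shape of the problem.
def legacy_hash(user: str, project_code: str, password: str) -> str:
    return hashlib.sha1(f"{user}/{project_code}/{password}".encode()).hexdigest()

# Properly salted, deliberately slow alternative: a random 16-byte nonce plus
# PBKDF2-HMAC-SHA256. Stored as "algo$iterations$salt$dk" so it is self-describing.
ITERATIONS = 100_000

def kdf_hash(password: str, salt: Optional[bytes] = None,
             iterations: int = ITERATIONS) -> str:
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify_kdf(stored: str, password: str) -> bool:
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    # Constant-time comparison so verification itself leaks nothing.
    return hmac.compare_digest(dk.hex(), dk_hex)

# Attacker's view: he cloned the repo, so he has every user name, the project
# code and every hash. One SHA-1 per guess per user; no precomputation possible
# (the per-user salt defeats rainbow tables) but nothing slows the guessing.
def crack_user_table(table: Dict[str, str], project_code: str,
                     wordlist: List[str]) -> Dict[str, str]:
    recovered: Dict[str, str] = {}
    for user, digest in table.items():
        for guess in wordlist:
            if legacy_hash(user, project_code, guess) == digest:
                recovered[user] = guess
                break
    return recovered

# Constructed sample data (not a real project or real users).
PROJECT_CODE = "0123456789abcdef0123456789abcdef01234567"
WORDLIST = ["password", "letmein", "123456", "fossil", "qwerty"]
USER_TABLE = {
    "alice": legacy_hash("alice", PROJECT_CODE, "letmein"),     # weak
    "bob":   legacy_hash("bob", PROJECT_CODE, "Tz7!qP4#mW9v"),  # not in the list
}

if __name__ == "__main__":
    print("recovered from cloned user table:", crack_user_table(USER_TABLE, PROJECT_CODE, WORDLIST))
    stored = kdf_hash("letmein")
    print("kdf entry:", stored)
    print("same password, fresh salt differs:", kdf_hash("letmein") != stored)
    print("verify ok:", verify_kdf(stored, "letmein"), "verify bad:", verify_kdf(stored, "password"))
```

With the legacy layout the attacker's cost per guess is one SHA-1, so a short or dictionary password falls immediately once the clone is in hand; with the KDF entry each guess costs the full iteration count and the random salt means two users sharing a password still produce different entries.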
