On Sat, Feb 1, 2014 at 1:29 PM, Andy Bradford <amb-fos...@bradfords.org> wrote:

> Thus said "Andy Bradford" on 01 Feb 2014 10:04:23 -0700:
>
> > Thus said Kevin Martin on Sat, 01 Feb 2014 09:14:20 +0000:
> >
> > > How  does  fossil authenticate  with  a  server,  does it  send  the
> > > password plaintext? HTTP Basic Auth does!
> >
> > It's not encrypted, no, only base64 encoded.
>
> It seems I misunderstood what Mr.  Martin was asking here. Fossil uses a
> nonce and the password and sends only the SHA1 hash across the wire:
>
> http://www.fossil-scm.org/index.html/doc/trunk/www/password.wiki
>

There are some caveats mentioned in the document Andy linked to that you
should pay attention to:

1. When a user logs into Fossil using the web interface, the login name and
password are sent in the clear to the server.

2. If the USER.PW on the server holds a cleartext password, then the server
will also accept a login-card signature that is constructed using either
the cleartext password ....

The second item relates to compatibility with older clients. Although it is
unlikely anyone is still using Fossil versions that old (older than
2010-01-11 <http://www.fossil-scm.org/index.html/timeline?c=2010-01-10+20:56:30>),
an old enough repository could possibly have cleartext passwords, so I
would recommend converting the passwords as described in the document.

Also, from reading the description of the sync protocol, I'm not sure how
safe the nonce is. The calculation appears to not make use of the current
time nor any other value reasonably unique to the session.
_______________________________________________
fossil-users mailing list
fossil-users@lists.fossil-scm.org
http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users
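The login-card scheme discussed in this thread, as an added Python illustration that is not Fossil's own code and not taken from the linked password.wiki. It models the three points the message makes: the server keeps a SHA1-derived shared secret instead of the password, the client sends only a nonce and a SHA1 signature over that secret, and a server whose USER.PW still holds cleartext accepts signatures built from either form until the passwords are converted. The exact concatenation order, the "/" separator, the nonce being a SHA1 of the message body, the 40-hex-character test for "already hashed", and all names and sample values are assumptions made here for illustration; check the linked document for the real format.

```python
"""Simplified model of a Fossil-style sync login card (illustration only).

ASSUMPTIONS (not verified against Fossil's source): USER.PW after conversion
holds sha1(project-code "/" login "/" password); the nonce is sha1 of the
message body; the signature is sha1(nonce "/" shared-secret); a 40-character
lowercase hex USER.PW is treated as "already hashed".
"""
import hashlib
import hmac
import re

HEX40 = re.compile(r"^[0-9a-f]{40}$")


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def shared_secret(project_code: str, login: str, password: str) -> str:
    # What the server stores in USER.PW once cleartext passwords are converted
    # (assumed layout).
    return sha1_hex(f"{project_code}/{login}/{password}".encode())


def make_nonce(payload: bytes) -> str:
    # The nonce is derived from the message body alone: no clock and no
    # per-session value enter the calculation (the property questioned above).
    return sha1_hex(payload)


def sign(nonce: str, secret: str) -> str:
    return sha1_hex(f"{nonce}/{secret}".encode())


def build_login_card(login: str, secret: str, payload: bytes) -> str:
    # Client side: only the nonce and the SHA1 signature cross the wire.
    nonce = make_nonce(payload)
    return f"login {login} {nonce} {sign(nonce, secret)}"


def verify_login_card(card: str, payload: bytes, user_pw: dict,
                      project_code: str) -> bool:
    # Server side. user_pw maps login -> USER.PW content (hashed or cleartext).
    parts = card.split()
    if len(parts) != 4 or parts[0] != "login":
        return False
    _, login, nonce, signature = parts
    if login not in user_pw or nonce != make_nonce(payload):
        return False
    stored = user_pw[login]
    if HEX40.match(stored):
        accepted = {stored}                      # converted repository
    else:
        # Legacy cleartext USER.PW: accept a signature made from the cleartext
        # password or from the derived shared secret (compatibility path).
        accepted = {stored, shared_secret(project_code, login, stored)}
    return any(hmac.compare_digest(signature, sign(nonce, s)) for s in accepted)


def demo() -> dict:
    """Run the scheme against constructed sample data and report what happens."""
    project = "0123456789abcdef0123456789abcdef01234567"   # constructed project code
    login, password = "alice", "correct horse"             # constructed credentials
    payload = b"file docs/index.wiki 12\nhello, world\n"   # constructed sync body

    legacy_table = {login: password}                                   # cleartext USER.PW
    converted_table = {login: shared_secret(project, login, password)} # after conversion

    secret = shared_secret(project, login, password)
    card_hashed = build_login_card(login, secret, payload)
    card_clear = build_login_card(login, password, payload)

    return {
        "legacy_accepts_hashed": verify_login_card(card_hashed, payload, legacy_table, project),
        "legacy_accepts_cleartext": verify_login_card(card_clear, payload, legacy_table, project),
        "converted_accepts_hashed": verify_login_card(card_hashed, payload, converted_table, project),
        "converted_rejects_cleartext": not verify_login_card(card_clear, payload, converted_table, project),
        "tampered_payload_rejected": not verify_login_card(card_hashed, payload + b"x", converted_table, project),
        # Same body, same secret -> byte-identical card, and it verifies again.
        "identical_payload_replays": build_login_card(login, secret, payload) == card_hashed
                                     and verify_login_card(card_hashed, payload, converted_table, project),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The last entry of `demo()` is the part relevant to the nonce question: because the nonce is a function of the message body only, a client that sends the same body twice produces the same login card twice, and the server accepts it both times. Converting cleartext USER.PW entries (the `converted_table` case) removes the cleartext-signature acceptance path but does not change that property.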