When cloning a repository with the Fossil SCM, the fossil command-line tool outputs something along these lines:
admin-user: quentin (password is "1fa55b")
I wondered whether I needed to note down yet another password, and what it was required for. So I googled a bit, and it turns out (from the Password Management page in the Fossil documentation) this password is used by the repository’s web interface and the Fossil sync protocol.
My Fossil version stores it in cleartext in the repository database, meaning it can easily be retrieved from the command line:
$ fossil version
This is fossil version 1.27 [13ad130920] 2013-09-11 11:43:49 UTC
$ sqlite3 repo.fossil
sqlite> .schema user
CREATE TABLE user(
  uid INTEGER PRIMARY KEY,
  login TEXT UNIQUE,
  pw TEXT,
  cap TEXT,
  cookie TEXT,
  ipaddr TEXT,
  cexpire DATETIME,
  info TEXT,
  mtime DATE,
  photo BLOB
);
sqlite> SELECT login,pw,info FROM user; -- Whole user table:
quentin|1fa55b|
anonymous|F463AD50A48DE1C2|Anon
nobody||Nobody
developer||Dev
reader||Reader
sqlite> SELECT pw FROM user WHERE login='quentin'; -- More targeted query:
1fa55b
Future versions of Fossil may no longer store the credentials as plain text, but rather as 40-character SHA1 hashes. Retrieving the password would then no longer be possible. However, it could still be reset:
$ sqlite3 repo.fossil
sqlite> UPDATE user SET pw='some-cleartext-password' WHERE login='quentin';
$ fossil test-hash-passwords repo.fossil # Convert to SHA1-hashed passwords again
Note that the cleartext password must NOT be 40 characters long so as not to be mistaken for a (most likely invalid) password hash.
Bonus: The project-code Fossil uses to generate its hash is given by the fossil info command. It is also printed when cloning a repository.
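An added example (not from the original post or the Fossil project): a Python audit that reports which logins in a user table still hold a cleartext password, using the 40-character rule above, without ever printing the passwords. The in-memory table (a subset of the real columns), the user alice and the project-code are constructed sample data, and the `project-code/login/password` SHA1 layout in `hashed_form` is an assumption about how the project-code enters the hash.

```python
import hashlib
import sqlite3

PROJECT_CODE = "0" * 40  # constructed placeholder, not a real project-code

def classify_pw(pw):
    """Classify a user.pw value with the 40-character rule from the post."""
    if not pw:
        return "empty"
    return "hashed" if len(pw) == 40 else "cleartext"

def hashed_form(project_code, login, password):
    """SHA1 of 'project-code/login/password' (layout is an assumption)."""
    if len(password) == 40:
        return password  # already treated as a hash, left untouched
    data = f"{project_code}/{login}/{password}".encode()
    return hashlib.sha1(data).hexdigest()

def build_sample_repo():
    """Constructed in-memory stand-in for the user table of repo.fossil."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user(uid INTEGER PRIMARY KEY, login TEXT UNIQUE,"
                 " pw TEXT, cap TEXT, info TEXT)")
    rows = [
        ("quentin", "1fa55b", ""),
        ("anonymous", "F463AD50A48DE1C2", "Anon"),
        ("nobody", "", "Nobody"),
        # constructed user whose password was already converted to a hash
        ("alice", hashed_form(PROJECT_CODE, "alice", "constructed-pw"), ""),
    ]
    conn.executemany("INSERT INTO user(login, pw, info) VALUES (?, ?, ?)", rows)
    return conn

def audit_users(conn):
    """Map each login to its classification; passwords are never returned."""
    rows = conn.execute("SELECT login, pw FROM user ORDER BY uid")
    return {login: classify_pw(pw) for login, pw in rows}

if __name__ == "__main__":
    for login, state in audit_users(build_sample_repo()).items():
        print(f"{login}: {state}")
```

To audit a real repository instead of the sample, pass `audit_users` a read-only connection such as `sqlite3.connect("file:repo.fossil?mode=ro", uri=True)`.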