Fossil admin password

When cloning a repository with the Fossil SCM, the fossil command-line tool outputs something along these lines:

admin-user: quentin (password is "1fa55b")

I wondered whether I needed to note down yet another password, and what it was required for. So I googled a bit, and it turns out (from the Password Management page in the Fossil documentation) this password is used by the repository’s web interface and the Fossil sync protocol.

My Fossil version stores it in cleartext in the repository database, meaning it can easily be retrieved from the command line:

$ fossil version
This is fossil version 1.27 [13ad130920] 2013-09-11 11:43:49 UTC
$ sqlite3 repo.fossil
sqlite> .schema user
CREATE TABLE user(
  uid INTEGER PRIMARY KEY,
  login TEXT UNIQUE,
  pw TEXT,
  cap TEXT,
  cookie TEXT,
  ipaddr TEXT,
  cexpire DATETIME,
  info TEXT,
  mtime DATE,
  photo BLOB
);
sqlite> SELECT login,pw,info FROM user;                -- Whole user table:
quentin|1fa55b|
anonymous|F463AD50A48DE1C2|Anon
nobody||Nobody
developer||Dev
reader||Reader
sqlite> SELECT pw FROM user WHERE login='quentin';     -- More targeted query:
1fa55b

Future versions of Fossil may no longer store the credentials as plain text, but rather as 40-character SHA1 hashes. Retrieving the password would then no longer be possible. However, it could still be reset:

$ sqlite3 repo.fossil
sqlite> UPDATE user SET pw='some-cleartext-password' WHERE login='quentin';
$ fossil test-hash-passwords repo.fossil     # Convert to SHA1-hashed passwords again

Note that the cleartext password must NOT be 40 characters long, so as not to be mistaken for a (most likely invalid) password hash.

Bonus: The project-code Fossil uses to generate its hash is given by the fossil info command. It is also printed when cloning a repository.
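As an added example (not from this post or from Fossil itself), here is a small Python audit of a repository's user table: it flags which accounts still hold a cleartext password, and computes the hash that a later fossil test-hash-passwords would store for a reset password, refusing the 40-character case from the note above. It assumes the project-code sits in Fossil's config table under the name 'project-code', and that the hash is SHA1 over "project-code/login/password" as in Fossil's password.c; the sample repository and its project-code value are constructed inline.

```python
import hashlib
import re
import sqlite3

SHA1_HEX = re.compile(r"^[0-9a-f]{40}$", re.IGNORECASE)
# Constructed sample repo: user rows copied from the sqlite3 listing above; the
# config table (assumed Fossil layout) holds a made-up project-code.
SAMPLE_SQL = """
CREATE TABLE config(name TEXT PRIMARY KEY, value CLOB);
INSERT INTO config VALUES('project-code','0123456789abcdef0123456789abcdef01234567');
CREATE TABLE user(uid INTEGER PRIMARY KEY, login TEXT UNIQUE, pw TEXT, cap TEXT,
  cookie TEXT, ipaddr TEXT, cexpire DATETIME, info TEXT, mtime DATE, photo BLOB);
INSERT INTO user(login,pw,info) VALUES('quentin','1fa55b','');
INSERT INTO user(login,pw,info) VALUES('anonymous','F463AD50A48DE1C2','Anon');
INSERT INTO user(login,pw,info) VALUES('nobody','','Nobody');
"""

def open_sample_repo():
    """Build the constructed repository in memory so the audit runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SAMPLE_SQL)
    return conn

def classify_pw(pw):
    """Empty = login disabled; 40 hex chars = SHA1 hash; anything else = cleartext."""
    if not pw:
        return "empty"
    if SHA1_HEX.match(pw):
        return "sha1-hash"
    return "cleartext"

def audit_users(conn):
    """Map each login in the user table to how its password is stored."""
    rows = conn.execute("SELECT login, pw FROM user").fetchall()
    return {login: classify_pw(pw) for login, pw in rows}

def fossil_password_hash(project_code, login, password):
    """SHA1 over 'project-code/login/password' (assumption: this is the
    construction in Fossil's password.c; the post only names the project-code)."""
    data = f"{project_code}/{login}/{password}".encode()
    return hashlib.sha1(data).hexdigest()

def hash_for_reset(conn, login, new_password):
    """Hash that `fossil test-hash-passwords` would store after the UPDATE above.
    A 40-character cleartext is refused: Fossil would take it for a hash."""
    if len(new_password) == 40:
        raise ValueError("cleartext password must not be 40 characters long")
    (project_code,) = conn.execute(
        "SELECT value FROM config WHERE name='project-code'").fetchone()
    return fossil_password_hash(project_code, login, new_password)
```

Point open_sample_repo's connect call at a real repo.fossil (read-only) to audit it; any login reported as "cleartext" is recoverable exactly as shown in the sqlite3 session above.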
