Fossil SCM
Documentation on FOSSIL_SECURITY_LEVEL.
Commit
2b964533da914f5e394d4c3c1903ea011390798a
Parent
d064213b905d50e…
1 file changed
+26
| --- www/encryptedrepos.wiki | ||
| +++ www/encryptedrepos.wiki | ||
| @@ -38,6 +38,32 @@ | ||
| 38 | 38 | command which prompts for the password just once, then reuses it for each |
| 39 | 39 | subsequent Fossil command entered at the prompt. |
| 40 | 40 | <p> |
| 41 | 41 | On Windows, the "fossil server", "fossil ui", and "fossil shell" commands do not |
| 42 | 42 | (currently) work on an encrypted repository. |
| 43 | +</blockquote> | |
| 44 | +<h2>Additional Security</h2><blockquote> | |
| 45 | +Use the FOSSIL_SECURITY_LEVEL environment for additional protection. | |
| 46 | +<blockquote><pre> | |
| 47 | +export FOSSIL_SECURITY_LEVEL=1 | |
| 48 | +</pre></blockquote> | |
| 49 | +A setting of 1 or greater | |
| 50 | +prevents fossil from trying to remember the previous sync password. Setting | |
| 51 | +<blockquote><pre> | |
| 52 | +export FOSSIL_SECURITY_LEVEL=2 | |
| 53 | +</pre></blockquote> | |
| 54 | +A setting of 2 or greater | |
| 55 | +causes all password prompts to be preceeded by a random translation matrix similar | |
| 56 | +to the following: | |
| 57 | +<blockquote><pre> | |
| 58 | +abcde fghij klmno pqrst uvwyz | |
| 59 | +qresw gjymu dpcoa fhkzv inlbt | |
| 60 | +</pre></blockquote> | |
| 61 | +When entering the password, the user must substitute the letter on the second | |
| 62 | +line that corresponds to the letter on the first line. Uppercase substitutes | |
| 63 | +for uppercase inputs, and lowercase substitutes for lowercase inputs. Letters | |
| 64 | +that are not in the translation matrix (digits, punctuation, and "x") are not | |
| 65 | +modified. For example, given the | |
| 66 | +translation matrix above, if the password is "pilot-9crazy-xube", then the user | |
| 67 | +must type "fmpav-9ekqtb-xirw". This simple substitution cypher helps prevent | |
| 68 | +password capture by keyloggers. | |
| 43 | 69 | </blockquote> |
| 44 | 70 |
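Review bot: The added sentence at new line 50 ends with a stray "Setting" before the second <pre> block, which leaves a fragment because the next paragraph starts over with "A setting of 2 or greater"; drop the trailing word. At new line 45, "Use the FOSSIL_SECURITY_LEVEL environment" should read "environment variable", and "preceeded" at new line 55 should be "preceded". The worked example checks out against the matrix shown ("pilot-9crazy-xube" maps to "fmpav-9ekqtb-xirw", with "x", the digit and the hyphens unchanged). The closing claim at new lines 67-68 that the substitution "helps prevent password capture by keyloggers" would be more accurate if it stated its limit: the matrix is printed before the prompt, so the protection holds only against a logger that records keystrokes and not the terminal output or screen. It would also help to say explicitly whether a fresh matrix is generated for every prompt, since the text only says "random".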