Option to set unhashed password in config.xml

quater · September 12, 2017, 6:15pm

This topic is about making a case so that a currently present feature will not be removed from Syncthing in the future.

This article refers to the GitHub issue Option to set unhashed password in config.xml · Issue #931 · syncthing/syncthing · GitHub, where Jakob Borg mentioned that this feature cited: “might go away at any time”.

Use Case: When doing automatic Syncthing deployments, it makes sense to configure Syncthing GUI user and password automatically too. The way this normally works with configuration management is that passwords are stored in an encrypted key store (e.g. Ansible vault, Hashicorp vault or the like). During the deployment, those secrets are retrieved from the vault and securely transferred to the target machine where configuration takes place. In case of Syncthing, it is not feasible to work with the password hash since the hash will only work on a particular machine. Deploying a new instance of Syncthing renders a previously obtained password hash as useless. In the light of this it makes sense when Syncthing continuous to allow a clear text password to be inserted into the config.xml. As of version 0.14.37, this clear text password gets converted to a hash on Syncthing restart. With automated deployment, this clear text password only lives there for a millisecond.

So please do not remove this feature from Syncthing in the future!

PS: Unless there is an API to configure the password.

calmh · September 12, 2017, 6:56pm

You’re late to the game. We removed handling plaintext passwords in 0.12.0 all of two years ago. The issue you quote is three years old.

You can of course post the password via the API. This is what happens when you set it in the GUI.

The password hash is definitely not machine specific. You can move it around as you please.

quater · September 12, 2017, 7:14pm

Thank you for the response and clarification. Based on your feedback I realized there is an API… I will use that for setting the password now.

However I am a bit confused as you stated it was all removed about two years ago. When I provide a clear text password in the config.xml, it replaces it with its corresponding hash. Though, this only works once when doing it the very first time. When I re-run my deployment to change the password in the config.xml, it never again tries to convert it to a hash.

calmh · September 12, 2017, 8:01pm

It doesn’t do that for me, not sure what you’re seeing really.