The fact is that
>>> CRYPT()('NewFish04pw')=="pbkdf2(1000,20,sha512)$a94f2bd3a071cfa8$69e71be8683802edbb83dfc2cb97dfea97ab76c0"
False
because the stored hashed password depends on the salt but also on the key
stored in private/auth.key and I do not know what that is.
On Saturday, 8 December 2012 14:26:25 UTC-6, JoeCodeswell wrote:
>
> Sure, Niphlod. I didn't see your post before i posted my comment about my
> local ubuntu machine which seems to behave like my local windows machine.
>
> 1. can we see how auth is instantiated in your app ?
>
> In db.py
> from gluon.tools import Auth, Crud, Service, PluginManager, prettydate
> auth = Auth(db, hmac_key=Auth.get_or_create_key())
>
> 2. can you pass us the database (or just one of the auth_user records
> along with the "unencrypted password")
>
> Here's part of the csv export from webfaction. This is the entry that is
> awaiting approval. I have no problem giving this out because it is a dummy
> that i created to test approval.
>
> auth_user.id,auth_user.first_name,auth_user.last_name,auth_user.email,auth_user.password,auth_user.registration_key,auth_user.reset_password_key,auth_user.registration_id
> 5,New,Person,[email protected],"pbkdf2(1000,20,sha512)$a94f2bd3a071cfa8$69e71be8683802edbb83dfc2cb97dfea97ab76c0",pending,,
>
> Here's the unencrypted pw: NewFish04pw
>
> Thanks for the help, Niphlod.
>
> Love and peace,
>
> Joe
>
>
> On Saturday, December 8, 2012 11:54:09 AM UTC-8, Niphlod wrote:
>>
>> Thanks Joe...
>> 1. can we see how auth is instantiated in your app ?
>> 2. can you pass us the database (or just one of the auth_user records
>> along with the "unencrypted password")
>>
>> With those, we could easily reproduce the behaviour (i.e. trying to login
>> in the app with the password with exactly your auth_user records) and see
>> what is going on....
>>
>> On Saturday, December 8, 2012 8:18:58 PM UTC+1, JoeCodeswell wrote:
>>>
>>> Hi Niphlod,
>>>
>>> Here is my report on your suggestion:
>>>
>>>> BTW3: to pass around an app just log into admin and hit "create
>>>> package" (or tar.gz the entire applications/myapp folder and load it
>>>> locally with "upload package")
>>>
>>> On webfaction-web2py-admin:
>>> for myapp clicked the "Pack all" button & downloaded
>>> "web2py.app.myapp.w2p" to myLocalMachine
>>> On myLocalMachine in web2py-admin :
>>>
>>> 1. deleted myapp
>>> 2. in Upload and install packed application:
>>>    1. Application name: myapp
>>>    2. Upload a package: path-to/ web2py.app.myapp.w2p
>>>    3. Or Get from URL: <LEFT BLANK>
>>>    4. [ ] Overwrite installed app # left this checkbox UNCHECKED
>>>    5. Clicked "Install"
>>>    6. Flash said: application myapp installed with md5sum:
>>>       7632e93e985802371a0071a4daca49c7
>>>
>>> TO TEST
>>> 1. Tried logging in with all 4 {email, pw} sets that work on webfaction:
>>>    RESULT:
>>>    myLocalMachine COULD NOT LOGIN - returning to the login page without
>>>    comment.
>>>    webfaction LOGINS JUST FINE
>>> 2. There is one user on webfaction waiting registration approval.
>>>    Testing that {email,pw} RESULT
>>>    myLocalMachine COULD NOT LOGIN - returning to the login page without
>>>    comment.
>>>    webfaction FLASH RESPONSE - "Registration is pending approval"
>>> 3. Inspecting myLocalMachine in Database Administration RESULT:
>>>    a. all 5 of the users on webfaction are also on myLocalMachine
>>>    b. all 5 of the users on myLocalMachine have passwords that begin
>>>       with "pbkdf2(1000,20,sha512)$"
>>> 4. On myLocalMachine in Database Administration,
>>>    a. I click [ insert new auth_user ] and insert
>>>       First name: local
>>>       Last name: user
>>>       E-mail: [email protected]
>>>       Password: localuserpw
>>>       Registration key: none
>>>       Reset Password key: none
>>>       Registration identifier: none
>>>    b. RESULTS:
>>>       1. flash response: new record inserted
>>>       2. Password for [email protected] begins with
>>>          "pbkdf2(1000,20,sha512)$" NOT "sha512" as in my original post.
>>>       3. On myLocalMachine, when i try to login with { [email protected],
>>>          localuserpw} - COULD NOT LOGIN
>>>          - it returned to the login page without comment.
>>>
>>> OK so I think I still need some help with "fix"ing CRYPT differences
>>> between Windows and Linux.
>>>
>>> Thanks in advance.
>>>
>>> Love and peace,
>>>
>>> Joe
>>>
>>> On Thursday, December 6, 2012 4:34:23 PM UTC-8, JoeCodeswell wrote:
>>>>
>>>> Dear Niphlod,
>>>>
>>>> Thanks for the reply.
>>>>
>>>>> appadmin.py ships with the application, so if you really copied the
>>>>> "controllers" folder you'd have the same file.
>>>>
>>>> Of course you are right. I only copied the files i [thought i] had
>>>> changed. That's why i was surprised to find that
>>>> appadmin.py.windows != appadmin.py.linux
>>>>
>>>>> BTW, pbkdf2 was introduced ~2 months ago
>>>>
>>>> I created myapp on the Linux [webfaction] machine yesterday. I tried to
>>>> copy it to my Windows [home] machine today.
>>>>
>>>>> BTW2: if you copied an app that used the sha512 algo and tried to load
>>>>> it into a *newer* web2py release...
>>>>
>>>> I am trying to copy myapp FROM the Linux [webfaction] machine TO my
>>>> Windows [home] machine. When I created myapp on the Linux machine, I
>>>> created a myapp using the "New simple application create" function. I
>>>> never
>>>> [to my knowledge] altered anything related to CRYPT. So i believe the
>>>> pbkdf2 algo was generated at app creation time on the Linux [webfaction]
>>>> machine.
>>>>
>>>>> BTW3: to pass around an app just ...
>>>>
>>>> Thanks BIG TIME for this. I will try these suggestions.
>>>>
>>>>> BTW4: I seem to recall that very old python calculated hashes
>>>>> differently.
>>>>
>>>> I am using python 2.7 on BOTH the Windows and Linux machines.
>>>>
>>>> Thanks for the responses, Niphlod. I'll report back after trying BTW3.
>>>>
>>>> Thanks again, Niphlod.
>>>>
>>>> Love and peace,
>>>>
>>>> Joe
>>>>
>>>>
>>>> On Thursday, December 6, 2012 12:19:40 PM UTC-8, Niphlod wrote:
>>>>>
>>>>> appadmin.py ships with the application, so if you really copied the
>>>>> "controllers" folder you'd have the same file.
>>>>> BTW, pbkdf2 was introduced ~2 months ago.
>>>>> BTW2: if you copied an app that used the sha512 algo and tried to load
>>>>> it into a *newer* web2py release, as soon as the user entered the
>>>>> password would be updated to the pbkdf2 algo (unless you were using some
>>>>> explicit IS_CRYPT() validator or the auth_key param on auth, I think).
>>>>> BTW3: to pass around an app just log into admin and hit "create
>>>>> package" (or tar.gz the entire applications/myapp folder and load it
>>>>> locally with "upload package")
>>>>> BTW4: I seem to recall that very old python calculated hashes
>>>>> differently. However, it would not be the case unless BTW2 (some fixed
>>>>> auth_key in auth instantiation or explicit IS_CRYPT() validator)
>>>>>
>>>>>
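
Added example (not part of the thread and not web2py's own code): a sketch of why a keyed password hash copied to another machine stops verifying when the key file is not copied with it. The stored-value format is the one shown in the thread; the way the key is mixed in (`derive`) and all sample values are assumptions made for illustration.

```python
import hashlib
import hmac
import re

# Stored format seen in the thread: "pbkdf2(iterations,keylen,alg)$salt$hexdigest"
_FORMAT = re.compile(r"^pbkdf2\((\d+),(\d+),(\w+)\)\$([^$]*)\$([0-9a-f]+)$")


def parse_stored(stored):
    """Split a stored value into (iterations, keylen, alg, salt, hexdigest)."""
    m = _FORMAT.match(stored)
    if m is None:
        raise ValueError("not a pbkdf2(...)$salt$hash value")
    iterations, keylen, alg, salt, digest = m.groups()
    return int(iterations), int(keylen), alg, salt, digest


def derive(password, salt, key, iterations, keylen, alg):
    """ASSUMED construction: the site key is mixed in with HMAC before PBKDF2.

    This is a stand-in for "the hash depends on the salt and on a key";
    it is not taken from web2py's source.
    """
    keyed = hmac.new(key.encode(), password.encode(), alg).digest()
    raw = hashlib.pbkdf2_hmac(alg, keyed, salt.encode(), iterations, keylen)
    return raw.hex()


def make_stored(password, salt, key, iterations=1000, keylen=20, alg="sha512"):
    """Build a stored value in the same textual format as the thread's record."""
    digest = derive(password, salt, key, iterations, keylen, alg)
    return "pbkdf2(%d,%d,%s)$%s$%s" % (iterations, keylen, alg, salt, digest)


def verify(password, stored, key):
    """Recompute with the local key and compare in constant time."""
    iterations, keylen, alg, salt, digest = parse_stored(stored)
    candidate = derive(password, salt, key, iterations, keylen, alg)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    # Constructed sample values; the keys stand for two installs' key files.
    server_key, local_key = "constructed-server-key", "constructed-local-key"
    record = make_stored("constructed-password", "0123456789abcdef", server_key)
    print(verify("constructed-password", record, server_key))  # same key
    print(verify("constructed-password", record, local_key))   # different key
```
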