Thanks for the response, Massimo.
I have the auth.key. However, I am a bit concerned about publishing it here
since I have potential clients that are looking at myapp on webfaction
right now. I am concerned about what i have already published. What do you
suggest I do?
Thanks in advance.
Love and peace,
Joe
On Saturday, December 8, 2012 2:41:52 PM UTC-8, Massimo Di Pierro wrote:
>
> The fact is that
>
> >>>
> CRYPT()('NewFish04pw')=="pbkdf2(1000,20,sha512)$a94f2bd3a071cfa8$69e71be8683802edbb83dfc2cb97dfea97ab76c0"
> False
>
> because the stored hashed password depends on the salt but also on the key
> stores in private/auth.key and I do not know what that is.
>
> On Saturday, 8 December 2012 14:26:25 UTC-6, JoeCodeswell wrote:
>>
>> Sure, Niphlod. I didn't see your post before i posted my comment about my
>> local ubuntu machine which seems to behave like my local windows machine.
>>
>> 1. can we see how auth is istantiated in your app ?
>>
>> In db.py
>> from gluon.tools import Auth, Crud, Service, PluginManager, prettydate
>> auth = Auth(db, hmac_key=Auth.get_or_create_key())
>>
>> 2. can you pass us the database (or just one of the auth_user records
>> along with the "unencrypted password")
>>
>> Here's part of the csv export from webfaction. This is the entry that is
>> awaiting approval. I have no problem giving this out because it is a dummy
>> that i created to test approval.
>>
>> auth_user.id
>> ,auth_user.first_name,auth_user.last_name,auth_user.email,auth_user.password,auth_user.registration_key,auth_user.reset_password_key,auth_user.registration_id
>> 5,New,Person,[email protected]
>> ,"pbkdf2(1000,20,sha512)$a94f2bd3a071cfa8$69e71be8683802edbb83dfc2cb97dfea97ab76c0",pending,,
>>
>> Here's the unencrypted pw: NewFish04pw
>>
>> Thanks for the help, Niphlod.
>>
>> Love and peace,
>>
>> Joe
>>
>>
>> On Saturday, December 8, 2012 11:54:09 AM UTC-8, Niphlod wrote:
>>>
>>> Thanks Joe...
>>> 1. can we see how auth is istantiated in your app ?
>>> 2. can you pass us the database (or just one of the auth_user records
>>> along with the "unencrypted password")
>>>
>>> With those, we could easily reproduce the behaviour (i.e. trying to
>>> login in the app with the password with exactly your auth_user records) and
>>> see what is going on....
>>>
>>> On Saturday, December 8, 2012 8:18:58 PM UTC+1, JoeCodeswell wrote:
>>>>
>>>> Hi Niphlod,
>>>>
>>>> Here is my report on your suggestion:
>>>>
>>>>> BTW3: to pass around an app just log into admin and hit "create
>>>>> package" (or tar.gz the entire applications/myapp folder and load it
>>>>> locally with "upload package")
>>>>
>>>> On webfaction-web2py-admin:
>>>> for myapp clicked the "Pack all" button & downloaded
>>>> "web2py.app.myapp.w2p" to myLocalMachine
>>>> On myLocalMachine in web2py-admin :
>>>>
>>>> 1. deleted myapp
>>>> 2. in Upload and install packed application:
>>>> 1. Application name: myapp
>>>> 2. Upload a package: path-to/ web2py.app.myapp.w2p
>>>> 3. Or Get from URL: <LEFT BLANK>
>>>> 4. [ ] Overwrite installed app # left this checkbox
>>>> UNCHECKED
>>>> 5. Clicked "Install"
>>>> 6. Flash said: application myapp installed with md5sum:
>>>> 7632e93e985802371a0071a4daca49c7
>>>>
>>>> TO TEST
>>>> 1. Tried logging in with all 4 {email, pw} sets that work on
>>>> webfaction: RESULT:
>>>> myLocalMachine COULD NOT LOGIN - returning to the login page
>>>> without comment.
>>>> webfaction LOGINS JUST FINE
>>>> 2. There is one user on webfaction waiting registration approval.
>>>> Testing that {email,pw} RESULT
>>>> myLocalMachine COULD NOT LOGIN - returning to the login page
>>>> without comment.
>>>> webfaction FLASH RESPONSE - "Registration is pending
>>>> approval"
>>>> 3. Inspecting myLocalMachine in Database Administration RESULT:
>>>> a. all 5 of the users on webfaction are also on myLocalMachine
>>>> b. all 5 of the users on myLocalMachine have passwords that begin
>>>> with "pbkdf2(1000,20,sha512)$"
>>>> 4. On myLocalMachine in Database Administration,
>>>> a. I click [ insert new auth_user ] and insert
>>>> First name: local
>>>> Last name: user
>>>> E-mail: [email protected]
>>>> Password: localuserpw
>>>> Registration key: none
>>>> Reset Password key: none
>>>> Registration identifier: none
>>>> b. RESULTS:
>>>> 1. flash response: new record inserted
>>>> 2. Password for [email protected] begins with
>>>> "pbkdf2(1000,20,sha512)$" NOT "sha512" as in my original post.
>>>> 3. On myLocalMachine, when i try to login with { [email protected],
>>>> localuserpw} - COULD NOT LOGIN
>>>> - it returned to the login page without comment.
>>>>
>>>> OK so I think I still need some help with "fix"ing CRYPT differences
>>>> between Windows and Linux.
>>>>
>>>> Thanks in advance.
>>>>
>>>> Love and peace,
>>>>
>>>> Joe
>>>>
>>>> On Thursday, December 6, 2012 4:34:23 PM UTC-8, JoeCodeswell wrote:
>>>>>
>>>>> Dear Niphlod,
>>>>>
>>>>> Thanks for the reply.
>>>>>
>>>>> appadmin.py ships with the application, so if you really copied the
>>>>>> "controllers" folder you'd have the same file.
>>>>>
>>>>> Of course you are right. I only copied the files i [thought i] had
>>>>> changed. That's why i was surprised to find that
>>>>> appadmin.py.windows != appadmin.py.linux
>>>>>
>>>>> BTW, pbkdf2 was introduced ~2 months ago
>>>>>>
>>>>> I created myapp on the Linux [webfaction] machine yesterday. I tried
>>>>> to copy it to my Windows [home] machine today.
>>>>>
>>>>> BTW2: if you copied an app that used the sha512 algo an tried to load
>>>>>> it into a *newer* web2py release...
>>>>>
>>>>> I am trying to copy myapp FROM the Linux [webfaction] machine TO my
>>>>> Windows [home] machine. When I created myapp on the Linux machine, I
>>>>> created a myapp using the "New simple application create" function. I
>>>>> never
>>>>> [to my knowledge] altered anything related to CRYPT. So i believe the
>>>>> pbkdf2 algo was generated at app creation time on the Linux [webfaction]
>>>>> machine.
>>>>>
>>>>> BTW3: to pass around an app just ...
>>>>>
>>>>> Thanks BIG TIME for this. I will try these suggestions.
>>>>>
>>>>> BTW4: I seem to recall that very old python calculated hashes
>>>>>> differently.
>>>>>
>>>>> I am using python 2.7 on BOTH the Windows and Linux machines.
>>>>>
>>>>> Thanks for the responses, Niphlod. I'll report back after trying BTW3.
>>>>>
>>>>> Thanks again, Niphlod.
>>>>>
>>>>> Love and peace,
>>>>>
>>>>> Joe
>>>>>
>>>>>
>>>>> On Thursday, December 6, 2012 12:19:40 PM UTC-8, Niphlod wrote:
>>>>>>
>>>>>> appadmin.py ships with the application, so if you really copied the
>>>>>> "controllers" folder you'd have the same file.
>>>>>> BTW, pbkdf2 was introduced ~2 months ago.
>>>>>> BTW2: if you copied an app that used the sha512 algo an tried to load
>>>>>> it into a *newer* web2py release, as soon as the user entered the
>>>>>> password would be updated to the pbkdf2 algo (unless you were using some
>>>>>> explicit IS_CRYPT() validator or the auth_key param on auth, I think).
>>>>>> BTW3: to pass around an app just log into admin and hit "create
>>>>>> package" (or tar.gz the entire applications/myapp folder and load it
>>>>>> locally with "upload package")
>>>>>> BTW4: I seem to recall that very old python calculated hashes
>>>>>> differently. However, it would not be the case unless BTW2 (some fixed
>>>>>> auth_key in auth instantiation or explicit IS_CRYPT() validator)
>>>>>>
>>>>>>
--
