You should not publish your key.

What I am saying is that as long as your key is the same used to create 
the hashes, the CRYPT validators should do the right job.

If you want your dev app and production to share data, they must share the 
same key. 

Another option is not using the key at all. web2py salts all 
passwords. The global key adds an extra layer of security but it is no 
longer as important as it used to be when salting was not done. In fact the 
new welcome no longer creates auth.key.

This makes it easier to share salted passwords between different 
installations of web2py apps.
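An added illustration of the point above, not code from web2py or from this thread: a salted hash in the thread's "pbkdf2(1000,20,sha512)$salt$digest" layout that also depends on a site key kept outside the database, so a second installation verifies it only when it holds the same key. The key-mixing scheme, the key values and the function names are constructed assumptions.

```python
import hashlib
import hmac
import os

# Constructed scheme for illustration: the site key stands in for the role of
# private/auth.key (never stored in the database). This is NOT web2py's own
# implementation; it only shows why dev and prod must share the key.
FORMAT = "pbkdf2(1000,20,sha512)"


def hash_password(password, site_key, salt=None):
    """Return 'pbkdf2(1000,20,sha512)$<salt>$<digest>' for the password."""
    iterations, keylen, alg = FORMAT[7:-1].split(",")
    # 8 random bytes -> 16 hex chars, the salt width seen in the thread.
    salt = salt if salt is not None else os.urandom(8).hex()
    # Mix the secret key in through HMAC before stretching, so the digest
    # depends on the stored salt AND on the out-of-band key.
    keyed = hmac.new(site_key.encode(), password.encode(), alg).digest()
    digest = hashlib.pbkdf2_hmac(alg, keyed, salt.encode(),
                                 int(iterations), int(keylen))
    return "%s$%s$%s" % (FORMAT, salt, digest.hex())


def verify_password(password, stored, site_key):
    """Recompute with the stored salt and compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 3 or parts[0] != FORMAT:
        return False  # unknown layout: never guess, just reject
    candidate = hash_password(password, site_key, parts[1])
    return hmac.compare_digest(candidate, stored)


def demo():
    """Same password, same stored hash; only the verifier's key differs."""
    prod_key = "constructed-production-key"   # what created the hashes
    dev_key = "constructed-development-key"   # a dev box with its own key
    stored = hash_password("NewFish04pw", prod_key)
    return {
        "same_key": verify_password("NewFish04pw", stored, prod_key),
        "other_key": verify_password("NewFish04pw", stored, dev_key),
        "wrong_pw": verify_password("wrong-password", stored, prod_key),
    }


if __name__ == "__main__":
    print(demo())
```

The "other_key" case is the thread's symptom: the record copied from production is intact, but a local install that generated its own key cannot validate it.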


On Monday, 10 December 2012 13:26:55 UTC-6, JoeCodeswell wrote:
>
> Thanks for the response, Massimo.
>
> I have the auth.key. However, I am a bit concerned about publishing it 
> here since I have potential clients that are looking at myapp on webfaction 
> right now. I am concerned about what i have already published.  What do you 
> suggest I do?
>
> Thanks in advance.
>
> Love and peace,
>
> Joe
>
> On Saturday, December 8, 2012 2:41:52 PM UTC-8, Massimo Di Pierro wrote:
>>
>> The fact is that
>>
>> >>> CRYPT()('NewFish04pw')=="pbkdf2(1000,20,sha512)$a94f2bd3a071cfa8$69e71be8683802edbb83dfc2cb97dfea97ab76c0"
>> False
>>
>> because the stored hashed password depends on the salt but also on the 
>> key stored in private/auth.key and I do not know what that is.
>>
>> On Saturday, 8 December 2012 14:26:25 UTC-6, JoeCodeswell wrote:
>>>
>>> Sure, Niphlod. I didn't see your post before I posted my comment about 
>>> my local ubuntu machine which seems to behave like my local windows machine.
>>>
>>> 1. can we see how auth is instantiated in your app ?
>>>
>>> In db.py
>>> from gluon.tools import Auth, Crud, Service, PluginManager, prettydate
>>> auth = Auth(db, hmac_key=Auth.get_or_create_key())
>>>
>>> 2. can you pass us the database (or just one of the auth_user records 
>>> along with the "unencrypted password")
>>>
>>> Here's part of the csv export from webfaction. This is the entry that is 
>>> awaiting approval. I have no problem giving this out because it is a dummy 
>>> that i created to test approval.
>>>
>>> auth_user.id,auth_user.first_name,auth_user.last_name,auth_user.email,auth_user.password,auth_user.registration_key,auth_user.reset_password_key,auth_user.registration_id
>>> 5,New,Person,[email protected],"pbkdf2(1000,20,sha512)$a94f2bd3a071cfa8$69e71be8683802edbb83dfc2cb97dfea97ab76c0",pending,,
>>>
>>> Here's the unencrypted pw: NewFish04pw
>>>
>>> Thanks for the help, Niphlod.
>>>
>>> Love and peace,
>>>
>>> Joe
>>>
>>>
>>> On Saturday, December 8, 2012 11:54:09 AM UTC-8, Niphlod wrote:
>>>>
>>>> Thanks Joe...
>>>> 1. can we see how auth is instantiated in your app ?
>>>> 2. can you pass us the database (or just one of the auth_user records 
>>>> along with the "unencrypted password")
>>>>
>>>> With those, we could easily reproduce the behaviour (i.e. trying to 
>>>> login in the app with the password with exactly your auth_user records) 
>>>> and 
>>>> see what is going on....
>>>>
>>>> On Saturday, December 8, 2012 8:18:58 PM UTC+1, JoeCodeswell wrote:
>>>>>
>>>>> Hi Niphlod,
>>>>>
>>>>> Here is my report on your suggestion:
>>>>>
>>>>>> BTW3: to pass around an app just log into admin and hit "create 
>>>>>> package" (or tar.gz the entire applications/myapp folder and load it 
>>>>>> locally with "upload package")
>>>>>
>>>>> On webfaction-web2py-admin:
>>>>>     for myapp clicked the "Pack all" button & downloaded 
>>>>> "web2py.app.myapp.w2p" to myLocalMachine
>>>>> On  myLocalMachine in web2py-admin :
>>>>>
>>>>>    1. deleted myapp
>>>>>    2. in Upload and install packed application:
>>>>>       1. Application name: myapp
>>>>>       2. Upload a package: path-to/ web2py.app.myapp.w2p 
>>>>>       3. Or Get from URL: <LEFT BLANK>
>>>>>       4. [ ] Overwrite installed app        # left this checkbox 
>>>>>       UNCHECKED
>>>>>       5. Clicked "Install"
>>>>>       6. Flash said: application myapp installed with md5sum: 
>>>>>       7632e93e985802371a0071a4daca49c7
>>>>>    
>>>>> TO TEST
>>>>> 1. Tried logging in with all 4 {email, pw} sets that work on 
>>>>> webfaction: RESULT:
>>>>>     myLocalMachine COULD NOT LOGIN - returning to the login page 
>>>>> without comment.
>>>>>     webfaction          LOGINS JUST FINE
>>>>> 2. There is one user on webfaction waiting registration approval. 
>>>>> Testing that {email,pw} RESULT 
>>>>>     myLocalMachine COULD NOT LOGIN - returning to the login page 
>>>>> without comment.
>>>>>     webfaction          FLASH RESPONSE - "Registration is pending 
>>>>> approval"
>>>>> 3. Inspecting myLocalMachine in Database Administration RESULT:
>>>>>     a. all 5 of the users on webfaction are also on myLocalMachine
>>>>>     b. all 5 of the users on myLocalMachine have passwords that begin 
>>>>> with "pbkdf2(1000,20,sha512)$"
>>>>> 4. On  myLocalMachine in Database Administration, 
>>>>>     a. I click [ insert new auth_user ] and insert
>>>>>         First name: local 
>>>>>         Last name: user 
>>>>>         E-mail: [email protected]
>>>>>         Password: localuserpw
>>>>>         Registration key: none
>>>>>         Reset Password key: none
>>>>>         Registration identifier: none
>>>>>     b. RESULTS:
>>>>>         1. flash response: new record inserted
>>>>>         2. Password for [email protected]  begins with 
>>>>> "pbkdf2(1000,20,sha512)$"  NOT "sha512" as in my original post.
>>>>>         3. On myLocalMachine, when i try to login with { 
>>>>> [email protected], localuserpw} -  COULD NOT LOGIN 
>>>>>                - it returned to the login page without comment. 
>>>>>
>>>>> OK so I think I still need some help with "fix"ing CRYPT differences 
>>>>> between Windows and Linux.
>>>>>
>>>>> Thanks in advance.
>>>>>
>>>>> Love and peace,
>>>>>
>>>>> Joe
>>>>>
>>>>> On Thursday, December 6, 2012 4:34:23 PM UTC-8, JoeCodeswell wrote:
>>>>>>
>>>>>> Dear Niphlod,
>>>>>>
>>>>>> Thanks for the reply.
>>>>>>
>>>>>> appadmin.py ships with the application, so if you really copied the 
>>>>>>> "controllers" folder you'd have the same file. 
>>>>>>
>>>>>> Of course you are right. I only copied the files i [thought i] had 
>>>>>> changed. That's why i was surprised to find that 
>>>>>>     appadmin.py.windows != appadmin.py.linux
>>>>>>
>>>>>> BTW, pbkdf2 was introduced ~2 months ago 
>>>>>>>
>>>>>> I created myapp on the Linux [webfaction] machine yesterday. I tried 
>>>>>> to copy it to my Windows [home] machine today.
>>>>>>
>>>>>> BTW2: if you copied an app that used the sha512 algo and tried to load 
>>>>>>> it into a *newer*  web2py release...
>>>>>>
>>>>>> I am trying to copy myapp FROM the Linux [webfaction] machine TO my 
>>>>>> Windows [home] machine. When I created myapp on the Linux machine, I 
>>>>>> created a myapp using the "New simple application create" function. I 
>>>>>> never 
>>>>>> [to my knowledge] altered anything related to CRYPT. So i believe the 
>>>>>> pbkdf2 algo was generated at app creation time on the Linux [webfaction] 
>>>>>> machine.
>>>>>>
>>>>>>  BTW3: to pass around an app just ... 
>>>>>>
>>>>>> Thanks BIG TIME for this. I will try these suggestions. 
>>>>>>
>>>>>> BTW4: I seem to recall that very old python calculated hashes 
>>>>>>> differently.
>>>>>>
>>>>>> I am using python 2.7 on BOTH the Windows and Linux machines.
>>>>>>
>>>>>> Thanks for the responses, Niphlod. I'll report back after trying BTW3.
>>>>>>
>>>>>> Thanks again, Niphlod.
>>>>>>
>>>>>> Love and peace,
>>>>>>
>>>>>> Joe
>>>>>>
>>>>>>
>>>>>> On Thursday, December 6, 2012 12:19:40 PM UTC-8, Niphlod wrote:
>>>>>>>
>>>>>>> appadmin.py ships with the application, so if you really copied the 
>>>>>>> "controllers" folder you'd have the same file. 
>>>>>>> BTW, pbkdf2 was introduced ~2 months ago. 
>>>>>>> BTW2: if you copied an app that used the sha512 algo and tried to 
>>>>>>> load it into a *newer* web2py release, as soon as the user entered 
>>>>>>> the password would be updated to the pbkdf2 algo (unless you were using 
>>>>>>> some explicit IS_CRYPT() validator or the auth_key param on auth, I 
>>>>>>> think). 
>>>>>>> BTW3: to pass around an app just log into admin and hit "create 
>>>>>>> package" (or tar.gz the entire applications/myapp folder and load it 
>>>>>>> locally with "upload package")
>>>>>>> BTW4: I seem to recall that very old python calculated hashes 
>>>>>>> differently. However, it would not be the case unless BTW2 (some fixed 
>>>>>>> auth_key in auth instantiation or explicit IS_CRYPT() validator)
>>>>>>>
>>>>>>>
