Can you try do this on both machines?
$ python web2py.py -S yourappname -M
>>> print db.auth_user.password.validate('dummy')[0]
Do you get the same output? What are the two python version? 32bits or
64bits?
Massimo
On Tuesday, 11 December 2012 11:01:54 UTC-6, JoeCodeswell wrote:
>
> Dear Massimo,
>
> Thanks for the reply.
>
> I just did a diff between the webfaction private/auth.key file and the
> localWindowsMachine private/auth.key file.
> RESULT: *Files Match*.
>
> History::
>
> *Local Windows Machine*
> In response to Niphlod's BTW3 suggestion, which he made on Dec 6 in this
> thread, to copy FROM webfaction TO my local windows machine I:
> 1. on webfaction used "create package"
> 2. on localWindowsMachine used "upload package"
> You can see the details in my response to Niphlod, made on Dec 8 in this
> thread, starting with "Hi Niphlod, Here is my report on your suggestion:".
>
> *Local Ubuntu Machine*
> ALSO, i used the "create package"/"upload package" technique FROM
> webfaction TO my local Ubuntu Machine. It DID NOT WORK. Please see my Dec 8
> post, starting with: "Dear web2py folks, I also have a local ubuntu ...".
>
> So, to me, there still seems to be a problem.
>
> Thanks for your kelp, Massimo.
>
> Love and peace,
>
> Joe
>
> On Monday, December 10, 2012 4:28:50 PM UTC-8, Massimo Di Pierro wrote:
>>
>> You should not publish your key.
>>
>> What I am saying is that as online as your key is the same used to create
>> the hashes, the CRYPT validators should do the right job.
>>
>> If you want your dev app and production to share data, they must share
>> the same key.
>>
>> Another option is not using the key at all. The web web2py salts all
>> passwords. The global key adds an extra layer of security but it is no
>> longer as important as it used to be when salting was not done. In fact the
>> new welcome no longer creates auth.key.
>>
>> This makes it easier sharing salted passwords between different
>> installations of web2py apps.
>>
>>
>> On Monday, 10 December 2012 13:26:55 UTC-6, JoeCodeswell wrote:
>>>
>>> Thanks for the response, Massimo.
>>>
>>> I have the auth.key. However, I am a bit concerned about publishing it
>>> here since I have potential clients that are looking at myapp on webfaction
>>> right now. I am concerned about what i have already published. What do you
>>> suggest I do?
>>>
>>> Thanks in advance.
>>>
>>> Love and peace,
>>>
>>> Joe
>>>
>>> On Saturday, December 8, 2012 2:41:52 PM UTC-8, Massimo Di Pierro wrote:
>>>>
>>>> The fact is that
>>>>
>>>> >>>
>>>> CRYPT()('NewFish04pw')=="pbkdf2(1000,20,sha512)$a94f2bd3a071cfa8$69e71be8683802edbb83dfc2cb97dfea97ab76c0"
>>>> False
>>>>
>>>> because the stored hashed password depends on the salt but also on the
>>>> key stores in private/auth.key and I do not know what that is.
>>>>
>>>> On Saturday, 8 December 2012 14:26:25 UTC-6, JoeCodeswell wrote:
>>>>>
>>>>> Sure, Niphlod. I didn't see your post before i posted my comment about
>>>>> my local ubuntu machine which seems to behave like my local windows
>>>>> machine.
>>>>>
>>>>> 1. can we see how auth is istantiated in your app ?
>>>>>
>>>>> In db.py
>>>>> from gluon.tools import Auth, Crud, Service, PluginManager, prettydate
>>>>> auth = Auth(db, hmac_key=Auth.get_or_create_key())
>>>>>
>>>>> 2. can you pass us the database (or just one of the auth_user records
>>>>> along with the "unencrypted password")
>>>>>
>>>>> Here's part of the csv export from webfaction. This is the entry that
>>>>> is awaiting approval. I have no problem giving this out because it is a
>>>>> dummy that i created to test approval.
>>>>>
>>>>> auth_user.id
>>>>> ,auth_user.first_name,auth_user.last_name,auth_user.email,auth_user.password,auth_user.registration_key,auth_user.reset_password_key,auth_user.registration_id
>>>>> 5,New,Person,[email protected]
>>>>> ,"pbkdf2(1000,20,sha512)$a94f2bd3a071cfa8$69e71be8683802edbb83dfc2cb97dfea97ab76c0",pending,,
>>>>>
>>>>> Here's the unencrypted pw: NewFish04pw
>>>>>
>>>>> Thanks for the help, Niphlod.
>>>>>
>>>>> Love and peace,
>>>>>
>>>>> Joe
>>>>>
>>>>>
>>>>> On Saturday, December 8, 2012 11:54:09 AM UTC-8, Niphlod wrote:
>>>>>>
>>>>>> Thanks Joe...
>>>>>> 1. can we see how auth is istantiated in your app ?
>>>>>> 2. can you pass us the database (or just one of the auth_user records
>>>>>> along with the "unencrypted password")
>>>>>>
>>>>>> With those, we could easily reproduce the behaviour (i.e. trying to
>>>>>> login in the app with the password with exactly your auth_user records)
>>>>>> and
>>>>>> see what is going on....
>>>>>>
>>>>>> On Saturday, December 8, 2012 8:18:58 PM UTC+1, JoeCodeswell wrote:
>>>>>>>
>>>>>>> Hi Niphlod,
>>>>>>>
>>>>>>> Here is my report on your suggestion:
>>>>>>>
>>>>>>>> BTW3: to pass around an app just log into admin and hit "create
>>>>>>>> package" (or tar.gz the entire applications/myapp folder and load it
>>>>>>>> locally with "upload package")
>>>>>>>
>>>>>>> On webfaction-web2py-admin:
>>>>>>> for myapp clicked the "Pack all" button & downloaded
>>>>>>> "web2py.app.myapp.w2p" to myLocalMachine
>>>>>>> On myLocalMachine in web2py-admin :
>>>>>>>
>>>>>>> 1. deleted myapp
>>>>>>> 2. in Upload and install packed application:
>>>>>>> 1. Application name: myapp
>>>>>>> 2. Upload a package: path-to/ web2py.app.myapp.w2p
>>>>>>> 3. Or Get from URL: <LEFT BLANK>
>>>>>>> 4. [ ] Overwrite installed app # left this checkbox
>>>>>>> UNCHECKED
>>>>>>> 5. Clicked "Install"
>>>>>>> 6. Flash said: application myapp installed with md5sum:
>>>>>>> 7632e93e985802371a0071a4daca49c7
>>>>>>>
>>>>>>> TO TEST
>>>>>>> 1. Tried logging in with all 4 {email, pw} sets that work on
>>>>>>> webfaction: RESULT:
>>>>>>> myLocalMachine COULD NOT LOGIN - returning to the login page
>>>>>>> without comment.
>>>>>>> webfaction LOGINS JUST FINE
>>>>>>> 2. There is one user on webfaction waiting registration approval.
>>>>>>> Testing that {email,pw} RESULT
>>>>>>> myLocalMachine COULD NOT LOGIN - returning to the login page
>>>>>>> without comment.
>>>>>>> webfaction FLASH RESPONSE - "Registration is pending
>>>>>>> approval"
>>>>>>> 3. Inspecting myLocalMachine in Database Administration RESULT:
>>>>>>> a. all 5 of the users on webfaction are also on myLocalMachine
>>>>>>> b. all 5 of the users on myLocalMachine have passwords that
>>>>>>> begin with "pbkdf2(1000,20,sha512)$"
>>>>>>> 4. On myLocalMachine in Database Administration,
>>>>>>> a. I click [ insert new auth_user ] and insert
>>>>>>> First name: local
>>>>>>> Last name: user
>>>>>>> E-mail: [email protected]
>>>>>>> Password: localuserpw
>>>>>>> Registration key: none
>>>>>>> Reset Password key: none
>>>>>>> Registration identifier: none
>>>>>>> b. RESULTS:
>>>>>>> 1. flash response: new record inserted
>>>>>>> 2. Password for [email protected] begins with
>>>>>>> "pbkdf2(1000,20,sha512)$" NOT "sha512" as in my original post.
>>>>>>> 3. On myLocalMachine, when i try to login with {
>>>>>>> [email protected], localuserpw} - COULD NOT LOGIN
>>>>>>> - it returned to the login page without comment.
>>>>>>>
>>>>>>> OK so I think I still need some help with "fix"ing CRYPT differences
>>>>>>> between Windows and Linux.
>>>>>>>
>>>>>>> Thanks in advance.
>>>>>>>
>>>>>>> Love and peace,
>>>>>>>
>>>>>>> Joe
>>>>>>>
>>>>>>> On Thursday, December 6, 2012 4:34:23 PM UTC-8, JoeCodeswell wrote:
>>>>>>>>
>>>>>>>> Dear Niphlod,
>>>>>>>>
>>>>>>>> Thanks for the reply.
>>>>>>>>
>>>>>>>> appadmin.py ships with the application, so if you really copied the
>>>>>>>>> "controllers" folder you'd have the same file.
>>>>>>>>
>>>>>>>> Of course you are right. I only copied the files i [thought i] had
>>>>>>>> changed. That's why i was surprised to find that
>>>>>>>> appadmin.py.windows != appadmin.py.linux
>>>>>>>>
>>>>>>>> BTW, pbkdf2 was introduced ~2 months ago
>>>>>>>>>
>>>>>>>> I created myapp on the Linux [webfaction] machine yesterday. I
>>>>>>>> tried to copy it to my Windows [home] machine today.
>>>>>>>>
>>>>>>>> BTW2: if you copied an app that used the sha512 algo an tried to
>>>>>>>>> load it into a *newer* web2py release...
>>>>>>>>
>>>>>>>> I am trying to copy myapp FROM the Linux [webfaction] machine TO my
>>>>>>>> Windows [home] machine. When I created myapp on the Linux machine, I
>>>>>>>> created a myapp using the "New simple application create" function. I
>>>>>>>> never
>>>>>>>> [to my knowledge] altered anything related to CRYPT. So i believe the
>>>>>>>> pbkdf2 algo was generated at app creation time on the Linux
>>>>>>>> [webfaction]
>>>>>>>> machine.
>>>>>>>>
>>>>>>>> BTW3: to pass around an app just ...
>>>>>>>>
>>>>>>>> Thanks BIG TIME for this. I will try these suggestions.
>>>>>>>>
>>>>>>>> BTW4: I seem to recall that very old python calculated hashes
>>>>>>>>> differently.
>>>>>>>>
>>>>>>>> I am using python 2.7 on BOTH the Windows and Linux machines.
>>>>>>>>
>>>>>>>> Thanks for the responses, Niphlod. I'll report back after trying
>>>>>>>> BTW3.
>>>>>>>>
>>>>>>>> Thanks again, Niphlod.
>>>>>>>>
>>>>>>>> Love and peace,
>>>>>>>>
>>>>>>>> Joe
>>>>>>>>
>>>>>>>>
>>>>>>>> On Thursday, December 6, 2012 12:19:40 PM UTC-8, Niphlod wrote:
>>>>>>>>>
>>>>>>>>> appadmin.py ships with the application, so if you really copied
>>>>>>>>> the "controllers" folder you'd have the same file.
>>>>>>>>> BTW, pbkdf2 was introduced ~2 months ago.
>>>>>>>>> BTW2: if you copied an app that used the sha512 algo an tried to
>>>>>>>>> load it into a *newer* web2py release, as soon as the user
>>>>>>>>> entered the password would be updated to the pbkdf2 algo (unless you
>>>>>>>>> were
>>>>>>>>> using some explicit IS_CRYPT() validator or the auth_key param on
>>>>>>>>> auth, I
>>>>>>>>> think).
>>>>>>>>> BTW3: to pass around an app just log into admin and hit "create
>>>>>>>>> package" (or tar.gz the entire applications/myapp folder and load it
>>>>>>>>> locally with "upload package")
>>>>>>>>> BTW4: I seem to recall that very old python calculated hashes
>>>>>>>>> differently. However, it would not be the case unless BTW2 (some
>>>>>>>>> fixed
>>>>>>>>> auth_key in auth instantiation or explicit IS_CRYPT() validator)
>>>>>>>>>
>>>>>>>>>
--
