Re: [web2py] Re: How to "fix" CRYPT differences between Windows and Linux?
Dear Jonathan,

Thanks for the reply.

You said "... shouldn't be necessary to use the same (or no) salt on different installations for passwords to work correctly ..."

That set me to make an experimental app, to test the passwords, pwt. Here are my notes from that experiment which compares pwt with myORIGappNotReally.

Password test app, pwt/myORIGappNotReally experiment notes:

1. create pwt app via webfaction-web2py browser
   New simple application create
2. register users normally
   a. register as Joe D j...@joe.com pw123joeXX
   b. register as Sam E s...@sam.com pw456samYY
   c. register as Lil F l...@lil.com pw789lilZZ
   d. inspect db_auth_user.csv
      auth_user.id,auth_user.first_name,auth_user.last_name,auth_user.email,auth_user.password,auth_user.registration_key,auth_user.reset_password_key,auth_user.registration_id
      1,Joe,D,j...@joe.com,"pbkdf2(1000,20,sha512)$9754737b2a4d5e86$ef746e588dd237c84ec323d4bc6af40c61a5a014",,,
      2,Sam,E,s...@sam.com,"pbkdf2(1000,20,sha512)$ab52efd4dba487d1$26a994230c6b67577dbc5b6f8bec0f31f6130612",,,
      3,Lil,F,l...@lil.com,"pbkdf2(1000,20,sha512)$9a0141a307768863$9e7cc89a462c75145aa195afbb50f4b53b5fa9c2",,,
3. make registration needs approval = True in db.py
   was: auth.settings.registration_requires_approval = False
   now: auth.settings.registration_requires_approval = True
4. make default.py->index: @auth.requires_login()
5. test all users on webfaction for index
   RESULT all 3
   -are challenged to login at index
   -access index after login OK
6. set global so the app needs https in default.py-> add
   # forces https (this can be done at the function level as well see mdipierro's response
   # http://groups.google.com/group/web2py/browse_thread/thread/834380971cbbf93/b8ff37a450588fba
   session.secure()
7. test pwt app all users on webfaction for index
   RESULT all 3
   -SECURELY: when accessed via https/opera
      -are challenged to login at index
      -access index after login OK
   -NOTSECURELY: when accessed via http/opera
      -are challenged to login at index
      -all are NOT granted access i.e. **returned to login WITHOUT comment [maybe a headshake ]**
8. test myORIGappNotReally on localWindows NOTSECURELY i.e. VIA http/opera
   http://127.0.0.1:8000/myORIGappNotReally/default/user/login?_next=/myORIGappNotReally/default/index
   RESULT 3 of the original users
   -are challenged to login at index
   -all are NOT granted access i.e. **returned to login WITHOUT comment [no noticeable headshake]**
9. test myORIGappNotReally on localWindows SECURELY i.e. VIA https/opera
   Secure connection: fatal error (47)
   https://127.0.0.1:8000/myORIGappNotReally/default/user/login?_next=/myORIGappNotReally/default/index
   Transmission failure. Check that the address is spelled correctly, or try searching for the site.
10. test myORIGappNotReally on localUbuntu SECURELY i.e. VIA https/firefox
   https://127.0.0.1:8000/myORIGappNotReally/default/user/login?_next=/myORIGappNotReally/default/index
   Secure Connection Failed
   An error occurred during a connection to 127.0.0.1:8000. SSL received a record that exceeded the maximum permissible length. (Error code: ssl_error_rx_record_too_long)
   The page you are trying to view cannot be shown because the authenticity of the received data could not be verified. Please contact the website owners to inform them of this problem. Alternatively, use the command found in the help menu to report this broken site.
11. **on myORIGappNotReally on localWindows** in default.py-> **comment out**
   # forces https (this can be done at the function level as well see mdipierro's response
   # http://groups.google.com/group/web2py/browse_thread/thread/834380971cbbf93/b8ff37a450588fba
   session.secure()
12. test myORIGappNotReally on localWindows NOTSECURELY i.e. VIA http/opera
   http://127.0.0.1:8000/myORIGappNotReally/default/user/login?_next=/myORIGappNotReally/default/index
   RESULT 3 of the original users
   -are challenged to login at index
   -**access index after login OK**

*Conclusion*: The myORIGappNotReally app was fine on the localWindows machine. The problem was caused by insecurely accessing an app that had "session.secure()" set.

*Suggestion*: Perhaps a flash notice could be added to the session.secure() implementation to say that this app requires a secure connection. I think I remember seeing one in the past but it wasn't showing up now.

Thanks for the help to you, Jonathan, and Massimo and Niphlod.

Love and peace,

Joe

*P.S. This is NOT part of the tech discussion but my spiritual testimony. Please
Re: [web2py] Re: How to "fix" CRYPT differences between Windows and Linux?
On 12 Dec 2012, at 11:31 AM, JoeCodeswell wrote:
> Thanks, Jonathan. Thanks, Massimo.
>
> Web2py is a GREAT community.

Before we close this thread, I'd like to revisit the reason you were having trouble in the first place. It shouldn't be necessary to use the same (or no) salt on different installations for passwords to work correctly (as long as you use the same key). For example:

In [15]: CRYPT(salt=False)('dummy')[0].__str__()
Out[15]: 'pbkdf2(1000,20,sha512)$$9381f513faf7c848adb9b1d908b62a9391dc2db8'

In [16]: CRYPT(salt=True)('dummy')[0].__eq__('pbkdf2(1000,20,sha512)$$9381f513faf7c848adb9b1d908b62a9391dc2db8')
Out[16]: True

In [25]: CRYPT(salt='anyoldsalt')('dummy')[0].__eq__('pbkdf2(1000,20,sha512)$$9381f513faf7c848adb9b1d908b62a9391dc2db8')
Out[25]: True

All three CRYPT calls generate different salts and hashes, but the results compare equal. Just be sure that you're using the CRYPT object's equality test, and not merely comparing the hash strings.

>
> Thanks, again.
>
> Love and peace,
>
> Joe
>
> On Wednesday, December 12, 2012 10:38:10 AM UTC-8, Jonathan Lundell wrote:
> On 12 Dec 2012, at 10:30 AM, JoeCodeswell wrote:
>> Dear Massimo and Jonathan,
>>
>> In my last post i said "I'm still not sure how to change my app instances, however."
>>
>> I thought about it a little bit and my guess is that i should add
>>
>> db.auth_user.password.requires[0].salt = False
>>
>> someplace in db.py. Is that right?
>>
>> Thanks for the help.
>>
>> Love and peace,
>
> Either that or pass salt=False to the CRYPT constructor. Same effect.
>
> --
Re: [web2py] Re: How to "fix" CRYPT differences between Windows and Linux?
Thanks, Jonathan. Thanks, Massimo.

Web2py is a GREAT community.

Thanks, again.

Love and peace,

Joe

On Wednesday, December 12, 2012 10:38:10 AM UTC-8, Jonathan Lundell wrote:
>
> On 12 Dec 2012, at 10:30 AM, JoeCodeswell wrote:
>
> Dear Massimo and Jonathan,
>
> In my last post i said "I'm still not sure how to change my app instances, however."
>
> I thought about it a little bit and my guess is that i should add
>
> db.auth_user.password.requires[0].salt = False
>
> someplace in db.py. Is that right?
>
> Thanks for the help.
>
> Love and peace,
>
> Either that or pass salt=False to the CRYPT constructor. Same effect.
> --
Re: [web2py] Re: How to "fix" CRYPT differences between Windows and Linux?
On 12 Dec 2012, at 10:30 AM, JoeCodeswell wrote:
> Dear Massimo and Jonathan,
>
> In my last post i said "I'm still not sure how to change my app instances, however."
>
> I thought about it a little bit and my guess is that i should add
>
> db.auth_user.password.requires[0].salt = False
>
> someplace in db.py. Is that right?
>
> Thanks for the help.
>
> Love and peace,

Either that or pass salt=False to the CRYPT constructor. Same effect.

--
Re: [web2py] Re: How to "fix" CRYPT differences between Windows and Linux?
On 12 Dec 2012, at 10:00 AM, JoeCodeswell wrote:
> Jonathan said: "Try this instead: change CRYPT() to CRYPT(salt=False)"
>
> Thanks, Jonathan. I think this is what you mean. Here's what happened.
>
> Windows Try

More like this:

In [10]: CRYPT(salt=False)('NewFish04pw')[0].__str__()
Out[10]: 'pbkdf2(1000,20,sha512)$$034e9451c21af53f71d5507578668626baa4e049'

Notice the absence of salt in the output. You can also provide constant salt:

In [11]: CRYPT(salt='mysalt')('NewFish04pw')[0].__str__()
Out[11]: 'pbkdf2(1000,20,sha512)$mysalt$c3dc684cd467bdf31a08343d28b28a2d678b3b5c'

If you accept the default salt=True, you get a different result every time:

In [12]: CRYPT()('NewFish04pw')[0].__str__()
Out[12]: 'pbkdf2(1000,20,sha512)$bde0e96e24dbcb4f$ed1cedb65b2b04b971b08b9f83d6de440f0f6baa'

In [13]: CRYPT()('NewFish04pw')[0].__str__()
Out[13]: 'pbkdf2(1000,20,sha512)$b5240f5005f1d2ae$ef33928b21356a03d87a56b58938471dd43f7f45'

In [14]: CRYPT()('NewFish04pw')[0].__str__()
Out[14]: 'pbkdf2(1000,20,sha512)$be05901252d7ef64$52308f6cc862ad8aeafdd64c42acc18c47ca15c4'

--
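
Added example (not part of the thread and not web2py's CRYPT code): a stand-alone Python 3 sketch of why the salt=True outputs in this message differ on every call, why comparing a fresh hash to the stored string with == fails, and how verification reuses the salt embedded in the stored value, which is the point of the 11:31 AM reply about using the equality test rather than comparing hash strings. It assumes plain PBKDF2-HMAC from hashlib over the pbkdf2(iterations,keylen,digest)$salt$hash layout seen in the thread and leaves out the hmac_key (private/auth.key), so its digests are not expected to match the ones posted; all function names are invented for the illustration.

```python
import hashlib
import hmac
import os
import re

# Layout of the stored values shown in the thread (assumed, not web2py code):
#   pbkdf2(<iterations>,<key bytes>,<digest>)$<salt>$<hex digest>
STORED_RE = re.compile(r"^pbkdf2\((\d+),(\d+),(\w+)\)\$([^$]*)\$([0-9a-f]+)$")


def parse_stored(stored):
    """Split a stored value into (iterations, keylen, alg, salt, hexdigest)."""
    m = STORED_RE.match(stored)
    if m is None:
        raise ValueError("not a pbkdf2(...)$salt$hash value")
    iterations, keylen, alg, salt, digest = m.groups()
    return int(iterations), int(keylen), alg, salt, digest


def derive(password, salt, iterations=1000, keylen=20, alg="sha512"):
    """PBKDF2-HMAC of the password under the given salt, hex encoded."""
    raw = hashlib.pbkdf2_hmac(alg, password.encode("utf-8"),
                              salt.encode("utf-8"), iterations, keylen)
    return raw.hex()


def make_stored(password, salt=True, iterations=1000, keylen=20, alg="sha512"):
    """salt=True: fresh random salt; salt=False: no salt; str: constant salt."""
    if salt is True:
        salt = os.urandom(8).hex()  # 16 hex characters, new on every call
    elif salt is False:
        salt = ""
    digest = derive(password, salt, iterations, keylen, alg)
    return "pbkdf2(%d,%d,%s)$%s$%s" % (iterations, keylen, alg, salt, digest)


def naive_equal(password, stored):
    """The failing check: hash again (new random salt) and compare strings."""
    return make_stored(password) == stored


def verify(password, stored):
    """Re-derive with the parameters and salt embedded in the stored value."""
    try:
        iterations, keylen, alg, salt, expected = parse_stored(stored)
        if len(expected) != 2 * keylen:
            return False  # truncated or padded digest can never match
        candidate = derive(password, salt, iterations, keylen, alg)
    except ValueError:
        return False  # malformed value, zero iterations, unknown digest
    # Constant-time comparison of the two hex strings.
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    first = make_stored("NewFish04pw")
    second = make_stored("NewFish04pw")
    print(first)
    print(second)
    print("strings equal:      ", first == second)
    print("naive_equal:        ", naive_equal("NewFish04pw", first))
    print("verify (right pw):  ", verify("NewFish04pw", first))
    print("verify (wrong pw):  ", verify("NewFish05pw", first))
    print("constant salt equal:",
          make_stored("NewFish04pw", "mysalt") == make_stored("NewFish04pw", "mysalt"))
```
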
Re: [web2py] Re: How to "fix" CRYPT differences between Windows and Linux?
Jonathan said: "Try this instead: change CRYPT() to CRYPT(salt=False)"

Thanks, Jonathan. I think this is what you mean. Here's what happened.

Windows Try
---
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\joe>cd C:\web2py

C:\web2py>python web2py.py -S myAppNotReally -M
web2py Web Framework
Created by Massimo Di Pierro, Copyright 2007-2012
Version 2.2.1 (2012-10-21 16:57:04) stable
Database drivers available: SQLite(sqlite3), MySQL(pymysql), PostgreSQL(pg8000), IMAP(imaplib)
Python 2.7.3 (default, Apr 10 2012, 23:31:26) [MSC v.1500 32 bit (Intel)]
Type "copyright", "credits" or "license" for more information.

IPython 0.13 -- An enhanced Interactive Python.
?         -> Introduction and overview of IPython's features.
%quickref -> Quick reference.
help      -> Python's own help system.
object?   -> Details about 'object', use 'object??' for extra details.

In [2]: CRYPT(salt=False)('NewFish04pw')== "pbkdf2(1000,20,sha512)$a94f2bd3a071cfa8$69e71be8683802edbb83dfc2cb97dfea97ab7
Out[2]: False

In [3]:

Thanks, Jonathan.

Love and peace,

Joe

On Wednesday, December 12, 2012 9:36:36 AM UTC-8, Jonathan Lundell wrote:
>
> On 12 Dec 2012, at 9:29 AM, JoeCodeswell wrote:
>
> Dear Massimo,
>
> When i tried to
>
> db.auth_user.password.validators[0].salt = False
>
> Here's what happened.
>
> Try this instead: change CRYPT() to CRYPT(salt=False)
> --
Re: [web2py] Re: How to "fix" CRYPT differences between Windows and Linux?
On 12 Dec 2012, at 9:29 AM, JoeCodeswell wrote:
> Dear Massimo,
>
> When i tried to
>
> db.auth_user.password.validators[0].salt = False
>
> Here's what happened.

Try this instead: change CRYPT() to CRYPT(salt=False)

--
Re: [web2py] Re: How to "fix" CRYPT differences between Windows and Linux?
Jonathan is right. I forgot to ask you also set

db.auth_user.password.validators[0].salt = False

I am trying to find out if (for the same salt or no salt) you get the same hash. I suspect not.

On Tuesday, 11 December 2012 18:30:46 UTC-6, Jonathan Lundell wrote:
>
> On 11 Dec 2012, at 4:05 PM, JoeCodeswell wrote:
>
> Dear Massimo,
>
> Here's the answers.
>
> *Can you try do this on both machines?*
>
> *webfaction*
>
> $ python web2py.py -S myappNotReally -M
> web2py Web Framework
> Created by Massimo Di Pierro, Copyright 2007-2012
> Version 2.2.1 (2012-10-21 16:57:04) stable
> Database drivers available: SQLite(sqlite3), MySQL(pymysql), MySQL(MySQLdb), PostgreSQL(psycopg2), PostgreSQL(pg8000), IMAP(imaplib)
> Python 2.7.3 (default, Jun 11 2012, 22:26:11)
> Type "copyright", "credits" or "license" for more information.
>
> IPython 0.12.1
>
> In [51]: webfaction = 'pbkdf2(1000,20,sha512)$ad443a669b5729b7$b7d02805d6681f93d54e95b05611734cbdc93cf9'
>
> In [52]: windows = 'pbkdf2(1000,20,sha512)$975228a4f2f27156$72e54a69f7fb6e1e0a209a45f4ca206d42ebedca'
>
> If you don't specify explicit (and constant) salt, CRYPT will generate a random salt on each call. I'd expect you to get different values on each run, not just on different systems.
> --
Re: [web2py] Re: How to "fix" CRYPT differences between Windows and Linux?
On 11 Dec 2012, at 4:05 PM, JoeCodeswell wrote:
> Dear Massimo,
>
> Here's the answers.
>
> Can you try do this on both machines?
>
> webfaction
>
> $ python web2py.py -S myappNotReally -M
> web2py Web Framework
> Created by Massimo Di Pierro, Copyright 2007-2012
> Version 2.2.1 (2012-10-21 16:57:04) stable
> Database drivers available: SQLite(sqlite3), MySQL(pymysql), MySQL(MySQLdb), PostgreSQL(psycopg2), PostgreSQL(pg8000), IMAP(imaplib)
> Python 2.7.3 (default, Jun 11 2012, 22:26:11)
> Type "copyright", "credits" or "license" for more information.
>
> IPython 0.12.1
>
> In [51]: webfaction = 'pbkdf2(1000,20,sha512)$ad443a669b5729b7$b7d02805d6681f93d54e95b05611734cbdc93cf9'
> In [52]: windows = 'pbkdf2(1000,20,sha512)$975228a4f2f27156$72e54a69f7fb6e1e0a209a45f4ca206d42ebedca'

If you don't specify explicit (and constant) salt, CRYPT will generate a random salt on each call. I'd expect you to get different values on each run, not just on different systems.

--
[web2py] Re: How to "fix" CRYPT differences between Windows and Linux?
Can you try do this on both machines?

$ python web2py.py -S yourappname -M
>>> print db.auth_user.password.validate('dummy')[0]

Do you get the same output? What are the two python versions? 32bits or 64bits?

Massimo

On Tuesday, 11 December 2012 11:01:54 UTC-6, JoeCodeswell wrote:
>
> Dear Massimo,
>
> Thanks for the reply.
>
> I just did a diff between the webfaction private/auth.key file and the localWindowsMachine private/auth.key file.
> RESULT: *Files Match*.
>
> History::
>
> *Local Windows Machine*
> In response to Niphlod's BTW3 suggestion, which he made on Dec 6 in this thread, to copy FROM webfaction TO my local windows machine I:
> 1. on webfaction used "create package"
> 2. on localWindowsMachine used "upload package"
> You can see the details in my response to Niphlod, made on Dec 8 in this thread, starting with "Hi Niphlod, Here is my report on your suggestion:".
>
> *Local Ubuntu Machine*
> ALSO, i used the "create package"/"upload package" technique FROM webfaction TO my local Ubuntu Machine. It DID NOT WORK. Please see my Dec 8 post, starting with: "Dear web2py folks, I also have a local ubuntu ...".
>
> So, to me, there still seems to be a problem.
>
> Thanks for your help, Massimo.
>
> Love and peace,
>
> Joe
>
> On Monday, December 10, 2012 4:28:50 PM UTC-8, Massimo Di Pierro wrote:
>>
>> You should not publish your key.
>>
>> What I am saying is that as long as your key is the same used to create the hashes, the CRYPT validators should do the right job.
>>
>> If you want your dev app and production to share data, they must share the same key.
>>
>> Another option is not using the key at all. The web web2py salts all passwords. The global key adds an extra layer of security but it is no longer as important as it used to be when salting was not done. In fact the new welcome no longer creates auth.key.
>>
>> This makes it easier sharing salted passwords between different installations of web2py apps.
[web2py] Re: How to "fix" CRYPT differences between Windows and Linux?
Dear Massimo,

Thanks for the reply.

I just did a diff between the webfaction private/auth.key file and the localWindowsMachine private/auth.key file.
RESULT: *Files Match*.

History::

*Local Windows Machine*
In response to Niphlod's BTW3 suggestion, which he made on Dec 6 in this thread, to copy FROM webfaction TO my local windows machine I:
1. on webfaction used "create package"
2. on localWindowsMachine used "upload package"
You can see the details in my response to Niphlod, made on Dec 8 in this thread, starting with "Hi Niphlod, Here is my report on your suggestion:".

*Local Ubuntu Machine*
ALSO, i used the "create package"/"upload package" technique FROM webfaction TO my local Ubuntu Machine. It DID NOT WORK. Please see my Dec 8 post, starting with: "Dear web2py folks, I also have a local ubuntu ...".

So, to me, there still seems to be a problem.

Thanks for your help, Massimo.

Love and peace,

Joe

On Monday, December 10, 2012 4:28:50 PM UTC-8, Massimo Di Pierro wrote:
>
> You should not publish your key.
>
> What I am saying is that as long as your key is the same used to create the hashes, the CRYPT validators should do the right job.
>
> If you want your dev app and production to share data, they must share the same key.
>
> Another option is not using the key at all. The web web2py salts all passwords. The global key adds an extra layer of security but it is no longer as important as it used to be when salting was not done. In fact the new welcome no longer creates auth.key.
>
> This makes it easier sharing salted passwords between different installations of web2py apps.
>
> On Monday, 10 December 2012 13:26:55 UTC-6, JoeCodeswell wrote:
>>
>> Thanks for the response, Massimo.
>>
>> I have the auth.key. However, I am a bit concerned about publishing it here since I have potential clients that are looking at myapp on webfaction right now. I am concerned about what i have already published. What do you suggest I do?
[web2py] Re: How to "fix" CRYPT differences between Windows and Linux?
You should not publish your key.

What I am saying is that as long as your key is the same used to create the hashes, the CRYPT validators should do the right job.

If you want your dev app and production to share data, they must share the same key.

Another option is not using the key at all. The web web2py salts all passwords. The global key adds an extra layer of security but it is no longer as important as it used to be when salting was not done. In fact the new welcome no longer creates auth.key.

This makes it easier sharing salted passwords between different installations of web2py apps.

On Monday, 10 December 2012 13:26:55 UTC-6, JoeCodeswell wrote:
>
> Thanks for the response, Massimo.
>
> I have the auth.key. However, I am a bit concerned about publishing it here since I have potential clients that are looking at myapp on webfaction right now. I am concerned about what i have already published. What do you suggest I do?
>
> Thanks in advance.
>
> Love and peace,
>
> Joe
>
> On Saturday, December 8, 2012 2:41:52 PM UTC-8, Massimo Di Pierro wrote:
>>
>> The fact is that
>>
>> >>> CRYPT()('NewFish04pw')=="pbkdf2(1000,20,sha512)$a94f2bd3a071cfa8$69e71be8683802edbb83dfc2cb97dfea97ab76c0"
>> False
>>
>> because the stored hashed password depends on the salt but also on the key stored in private/auth.key and I do not know what that is.
>>
>> On Saturday, 8 December 2012 14:26:25 UTC-6, JoeCodeswell wrote:
>>>
>>> Sure, Niphlod. I didn't see your post before i posted my comment about my local ubuntu machine which seems to behave like my local windows machine.
>>>
>>> 1. can we see how auth is instantiated in your app ?
>>>
>>> In db.py
>>> from gluon.tools import Auth, Crud, Service, PluginManager, prettydate
>>> auth = Auth(db, hmac_key=Auth.get_or_create_key())
>>>
>>> 2. can you pass us the database (or just one of the auth_user records along with the "unencrypted password")
>>>
>>> Here's part of the csv export from webfaction.
[web2py] Re: How to "fix" CRYPT differences between Windows and Linux?
Thanks for the response, Massimo.

I have the auth.key. However, I am a bit concerned about publishing it here since I have potential clients that are looking at myapp on webfaction right now. I am concerned about what i have already published. What do you suggest I do?

Thanks in advance.

Love and peace,

Joe

On Saturday, December 8, 2012 2:41:52 PM UTC-8, Massimo Di Pierro wrote:
>
> The fact is that
>
> >>> CRYPT()('NewFish04pw')=="pbkdf2(1000,20,sha512)$a94f2bd3a071cfa8$69e71be8683802edbb83dfc2cb97dfea97ab76c0"
> False
>
> because the stored hashed password depends on the salt but also on the key stored in private/auth.key and I do not know what that is.
>
> On Saturday, 8 December 2012 14:26:25 UTC-6, JoeCodeswell wrote:
>>
>> Sure, Niphlod. I didn't see your post before i posted my comment about my local ubuntu machine which seems to behave like my local windows machine.
>>
>> 1. can we see how auth is instantiated in your app ?
>>
>> In db.py
>> from gluon.tools import Auth, Crud, Service, PluginManager, prettydate
>> auth = Auth(db, hmac_key=Auth.get_or_create_key())
>>
>> 2. can you pass us the database (or just one of the auth_user records along with the "unencrypted password")
>>
>> Here's part of the csv export from webfaction. This is the entry that is awaiting approval. I have no problem giving this out because it is a dummy that i created to test approval.
>>
>> auth_user.id,auth_user.first_name,auth_user.last_name,auth_user.email,auth_user.password,auth_user.registration_key,auth_user.reset_password_key,auth_user.registration_id
>> 5,New,Person,new...@fowl.com,"pbkdf2(1000,20,sha512)$a94f2bd3a071cfa8$69e71be8683802edbb83dfc2cb97dfea97ab76c0",pending,,
>>
>> Here's the unencrypted pw: NewFish04pw
>>
>> Thanks for the help, Niphlod.
>>
>> Love and peace,
>>
>> Joe
>>
>> On Saturday, December 8, 2012 11:54:09 AM UTC-8, Niphlod wrote:
>>>
>>> Thanks Joe...
>>> 1. can we see how auth is instantiated in your app ?
>>> 2.
[web2py] Re: How to "fix" CRYPT differences between Windows and Linux?
The fact is that

    >>> CRYPT()('NewFish04pw')=="pbkdf2(1000,20,sha512)$a94f2bd3a071cfa8$69e71be8683802edbb83dfc2cb97dfea97ab76c0"
    False

because the stored hashed password depends on the salt but also on the key stored in private/auth.key and I do not know what that is.
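The point made in the reply above, as an added sketch that is not web2py's code and not from any poster: a stored value only verifies when it is recomputed with its own salt and with the same installation key. Only the `pbkdf2(1000,20,sha512)$salt$hash` layout and the sample record come from the thread; the function names, both key strings, and the way the key is mixed in (an HMAC step before PBKDF2) are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import re

# Layout seen in the thread: pbkdf2(<iterations>,<key length>,<hash>)$<salt>$<hex digest>
STORED_RE = re.compile(r"^pbkdf2\((\d+),(\d+),(\w+)\)\$([0-9a-f]+)\$([0-9a-f]+)$")

# Record copied from the CSV export posted in the thread (a dummy account).
PAGE_RECORD = ("pbkdf2(1000,20,sha512)$a94f2bd3a071cfa8$"
               "69e71be8683802edbb83dfc2cb97dfea97ab76c0")


def parse_stored(stored):
    """Split a stored value into (iterations, key length, hash name, salt, digest)."""
    m = STORED_RE.match(stored)
    if m is None:
        raise ValueError("not a pbkdf2(...)$salt$hash value")
    iterations, keylen, alg, salt, digest = m.groups()
    return int(iterations), int(keylen), alg, salt, digest


def _derive(password, site_key, salt, iterations, keylen, alg):
    # ASSUMPTION: the installation key is mixed in with an HMAC over the
    # password before PBKDF2. This stands in for "the hash also depends on
    # a per-installation key"; it is not claimed to be web2py's scheme.
    keyed = hmac.new(site_key.encode(), password.encode(), alg).digest()
    raw = hashlib.pbkdf2_hmac(alg, keyed, salt.encode(), iterations, dklen=keylen)
    return raw.hex()


def hash_password(password, site_key, salt=None,
                  iterations=1000, keylen=20, alg="sha512"):
    """Produce a stored value; a fresh random salt is drawn unless one is given."""
    if salt is None:
        salt = os.urandom(8).hex()  # 16 hex characters, like the salts in the thread
    digest = _derive(password, site_key, salt, iterations, keylen, alg)
    return "pbkdf2(%d,%d,%s)$%s$%s" % (iterations, keylen, alg, salt, digest)


def verify(password, stored, site_key):
    """Recompute with the salt and parameters taken from the stored value."""
    iterations, keylen, alg, salt, digest = parse_stored(stored)
    candidate = _derive(password, site_key, salt, iterations, keylen, alg)
    return hmac.compare_digest(candidate, digest)


def demo():
    server_key = "constructed-server-key"  # stands in for the server's private/auth.key
    local_key = "constructed-local-key"    # a second installation with its own key
    stored = hash_password("NewFish04pw", server_key)
    return {
        # Hashing again draws a new salt, so comparing whole strings fails
        # even with the right password and the right key.
        "fresh_salt_string_equal": hash_password("NewFish04pw", server_key) == stored,
        # Reusing the stored salt with the same key succeeds.
        "same_key": verify("NewFish04pw", stored, server_key),
        # Same password, same salt, different installation key: fails.
        "other_key": verify("NewFish04pw", stored, local_key),
        # Field layout of the record posted in the thread.
        "page_record_fields": parse_stored(PAGE_RECORD)[:4],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```
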
[web2py] Re: How to "fix" CRYPT differences between Windows and Linux?
Sure, Niphlod. I didn't see your post before i posted my comment about my local ubuntu machine which seems to behave like my local windows machine.

> 1. can we see how auth is instantiated in your app ?

In db.py

    from gluon.tools import Auth, Crud, Service, PluginManager, prettydate
    auth = Auth(db, hmac_key=Auth.get_or_create_key())

> 2. can you pass us the database (or just one of the auth_user records
> along with the "unencrypted password")

Here's part of the csv export from webfaction. This is the entry that is awaiting approval. I have no problem giving this out because it is a dummy that i created to test approval.

    auth_user.id,auth_user.first_name,auth_user.last_name,auth_user.email,auth_user.password,auth_user.registration_key,auth_user.reset_password_key,auth_user.registration_id
    5,New,Person,new...@fowl.com,"pbkdf2(1000,20,sha512)$a94f2bd3a071cfa8$69e71be8683802edbb83dfc2cb97dfea97ab76c0",pending,,

Here's the unencrypted pw: NewFish04pw

Thanks for the help, Niphlod.

Love and peace,

Joe
[web2py] Re: How to "fix" CRYPT differences between Windows and Linux?
Dear web2py folks,

I also have a local ubuntu machine. I used the same Upload and install packed application technique as i did for my local windows machine. When i tried to login using 2 of the users that WORK on webfaction myLocalUbuntu machine also FAILED each time - returning to the login page without comment.

Thanks for the help in advance.

Love and peace,

Joe
[web2py] Re: How to "fix" CRYPT differences between Windows and Linux?
Thanks Joe...
1. can we see how auth is instantiated in your app ?
2. can you pass us the database (or just one of the auth_user records along with the "unencrypted password")

With those, we could easily reproduce the behaviour (i.e. trying to login in the app with the password with exactly your auth_user records) and see what is going on
[web2py] Re: How to "fix" CRYPT differences between Windows and Linux?
Hi Niphlod,

Here is my report on your suggestion:

> BTW3: to pass around an app just log into admin and hit "create package"
> (or tar.gz the entire applications/myapp folder and load it locally with
> "upload package")

On webfaction-web2py-admin:
   for myapp clicked the "Pack all" button & downloaded "web2py.app.myapp.w2p" to myLocalMachine
On myLocalMachine in web2py-admin:

   1. deleted myapp
   2. in Upload and install packed application:
      1. Application name: myapp
      2. Upload a package: path-to/ web2py.app.myapp.w2p
      3. Or Get from URL:
      4. [ ] Overwrite installed app   # left this checkbox UNCHECKED
      5. Clicked "Install"
      6. Flash said: application myapp installed with md5sum: 7632e93e985802371a0071a4daca49c7

TO TEST
1. Tried logging in with all 4 {email, pw} sets that work on webfaction: RESULT:
   myLocalMachine COULD NOT LOGIN - returning to the login page without comment.
   webfaction LOGINS JUST FINE
2. There is one user on webfaction waiting registration approval. Testing that {email,pw} RESULT
   myLocalMachine COULD NOT LOGIN - returning to the login page without comment.
   webfaction FLASH RESPONSE - "Registration is pending approval"
3. Inspecting myLocalMachine in Database Administration RESULT:
   a. all 5 of the users on webfaction are also on myLocalMachine
   b. all 5 of the users on myLocalMachine have passwords that begin with "pbkdf2(1000,20,sha512)$"
4. On myLocalMachine in Database Administration,
   a. I click [ insert new auth_user ] and insert
      First name: local
      Last name: user
      E-mail: lo...@here.com
      Password: localuserpw
      Registration key: none
      Reset Password key: none
      Registration identifier: none
   b. RESULTS:
      1. flash response: new record inserted
      2. Password for lo...@here.com begins with "pbkdf2(1000,20,sha512)$" NOT "sha512" as in my original post.
      3. On myLocalMachine, when i try to login with { lo...@here.com, localuserpw} - COULD NOT LOGIN - it returned to the login page without comment.

OK so I think I still need some help with "fix"ing CRYPT differences between Windows and Linux.

Thanks in advance.

Love and peace,

Joe
[web2py] Re: How to "fix" CRYPT differences between Windows and Linux?
Dear Niphlod,

Thanks for the reply.

> appadmin.py ships with the application, so if you really copied the
> "controllers" folder you'd have the same file.

Of course you are right. I only copied the files i [thought i] had changed. That's why i was surprised to find that appadmin.py.windows != appadmin.py.linux

> BTW, pbkdf2 was introduced ~2 months ago

I created myapp on the Linux [webfaction] machine yesterday. I tried to copy it to my Windows [home] machine today.

> BTW2: if you copied an app that used the sha512 algo and tried to load it
> into a *newer* web2py release...

I am trying to copy myapp FROM the Linux [webfaction] machine TO my Windows [home] machine. When I created myapp on the Linux machine, I created a myapp using the "New simple application create" function. I never [to my knowledge] altered anything related to CRYPT. So i believe the pbkdf2 algo was generated at app creation time on the Linux [webfaction] machine.

> BTW3: to pass around an app just ...

Thanks BIG TIME for this. I will try these suggestions.

> BTW4: I seem to recall that very old python calculated hashes differently.

I am using python 2.7 on BOTH the Windows and Linux machines.

Thanks for the responses, Niphlod. I'll report back after trying BTW3.

Thanks again, Niphlod.

Love and peace,

Joe
[web2py] Re: How to "fix" CRYPT differences between Windows and Linux?
appadmin.py ships with the application, so if you really copied the "controllers" folder you'd have the same file.
BTW, pbkdf2 was introduced ~2 months ago.
BTW2: if you copied an app that used the sha512 algo and tried to load it into a *newer* web2py release, as soon as the user entered the password would be updated to the pbkdf2 algo (unless you were using some explicit IS_CRYPT() validator or the auth_key param on auth, I think).
BTW3: to pass around an app just log into admin and hit "create package" (or tar.gz the entire applications/myapp folder and load it locally with "upload package")
BTW4: I seem to recall that very old python calculated hashes differently. However, it would not be the case unless BTW2 (some fixed auth_key in auth instantiation or explicit IS_CRYPT() validator)
[web2py] Re: How to "fix" CRYPT differences between Windows and Linux?
By the way, I was just thinking about a work around for my problem when i decided to do a DIFF between the webfaction controllers/appadmin.py file and the one on windows. THEY ARE DIFFERENT. I did not expect that.

Here is a link to the 2 files, appadmin.py.windows, appadmin.py.linux for download.
http://theo.jdor.webfactional.com/dl/web2py-google-group/2QjSeDaV_K0/

When trying to post this reply on my original post with attachments, i kept getting "An error (#340) occurred while communicating with the server." I tried from both firefox and opera.

Thanks again.

Love and peace,

Joe

On Thursday, December 6, 2012 10:23:54 AM UTC-8, JoeCodeswell wrote:
> Dear web2py folks,
>
> I created myapp on webfaction and demonstrated it to my prospective
> client. Then i wanted to make a dev copy on my windows machine so:
>
>    1. I created myapp on windows. Both windows and webfaction are
>       running web2py version 2.2.1 stable from source, db =
>       DAL('sqlite://storage.sqlite').
>    2. I copied the following directories from webfaction to my windows
>       app [controllers, databases, models, modules, static, uploads, views]
>    3. I fired up myapp on windows and i couldn't Login using any of the
>       user logins i had created on webfaction. Each try just returns to the
>       login page without comment.
>    4. Then i went into the windows edit myapp database administration and
>       added a new user. I noticed that the new user password was enCRYPTed using
>       sha512, whereas the webfaction user passwords were using
>       pbkdf2(1000,20,sha512)
>
> So my question is the following.
>
> What is the proper way to copy the directories from Linux to Windows to
> "fix" the CRYPT differences so that myapp is the same on windows as it is
> on Linux?
>
> Thanks for the help in advance.
>
> Love and peace,
>
> Joe