Thanks for the response, Massimo. I have the auth.key. However, I am a bit concerned about publishing it here since I have potential clients that are looking at myapp on webfaction right now. I am concerned about what I have already published. What do you suggest I do?
Thanks in advance.

Love and peace,

Joe

On Saturday, December 8, 2012 2:41:52 PM UTC-8, Massimo Di Pierro wrote:
>
> The fact is that
>
> >>> CRYPT()('NewFish04pw')=="pbkdf2(1000,20,sha512)$a94f2bd3a071cfa8$69e71be8683802edbb83dfc2cb97dfea97ab76c0"
> False
>
> because the stored hashed password depends on the salt but also on the key
> stored in private/auth.key and I do not know what that is.
>
> On Saturday, 8 December 2012 14:26:25 UTC-6, JoeCodeswell wrote:
>>
>> Sure, Niphlod. I didn't see your post before I posted my comment about my
>> local ubuntu machine which seems to behave like my local windows machine.
>>
>> 1. can we see how auth is instantiated in your app ?
>>
>> In db.py
>> from gluon.tools import Auth, Crud, Service, PluginManager, prettydate
>> auth = Auth(db, hmac_key=Auth.get_or_create_key())
>>
>> 2. can you pass us the database (or just one of the auth_user records
>> along with the "unencrypted password")
>>
>> Here's part of the csv export from webfaction. This is the entry that is
>> awaiting approval. I have no problem giving this out because it is a dummy
>> that I created to test approval.
>>
>> auth_user.id,auth_user.first_name,auth_user.last_name,auth_user.email,auth_user.password,auth_user.registration_key,auth_user.reset_password_key,auth_user.registration_id
>> 5,New,Person,new...@fowl.com,"pbkdf2(1000,20,sha512)$a94f2bd3a071cfa8$69e71be8683802edbb83dfc2cb97dfea97ab76c0",pending,,
>>
>> Here's the unencrypted pw: NewFish04pw
>>
>> Thanks for the help, Niphlod.
>>
>> Love and peace,
>>
>> Joe
>>
>>
>> On Saturday, December 8, 2012 11:54:09 AM UTC-8, Niphlod wrote:
>>>
>>> Thanks Joe...
>>> 1. can we see how auth is instantiated in your app ?
>>> 2. can you pass us the database (or just one of the auth_user records
>>> along with the "unencrypted password")
>>>
>>> With those, we could easily reproduce the behaviour (i.e. trying to
>>> login in the app with the password with exactly your auth_user records) and
>>> see what is going on....
>>>
>>> On Saturday, December 8, 2012 8:18:58 PM UTC+1, JoeCodeswell wrote:
>>>>
>>>> Hi Niphlod,
>>>>
>>>> Here is my report on your suggestion:
>>>>
>>>>> BTW3: to pass around an app just log into admin and hit "create
>>>>> package" (or tar.gz the entire applications/myapp folder and load it
>>>>> locally with "upload package")
>>>>
>>>> On webfaction-web2py-admin:
>>>>    for myapp clicked the "Pack all" button & downloaded
>>>>    "web2py.app.myapp.w2p" to myLocalMachine
>>>> On myLocalMachine in web2py-admin :
>>>>
>>>> 1. deleted myapp
>>>> 2. in Upload and install packed application:
>>>>    1. Application name: myapp
>>>>    2. Upload a package: path-to/ web2py.app.myapp.w2p
>>>>    3. Or Get from URL: <LEFT BLANK>
>>>>    4. [ ] Overwrite installed app # left this checkbox UNCHECKED
>>>>    5. Clicked "Install"
>>>>    6. Flash said: application myapp installed with md5sum:
>>>>       7632e93e985802371a0071a4daca49c7
>>>>
>>>> TO TEST
>>>> 1. Tried logging in with all 4 {email, pw} sets that work on
>>>>    webfaction: RESULT:
>>>>    myLocalMachine COULD NOT LOGIN - returning to the login page
>>>>    without comment.
>>>>    webfaction LOGINS JUST FINE
>>>> 2. There is one user on webfaction waiting registration approval.
>>>>    Testing that {email,pw} RESULT
>>>>    myLocalMachine COULD NOT LOGIN - returning to the login page
>>>>    without comment.
>>>>    webfaction FLASH RESPONSE - "Registration is pending approval"
>>>> 3. Inspecting myLocalMachine in Database Administration RESULT:
>>>>    a. all 5 of the users on webfaction are also on myLocalMachine
>>>>    b. all 5 of the users on myLocalMachine have passwords that begin
>>>>       with "pbkdf2(1000,20,sha512)$"
>>>> 4. On myLocalMachine in Database Administration,
>>>>    a. I click [ insert new auth_user ] and insert
>>>>       First name: local
>>>>       Last name: user
>>>>       E-mail: lo...@here.com
>>>>       Password: localuserpw
>>>>       Registration key: none
>>>>       Reset Password key: none
>>>>       Registration identifier: none
>>>>    b. RESULTS:
>>>>       1. flash response: new record inserted
>>>>       2. Password for lo...@here.com begins with
>>>>          "pbkdf2(1000,20,sha512)$" NOT "sha512" as in my original post.
>>>>       3. On myLocalMachine, when I try to login with { lo...@here.com,
>>>>          localuserpw} - COULD NOT LOGIN
>>>>          - it returned to the login page without comment.
>>>>
>>>> OK so I think I still need some help with "fix"ing CRYPT differences
>>>> between Windows and Linux.
>>>>
>>>> Thanks in advance.
>>>>
>>>> Love and peace,
>>>>
>>>> Joe
>>>>
>>>> On Thursday, December 6, 2012 4:34:23 PM UTC-8, JoeCodeswell wrote:
>>>>>
>>>>> Dear Niphlod,
>>>>>
>>>>> Thanks for the reply.
>>>>>
>>>>>> appadmin.py ships with the application, so if you really copied the
>>>>>> "controllers" folder you'd have the same file.
>>>>>
>>>>> Of course you are right. I only copied the files I [thought I] had
>>>>> changed. That's why I was surprised to find that
>>>>> appadmin.py.windows != appadmin.py.linux
>>>>>
>>>>>> BTW, pbkdf2 was introduced ~2 months ago
>>>>>
>>>>> I created myapp on the Linux [webfaction] machine yesterday. I tried
>>>>> to copy it to my Windows [home] machine today.
>>>>>
>>>>>> BTW2: if you copied an app that used the sha512 algo and tried to load
>>>>>> it into a *newer* web2py release...
>>>>>
>>>>> I am trying to copy myapp FROM the Linux [webfaction] machine TO my
>>>>> Windows [home] machine. When I created myapp on the Linux machine, I
>>>>> created a myapp using the "New simple application create" function. I
>>>>> never [to my knowledge] altered anything related to CRYPT. So I believe the
>>>>> pbkdf2 algo was generated at app creation time on the Linux [webfaction]
>>>>> machine.
>>>>>
>>>>>> BTW3: to pass around an app just ...
>>>>>
>>>>> Thanks BIG TIME for this. I will try these suggestions.
>>>>>
>>>>>> BTW4: I seem to recall that very old python calculated hashes
>>>>>> differently.
>>>>>
>>>>> I am using python 2.7 on BOTH the Windows and Linux machines.
>>>>>
>>>>> Thanks for the responses, Niphlod. I'll report back after trying BTW3.
>>>>>
>>>>> Thanks again, Niphlod.
>>>>>
>>>>> Love and peace,
>>>>>
>>>>> Joe
>>>>>
>>>>>
>>>>> On Thursday, December 6, 2012 12:19:40 PM UTC-8, Niphlod wrote:
>>>>>>
>>>>>> appadmin.py ships with the application, so if you really copied the
>>>>>> "controllers" folder you'd have the same file.
>>>>>> BTW, pbkdf2 was introduced ~2 months ago.
>>>>>> BTW2: if you copied an app that used the sha512 algo and tried to load
>>>>>> it into a *newer* web2py release, as soon as the user entered the
>>>>>> password would be updated to the pbkdf2 algo (unless you were using some
>>>>>> explicit IS_CRYPT() validator or the auth_key param on auth, I think).
>>>>>> BTW3: to pass around an app just log into admin and hit "create
>>>>>> package" (or tar.gz the entire applications/myapp folder and load it
>>>>>> locally with "upload package")
>>>>>> BTW4: I seem to recall that very old python calculated hashes
>>>>>> differently. However, it would not be the case unless BTW2 (some fixed
>>>>>> auth_key in auth instantiation or explicit IS_CRYPT() validator)
>>>>>>
>>>>>> --
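
Added example, not part of the thread and not web2py's own code: a minimal verifier for the stored-hash layout quoted above, showing why a record created under one private/auth.key fails to verify under a different key even though the password and salt are unchanged. The thread does not show how web2py combines the key with the password, so appending the key to the password is an assumption here, as are the names derive, make_stored and verify and all sample values.

```python
import hashlib
import hmac
import re

# Layout seen in the thread: pbkdf2(<iterations>,<keylen>,<alg>)$<salt>$<hex digest>
STORED_RE = re.compile(r"pbkdf2\((\d+),(\d+),(\w+)\)\$([0-9a-f]+)\$([0-9a-f]+)")
ALLOWED_ALGS = {"sha256", "sha512"}


def derive(password, salt, app_key, iterations, keylen, alg):
    # ASSUMPTION: the application key is appended to the password before PBKDF2;
    # the thread does not show how web2py combines the two.
    secret = (password + app_key).encode("utf-8")
    return hashlib.pbkdf2_hmac(alg, secret, salt.encode("ascii"), iterations, keylen).hex()


def make_stored(password, salt, app_key, iterations=1000, keylen=20, alg="sha512"):
    digest = derive(password, salt, app_key, iterations, keylen, alg)
    return "pbkdf2(%d,%d,%s)$%s$%s" % (iterations, keylen, alg, salt, digest)


def verify(password, stored, app_key):
    m = STORED_RE.fullmatch(stored)
    if m is None:
        return False  # unknown or legacy layout: reject rather than guess
    iterations, keylen, alg, salt, expected = m.groups()
    iterations, keylen = int(iterations), int(keylen)
    if alg not in ALLOWED_ALGS or iterations < 1 or keylen < 1:
        return False
    candidate = derive(password, salt, app_key, iterations, keylen, alg)
    return hmac.compare_digest(candidate, expected)  # constant-time comparison


# Constructed sample values, not taken from the thread.
SERVER_KEY = "constructed-server-key"  # stands in for the server's private/auth.key
LOCAL_KEY = "constructed-local-key"    # a different key on the second machine
RECORD = make_stored("example-password", "0123456789abcdef", SERVER_KEY)

if __name__ == "__main__":
    print(RECORD)
    print("same key:     ", verify("example-password", RECORD, SERVER_KEY))
    print("different key:", verify("example-password", RECORD, LOCAL_KEY))
```
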