Dear Massimo, Thanks for the reply.

I just did a diff between the webfaction private/auth.key file and the localWindowsMachine private/auth.key file. RESULT: *Files Match*.

History:

*Local Windows Machine*
In response to Niphlod's BTW3 suggestion, which he made on Dec 6 in this thread, to copy FROM webfaction TO my local windows machine I:
1. on webfaction used "create package"
2. on localWindowsMachine used "upload package"
You can see the details in my response to Niphlod, made on Dec 8 in this thread, starting with "Hi Niphlod, Here is my report on your suggestion:".

*Local Ubuntu Machine*
ALSO, i used the "create package"/"upload package" technique FROM webfaction TO my local Ubuntu Machine. It DID NOT WORK. Please see my Dec 8 post, starting with: "Dear web2py folks, I also have a local ubuntu ...".

So, to me, there still seems to be a problem.

Thanks for your help, Massimo.

Love and peace,

Joe

On Monday, December 10, 2012 4:28:50 PM UTC-8, Massimo Di Pierro wrote:
>
> You should not publish your key.
>
> What I am saying is that as long as your key is the same used to create the hashes, the CRYPT validators should do the right job.
>
> If you want your dev app and production to share data, they must share the same key.
>
> Another option is not using the key at all. web2py salts all passwords. The global key adds an extra layer of security but it is no longer as important as it used to be when salting was not done. In fact the new welcome no longer creates auth.key.
>
> This makes it easier sharing salted passwords between different installations of web2py apps.
>
>
> On Monday, 10 December 2012 13:26:55 UTC-6, JoeCodeswell wrote:
>>
>> Thanks for the response, Massimo.
>>
>> I have the auth.key. However, I am a bit concerned about publishing it here since I have potential clients that are looking at myapp on webfaction right now. I am concerned about what i have already published. What do you suggest I do?
>>
>> Thanks in advance.
>>
>> Love and peace,
>>
>> Joe
>>
>> On Saturday, December 8, 2012 2:41:52 PM UTC-8, Massimo Di Pierro wrote:
>>>
>>> The fact is that
>>>
>>> CRYPT()('NewFish04pw')=="pbkdf2(1000,20,sha512)$a94f2bd3a071cfa8$69e71be8683802edbb83dfc2cb97dfea97ab76c0"
>>> False
>>>
>>> because the stored hashed password depends on the salt but also on the key stored in private/auth.key and I do not know what that is.
>>>
>>> On Saturday, 8 December 2012 14:26:25 UTC-6, JoeCodeswell wrote:
>>>>
>>>> Sure, Niphlod. I didn't see your post before i posted my comment about my local ubuntu machine which seems to behave like my local windows machine.
>>>>
>>>> 1. can we see how auth is instantiated in your app ?
>>>>
>>>> In db.py
>>>> from gluon.tools import Auth, Crud, Service, PluginManager, prettydate
>>>> auth = Auth(db, hmac_key=Auth.get_or_create_key())
>>>>
>>>> 2. can you pass us the database (or just one of the auth_user records along with the "unencrypted password")
>>>>
>>>> Here's part of the csv export from webfaction. This is the entry that is awaiting approval. I have no problem giving this out because it is a dummy that i created to test approval.
>>>>
>>>> auth_user.id,auth_user.first_name,auth_user.last_name,auth_user.email,auth_user.password,auth_user.registration_key,auth_user.reset_password_key,auth_user.registration_id
>>>> 5,New,Person,new...@fowl.com,"pbkdf2(1000,20,sha512)$a94f2bd3a071cfa8$69e71be8683802edbb83dfc2cb97dfea97ab76c0",pending,,
>>>>
>>>> Here's the unencrypted pw: NewFish04pw
>>>>
>>>> Thanks for the help, Niphlod.
>>>>
>>>> Love and peace,
>>>>
>>>> Joe
>>>>
>>>> On Saturday, December 8, 2012 11:54:09 AM UTC-8, Niphlod wrote:
>>>>>
>>>>> Thanks Joe...
>>>>> 1. can we see how auth is instantiated in your app ?
>>>>> 2. can you pass us the database (or just one of the auth_user records along with the "unencrypted password")
>>>>>
>>>>> With those, we could easily reproduce the behaviour (i.e. trying to login in the app with the password with exactly your auth_user records) and see what is going on....
>>>>>
>>>>> On Saturday, December 8, 2012 8:18:58 PM UTC+1, JoeCodeswell wrote:
>>>>>>
>>>>>> Hi Niphlod,
>>>>>>
>>>>>> Here is my report on your suggestion:
>>>>>>
>>>>>>> BTW3: to pass around an app just log into admin and hit "create package" (or tar.gz the entire applications/myapp folder and load it locally with "upload package")
>>>>>>
>>>>>> On webfaction-web2py-admin:
>>>>>> for myapp clicked the "Pack all" button & downloaded "web2py.app.myapp.w2p" to myLocalMachine
>>>>>> On myLocalMachine in web2py-admin :
>>>>>>
>>>>>> 1. deleted myapp
>>>>>> 2. in Upload and install packed application:
>>>>>>    1. Application name: myapp
>>>>>>    2. Upload a package: path-to/ web2py.app.myapp.w2p
>>>>>>    3. Or Get from URL: <LEFT BLANK>
>>>>>>    4. [ ] Overwrite installed app # left this checkbox UNCHECKED
>>>>>>    5. Clicked "Install"
>>>>>>    6. Flash said: application myapp installed with md5sum: 7632e93e985802371a0071a4daca49c7
>>>>>>
>>>>>> TO TEST
>>>>>> 1. Tried logging in with all 4 {email, pw} sets that work on webfaction: RESULT:
>>>>>>    myLocalMachine COULD NOT LOGIN - returning to the login page without comment.
>>>>>>    webfaction LOGINS JUST FINE
>>>>>> 2. There is one user on webfaction waiting registration approval. Testing that {email,pw} RESULT
>>>>>>    myLocalMachine COULD NOT LOGIN - returning to the login page without comment.
>>>>>>    webfaction FLASH RESPONSE - "Registration is pending approval"
>>>>>> 3. Inspecting myLocalMachine in Database Administration RESULT:
>>>>>>    a. all 5 of the users on webfaction are also on myLocalMachine
>>>>>>    b. all 5 of the users on myLocalMachine have passwords that begin with "pbkdf2(1000,20,sha512)$"
>>>>>> 4. On myLocalMachine in Database Administration,
>>>>>>    a. I click [ insert new auth_user ] and insert
>>>>>>       First name: local
>>>>>>       Last name: user
>>>>>>       E-mail: lo...@here.com
>>>>>>       Password: localuserpw
>>>>>>       Registration key: none
>>>>>>       Reset Password key: none
>>>>>>       Registration identifier: none
>>>>>>    b. RESULTS:
>>>>>>       1. flash response: new record inserted
>>>>>>       2. Password for lo...@here.com begins with "pbkdf2(1000,20,sha512)$" NOT "sha512" as in my original post.
>>>>>>       3. On myLocalMachine, when i try to login with { lo...@here.com, localuserpw} - COULD NOT LOGIN - it returned to the login page without comment.
>>>>>>
>>>>>> OK so I think I still need some help with "fix"ing CRYPT differences between Windows and Linux.
>>>>>>
>>>>>> Thanks in advance.
>>>>>>
>>>>>> Love and peace,
>>>>>>
>>>>>> Joe
>>>>>>
>>>>>> On Thursday, December 6, 2012 4:34:23 PM UTC-8, JoeCodeswell wrote:
>>>>>>>
>>>>>>> Dear Niphlod,
>>>>>>>
>>>>>>> Thanks for the reply.
>>>>>>>
>>>>>>>> appadmin.py ships with the application, so if you really copied the "controllers" folder you'd have the same file.
>>>>>>>
>>>>>>> Of course you are right. I only copied the files i [thought i] had changed. That's why i was surprised to find that appadmin.py.windows != appadmin.py.linux
>>>>>>>
>>>>>>>> BTW, pbkdf2 was introduced ~2 months ago
>>>>>>>
>>>>>>> I created myapp on the Linux [webfaction] machine yesterday. I tried to copy it to my Windows [home] machine today.
>>>>>>>
>>>>>>>> BTW2: if you copied an app that used the sha512 algo and tried to load it into a *newer* web2py release...
>>>>>>>
>>>>>>> I am trying to copy myapp FROM the Linux [webfaction] machine TO my Windows [home] machine. When I created myapp on the Linux machine, I created a myapp using the "New simple application create" function. I never [to my knowledge] altered anything related to CRYPT. So i believe the pbkdf2 algo was generated at app creation time on the Linux [webfaction] machine.
>>>>>>>
>>>>>>>> BTW3: to pass around an app just ...
>>>>>>>
>>>>>>> Thanks BIG TIME for this. I will try these suggestions.
>>>>>>>
>>>>>>>> BTW4: I seem to recall that very old python calculated hashes differently.
>>>>>>>
>>>>>>> I am using python 2.7 on BOTH the Windows and Linux machines.
>>>>>>>
>>>>>>> Thanks for the responses, Niphlod. I'll report back after trying BTW3.
>>>>>>>
>>>>>>> Thanks again, Niphlod.
>>>>>>>
>>>>>>> Love and peace,
>>>>>>>
>>>>>>> Joe
>>>>>>>
>>>>>>> On Thursday, December 6, 2012 12:19:40 PM UTC-8, Niphlod wrote:
>>>>>>>>
>>>>>>>> appadmin.py ships with the application, so if you really copied the "controllers" folder you'd have the same file.
>>>>>>>> BTW, pbkdf2 was introduced ~2 months ago.
>>>>>>>> BTW2: if you copied an app that used the sha512 algo and tried to load it into a *newer* web2py release, as soon as the user entered the password would be updated to the pbkdf2 algo (unless you were using some explicit IS_CRYPT() validator or the auth_key param on auth, I think).
>>>>>>>> BTW3: to pass around an app just log into admin and hit "create package" (or tar.gz the entire applications/myapp folder and load it locally with "upload package")
>>>>>>>> BTW4: I seem to recall that very old python calculated hashes differently. However, it would not be the case unless BTW2 (some fixed auth_key in auth instantiation or explicit IS_CRYPT() validator)
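As an added example (not web2py's code and not written by anyone in the thread), a small Python 3 verifier for the two stored-password shapes discussed above: the `pbkdf2(iterations,keylen,alg)$salt$hex` form in Joe's CSV export and the older `alg$salt$hex` form his first post mentioned. It shows which of the two depends on the hmac key from private/auth.key and that PBKDF2 via hashlib gives the same result on Windows and Linux. Assumptions: the pbkdf2 form is standard RFC 2898 PBKDF2-HMAC over the password and salt only, the older form is HMAC keyed with key + salt, and `make_hash`, `verify` and the sample record are mine.

```python
"""Verify web2py-style auth_user.password strings (illustrative, not gluon code).

Assumed formats:
    pbkdf2(<iterations>,<keylen>,<alg>)$<salt>$<hex>   # RFC 2898, key not involved
    <alg>$<salt>$<hex>                                  # HMAC(key + salt, password)
"""
import hashlib
import hmac


def make_hash(password: str, salt: str,
              scheme: str = "pbkdf2(1000,20,sha512)", key: str = "") -> str:
    """Return the stored-format string for `password` under `scheme`."""
    if scheme.startswith("pbkdf2("):
        iterations, keylen, alg = scheme[7:-1].split(",")
        digest = hashlib.pbkdf2_hmac(alg, password.encode(), salt.encode(),
                                     int(iterations), int(keylen)).hex()
    else:
        # Legacy key-dependent form (assumed): HMAC keyed with hmac_key + salt,
        # so a different private/auth.key yields a different digest.
        digest = hmac.new((key + salt).encode(), password.encode(), scheme).hexdigest()
    return f"{scheme}${salt}${digest}"


def verify(password: str, stored: str, key: str = "") -> bool:
    """Recompute from the parameters embedded in `stored`; constant-time compare."""
    scheme, salt, expected = stored.split("$", 2)
    candidate = make_hash(password, salt, scheme, key).rsplit("$", 1)[1]
    return hmac.compare_digest(candidate, expected)


# Constructed sample values (the salt and password are the ones Joe posted
# for his dummy approval-test user; the digest below is recomputed, not his).
SAMPLE_SALT = "a94f2bd3a071cfa8"   # 16 hex chars, as web2py takes from a uuid
SAMPLE_PW = "NewFish04pw"
THREAD_STORED = ("pbkdf2(1000,20,sha512)$a94f2bd3a071cfa8$"
                 "69e71be8683802edbb83dfc2cb97dfea97ab76c0")

if __name__ == "__main__":
    stored = make_hash(SAMPLE_PW, SAMPLE_SALT)
    print(stored, verify(SAMPLE_PW, stored))
    legacy = make_hash(SAMPLE_PW, SAMPLE_SALT, scheme="sha512", key="prod-key")
    print(verify(SAMPLE_PW, legacy, key="prod-key"),   # same key: verifies
          verify(SAMPLE_PW, legacy, key="dev-key"))    # different key: fails
```

Running `verify(SAMPLE_PW, THREAD_STORED)` against the record Joe published answers Massimo's open question directly: if it returns True, the pbkdf2 form is independent of auth.key and the login failure lies elsewhere.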