Dear Massimo,
Thanks for the reply.
I just did a diff between the webfaction private/auth.key file and the
localWindowsMachine private/auth.key file.
RESULT: *Files Match*.
History::
*Local Windows Machine*
In response to Niphlod's BTW3 suggestion, which he made on Dec 6 in this
thread, to copy FROM webfaction TO my local windows machine I:
1. on webfaction used "create package"
2. on localWindowsMachine used "upload package"
You can see the details in my response to Niphlod, made on Dec 8 in this
thread, starting with "Hi Niphlod, Here is my report on your suggestion:".
*Local Ubuntu Machine*
ALSO, i used the "create package"/"upload package" technique FROM
webfaction TO my local Ubuntu Machine. It DID NOT WORK. Please see my Dec 8
post, starting with: "Dear web2py folks, I also have a local ubuntu ...".
So, to me, there still seems to be a problem.
Thanks for your kelp, Massimo.
Love and peace,
Joe
On Monday, December 10, 2012 4:28:50 PM UTC-8, Massimo Di Pierro wrote:
>
> You should not publish your key.
>
> What I am saying is that as online as your key is the same used to create
> the hashes, the CRYPT validators should do the right job.
>
> If you want your dev app and production to share data, they must share the
> same key.
>
> Another option is not using the key at all. The web web2py salts all
> passwords. The global key adds an extra layer of security but it is no
> longer as important as it used to be when salting was not done. In fact the
> new welcome no longer creates auth.key.
>
> This makes it easier sharing salted passwords between different
> installations of web2py apps.
>
>
> On Monday, 10 December 2012 13:26:55 UTC-6, JoeCodeswell wrote:
>>
>> Thanks for the response, Massimo.
>>
>> I have the auth.key. However, I am a bit concerned about publishing it
>> here since I have potential clients that are looking at myapp on webfaction
>> right now. I am concerned about what i have already published. What do you
>> suggest I do?
>>
>> Thanks in advance.
>>
>> Love and peace,
>>
>> Joe
>>
>> On Saturday, December 8, 2012 2:41:52 PM UTC-8, Massimo Di Pierro wrote:
>>>
>>> The fact is that
>>>
>>> >>>
>>> CRYPT()('NewFish04pw')=="pbkdf2(1000,20,sha512)$a94f2bd3a071cfa8$69e71be8683802edbb83dfc2cb97dfea97ab76c0"
>>> False
>>>
>>> because the stored hashed password depends on the salt but also on the
>>> key stores in private/auth.key and I do not know what that is.
>>>
>>> On Saturday, 8 December 2012 14:26:25 UTC-6, JoeCodeswell wrote:
>>>>
>>>> Sure, Niphlod. I didn't see your post before i posted my comment about
>>>> my local ubuntu machine which seems to behave like my local windows
>>>> machine.
>>>>
>>>> 1. can we see how auth is istantiated in your app ?
>>>>
>>>> In db.py
>>>> from gluon.tools import Auth, Crud, Service, PluginManager, prettydate
>>>> auth = Auth(db, hmac_key=Auth.get_or_create_key())
>>>>
>>>> 2. can you pass us the database (or just one of the auth_user records
>>>> along with the "unencrypted password")
>>>>
>>>> Here's part of the csv export from webfaction. This is the entry that
>>>> is awaiting approval. I have no problem giving this out because it is a
>>>> dummy that i created to test approval.
>>>>
>>>> auth_user.id
>>>> ,auth_user.first_name,auth_user.last_name,auth_user.email,auth_user.password,auth_user.registration_key,auth_user.reset_password_key,auth_user.registration_id
>>>> 5,New,Person,new...@fowl.com
>>>> ,"pbkdf2(1000,20,sha512)$a94f2bd3a071cfa8$69e71be8683802edbb83dfc2cb97dfea97ab76c0",pending,,
>>>>
>>>> Here's the unencrypted pw: NewFish04pw
>>>>
>>>> Thanks for the help, Niphlod.
>>>>
>>>> Love and peace,
>>>>
>>>> Joe
>>>>
>>>>
>>>> On Saturday, December 8, 2012 11:54:09 AM UTC-8, Niphlod wrote:
>>>>>
>>>>> Thanks Joe...
>>>>> 1. can we see how auth is istantiated in your app ?
>>>>> 2. can you pass us the database (or just one of the auth_user records
>>>>> along with the "unencrypted password")
>>>>>
>>>>> With those, we could easily reproduce the behaviour (i.e. trying to
>>>>> login in the app with the password with exactly your auth_user records)
>>>>> and
>>>>> see what is going on....
>>>>>
>>>>> On Saturday, December 8, 2012 8:18:58 PM UTC+1, JoeCodeswell wrote:
>>>>>>
>>>>>> Hi Niphlod,
>>>>>>
>>>>>> Here is my report on your suggestion:
>>>>>>
>>>>>>> BTW3: to pass around an app just log into admin and hit "create
>>>>>>> package" (or tar.gz the entire applications/myapp folder and load it
>>>>>>> locally with "upload package")
>>>>>>
>>>>>> On webfaction-web2py-admin:
>>>>>> for myapp clicked the "Pack all" button & downloaded
>>>>>> "web2py.app.myapp.w2p" to myLocalMachine
>>>>>> On myLocalMachine in web2py-admin :
>>>>>>
>>>>>> 1. deleted myapp
>>>>>> 2. in Upload and install packed application:
>>>>>> 1. Application name: myapp
>>>>>> 2. Upload a package: path-to/ web2py.app.myapp.w2p
>>>>>> 3. Or Get from URL: <LEFT BLANK>
>>>>>> 4. [ ] Overwrite installed app # left this checkbox
>>>>>> UNCHECKED
>>>>>> 5. Clicked "Install"
>>>>>> 6. Flash said: application myapp installed with md5sum:
>>>>>> 7632e93e985802371a0071a4daca49c7
>>>>>>
>>>>>> TO TEST
>>>>>> 1. Tried logging in with all 4 {email, pw} sets that work on
>>>>>> webfaction: RESULT:
>>>>>> myLocalMachine COULD NOT LOGIN - returning to the login page
>>>>>> without comment.
>>>>>> webfaction LOGINS JUST FINE
>>>>>> 2. There is one user on webfaction waiting registration approval.
>>>>>> Testing that {email,pw} RESULT
>>>>>> myLocalMachine COULD NOT LOGIN - returning to the login page
>>>>>> without comment.
>>>>>> webfaction FLASH RESPONSE - "Registration is pending
>>>>>> approval"
>>>>>> 3. Inspecting myLocalMachine in Database Administration RESULT:
>>>>>> a. all 5 of the users on webfaction are also on myLocalMachine
>>>>>> b. all 5 of the users on myLocalMachine have passwords that begin
>>>>>> with "pbkdf2(1000,20,sha512)$"
>>>>>> 4. On myLocalMachine in Database Administration,
>>>>>> a. I click [ insert new auth_user ] and insert
>>>>>> First name: local
>>>>>> Last name: user
>>>>>> E-mail: lo...@here.com
>>>>>> Password: localuserpw
>>>>>> Registration key: none
>>>>>> Reset Password key: none
>>>>>> Registration identifier: none
>>>>>> b. RESULTS:
>>>>>> 1. flash response: new record inserted
>>>>>> 2. Password for lo...@here.com begins with
>>>>>> "pbkdf2(1000,20,sha512)$" NOT "sha512" as in my original post.
>>>>>> 3. On myLocalMachine, when i try to login with {
>>>>>> lo...@here.com, localuserpw} - COULD NOT LOGIN
>>>>>> - it returned to the login page without comment.
>>>>>>
>>>>>> OK so I think I still need some help with "fix"ing CRYPT differences
>>>>>> between Windows and Linux.
>>>>>>
>>>>>> Thanks in advance.
>>>>>>
>>>>>> Love and peace,
>>>>>>
>>>>>> Joe
>>>>>>
>>>>>> On Thursday, December 6, 2012 4:34:23 PM UTC-8, JoeCodeswell wrote:
>>>>>>>
>>>>>>> Dear Niphlod,
>>>>>>>
>>>>>>> Thanks for the reply.
>>>>>>>
>>>>>>> appadmin.py ships with the application, so if you really copied the
>>>>>>>> "controllers" folder you'd have the same file.
>>>>>>>
>>>>>>> Of course you are right. I only copied the files i [thought i] had
>>>>>>> changed. That's why i was surprised to find that
>>>>>>> appadmin.py.windows != appadmin.py.linux
>>>>>>>
>>>>>>> BTW, pbkdf2 was introduced ~2 months ago
>>>>>>>>
>>>>>>> I created myapp on the Linux [webfaction] machine yesterday. I tried
>>>>>>> to copy it to my Windows [home] machine today.
>>>>>>>
>>>>>>> BTW2: if you copied an app that used the sha512 algo an tried to
>>>>>>>> load it into a *newer* web2py release...
>>>>>>>
>>>>>>> I am trying to copy myapp FROM the Linux [webfaction] machine TO my
>>>>>>> Windows [home] machine. When I created myapp on the Linux machine, I
>>>>>>> created a myapp using the "New simple application create" function. I
>>>>>>> never
>>>>>>> [to my knowledge] altered anything related to CRYPT. So i believe the
>>>>>>> pbkdf2 algo was generated at app creation time on the Linux
>>>>>>> [webfaction]
>>>>>>> machine.
>>>>>>>
>>>>>>> BTW3: to pass around an app just ...
>>>>>>>
>>>>>>> Thanks BIG TIME for this. I will try these suggestions.
>>>>>>>
>>>>>>> BTW4: I seem to recall that very old python calculated hashes
>>>>>>>> differently.
>>>>>>>
>>>>>>> I am using python 2.7 on BOTH the Windows and Linux machines.
>>>>>>>
>>>>>>> Thanks for the responses, Niphlod. I'll report back after trying
>>>>>>> BTW3.
>>>>>>>
>>>>>>> Thanks again, Niphlod.
>>>>>>>
>>>>>>> Love and peace,
>>>>>>>
>>>>>>> Joe
>>>>>>>
>>>>>>>
>>>>>>> On Thursday, December 6, 2012 12:19:40 PM UTC-8, Niphlod wrote:
>>>>>>>>
>>>>>>>> appadmin.py ships with the application, so if you really copied the
>>>>>>>> "controllers" folder you'd have the same file.
>>>>>>>> BTW, pbkdf2 was introduced ~2 months ago.
>>>>>>>> BTW2: if you copied an app that used the sha512 algo an tried to
>>>>>>>> load it into a *newer* web2py release, as soon as the user entered
>>>>>>>> the password would be updated to the pbkdf2 algo (unless you were
>>>>>>>> using
>>>>>>>> some explicit IS_CRYPT() validator or the auth_key param on auth, I
>>>>>>>> think).
>>>>>>>> BTW3: to pass around an app just log into admin and hit "create
>>>>>>>> package" (or tar.gz the entire applications/myapp folder and load it
>>>>>>>> locally with "upload package")
>>>>>>>> BTW4: I seem to recall that very old python calculated hashes
>>>>>>>> differently. However, it would not be the case unless BTW2 (some fixed
>>>>>>>> auth_key in auth instantiation or explicit IS_CRYPT() validator)
>>>>>>>>
>>>>>>>>
--
