Interesting...A third machine produces the same value as my
development machine. It looks like Dreamhost has something whacky
with their python install. Oh well, it's my problem now! Thanks for
helping me track it down.
On Aug 23, 6:59 pm, "mr.freeze" <nat...@freezable.com> wrote:
> Yes, varchar(128). Here's the output of that command on both servers
> from the terminal:
>
> Production:>>> import hmac
> >>> import hashlib
> >>> d= hmac.new('mykey','mypass',hashlib.sha512)
> >>> d.hexdigest()
>
> '485c79d8330897e613847f64333a0ccebd705b1902c4c4872cb1b7cc9ad856eb00e70dd11474b39282699a453dead6d86d6f482992778bb9166d9c920f9fa694'
>
> Development:>>> import hmac
> >>> import hashlib
> >>> d = hmac.new('mykey','mypass',hashlib.sha512)
> >>> d.hexdigest()
>
> '46fb33cd6220b470d7fecb3dfb547fb2501517ca9695f8527895d1a4a1e515c0a05c8c1f15bd6f0439848717af00bdde902b50be454dd81878a9fce362b2e501'
>
> They're supposed to be the same, right? Or am I misunderstanding how
> this works.
>
> On Aug 23, 6:34 pm, mdipierro <mdipie...@cs.depaul.edu> wrote:
>
> > I cannot reproduce any machine dependence. I tried:
>
> > hmac.new('mykey','something',hashlib.sha512).hexdigest()
>
> > How long is your password field. Is it 128 bytes?
>
> > Massimo
>
> > On Aug 23, 5:57 pm, "mr.freeze" <nat...@freezable.com> wrote:
>
> > > I have a strange situation and I know virtually nothing about
> > > cryptography. I am passing a key to my auth password requires
> > > statement after the recent discussion on security strength like so:
>
> > > if "login" in request.args:
> > > t.password.requires = [CRYPT(key='mykey')]
> > > else:
> > > t.password.requires = [IS_STRONG(upper=1,number=1,special=1),CRYPT
> > > (key='mykey')]
>
> > > Here's the weird part: I have a dev server and a production server
> > > that are both running web2py and pointed to the same MySQL database.
> > > If I reset a user password from the dev server (retrieve_password), I
> > > can only log in from the dev server after that. The same is true for
> > > the production machine. Resetting from the production server reverses
> > > the situation.
>
> > > I have stepped through the code and verified that at line 779 in
> > > tools.py user[passfield] is indeed different than form.vars.get
> > > (passfield, '') (both look like valid password hashes) so user = None,
> > > and thus login fails.
>
> > > All I can figure is that the encryption is bound to the machine that
> > > generated the password hash. I'm using the same version of Python and
> > > web2py. Can someone verify or explain?
>
> > > As always, thanks for your help.
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"web2py-users" group.
To post to this group, send email to web2py@googlegroups.com
To unsubscribe from this group, send email to
web2py+unsubscr...@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/web2py?hl=en
-~----------~----~----~----~------~----~------~--~---
