Weekend coding

Comments

  • I'm not looking to compare an entered password to a saved one, just saving the one a server requires a client to enter, the secure login is already set up (it's an ssh server with password authentication). I just don't want users to have to enter the password every time they want to start the server.
    SSH? Easy, set up SSH key pairs between the two machines: http://www.ece.uci.edu/~chou/ssh-key.html

    If you can't set up SSH key-based authentication on the server, well, yeah, you may be effed.
  • I did a bit of research and used AES encryption.
  • edited May 2013
    I did a bit of research and used AES encryption.
    Interesting choice, but how are you generating the AES keys such that you're using the correct one when you need to retrieve the password?
    Post edited by Linkigi(Link-ee-jee) on
  • I did a bit of research and used AES encryption.
    Interesting choice, but how are you generating the AES keys such that you're using the correct one when you need to retrieve the password?
    http://stackoverflow.com/questions/7014953/i-need-to-securely-store-a-username-and-password-in-python-what-are-my-options Answer #5

  • edited May 2013
    I did a bit of research and used AES encryption.
    Not sure if you're in this boat, but just a heads up - generally you don't want to roll your own security. There's mathematicians whose whole job is to get this stuff right. And even then they don't always get it right.
    Post edited by Starfox on
  • edited May 2013
    That's what the AES block cipher is there for - as long as you're using a sufficiently unpredictable key and a well-tested algorithm for the calculations, it's not that feasible to break.

    That's why the code is using the existing libraries for pretty much everything. It's generating a salt value unique to each password you store and then doing AES on that password with the salt as the AES key. The salt generation itself also goes through AES, so you can only figure out the salt if you know its seed value and the "key" to locate the password in the database.

    What you get is two files, a table of contents and the database itself, full of unique AES hashes where decrypting the hash requires both knowing the seed value (stored in the script) and the database key (stored in the table of contents).

    It's not particularly secure in that anybody who can read both files and the script can do it themselves, but it prevents a casual onlooker/someone without system access from breaking it easily. The use of a pseudorandom salt for each password effectively prevents the only reasonable method of breaking through AES encryption itself, i.e. lots of computing power + rainbow tables.
    Post edited by Linkigi(Link-ee-jee) on
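
The layout described in the post above (a seed in the script, a per-entry salt in the table of contents, the encrypted entry in the database), as an added example that is not part of the thread and is not the code from the linked Stack Overflow answer. Assumptions: PBKDF2 for key derivation and an HMAC-SHA256 keystream stand in for the AES calls so the block runs on the standard library alone, and all names and sample values are constructed.

```python
import hashlib
import hmac
import secrets

# Constructed value; plays the role of the seed the post says is stored in the script.
SEED = b"constructed-seed-embedded-in-the-script"

def derive_key(seed: bytes, salt: bytes) -> bytes:
    """Per-entry 256-bit key from the script's seed and the entry's salt."""
    return hashlib.pbkdf2_hmac("sha256", seed, salt, 100_000)

def _stream(key: bytes, n: int) -> bytes:
    """HMAC-SHA256 counter keystream: a stdlib stand-in for AES, not AES itself."""
    blocks = (n + 31) // 32
    return b"".join(
        hmac.new(key, b"enc" + i.to_bytes(4, "big"), hashlib.sha256).digest()
        for i in range(blocks)
    )[:n]

def _tag(key: bytes, ct: bytes) -> bytes:
    """Integrity tag so a wrong seed or salt is detected instead of yielding garbage."""
    return hmac.new(key, b"mac" + ct, hashlib.sha256).digest()

def seal(seed: bytes, password: bytes):
    """Return (salt, blob): salt goes in the table of contents, blob in the database."""
    salt = secrets.token_bytes(16)  # unique per stored password
    key = derive_key(seed, salt)
    ct = bytes(p ^ k for p, k in zip(password, _stream(key, len(password))))
    return salt, ct + _tag(key, ct)

def unseal(seed: bytes, salt: bytes, blob: bytes) -> bytes:
    """Recover the password; needs only the seed, the salt and the blob."""
    key = derive_key(seed, salt)
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, _tag(key, ct)):
        raise ValueError("wrong seed or salt, or entry was modified")
    return bytes(c ^ k for c, k in zip(ct, _stream(key, len(ct))))

if __name__ == "__main__":
    toc, db = {}, {}
    toc["server"], db["server"] = seal(SEED, b"constructed-password")
    # Anyone who can read the script (seed) and both files gets the plaintext back.
    print(unseal(SEED, toc["server"], db["server"]))
```

The same password sealed twice produces different database entries because each gets its own salt, yet every entry opens for whoever holds the seed and both files, which is the limit the post itself states.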
  • edited May 2013
    I did a bit of research and used AES encryption.
    Not sure if you're in this boat, but just a heads up - generally you don't want to roll your own security. There's mathematicians whose whole job is to get this stuff right. And even then they don't always get it right.
    I didn't roll my own security, I used the standard of AES security.
    Post edited by Pegu on
  • Yeah, as my long post just said, the encryption itself is good.

    There are a hundred ways to attack it, still, but those aren't through the encryption. They consist mostly of getting admin access and reading the files, or if you're good you can swipe values out of RAM while the program is running (make sure you overwrite all variables with 0s/nonsense after using them if you care about that).
  • edited May 2013
    That's what the AES block cipher is there for - as long as you're using a sufficiently unpredictable key and a well-tested algorithm for the calculations, it's not that feasible to break.
    Yeah, I know about it. The one caveat, as you say:
    It's not particularly secure in that anybody who can read both files and the script can do it themselves
    But if they have that level of access, you're screwed already.
    I didn't roll my own security, I used the standard of AES security.
    Sure, but keep in mind just because something uses AES doesn't mean it's totally secure. Only as strong as the weakest link, an infinitude of insecure ways to write something and all that.

    That said, I don't know your situation or expertise level, so you may know much better than anyone here what you're doing. ^_~
    Post edited by Starfox on
  • Can anyone help with my stackoverflow question? It hasn't gotten much attention.
  • What about this one?
  • If I build something in Ubuntu, what is it compatible with? Debian distros? I'm building with PyInstaller if it makes a difference.
  • edited June 2013
    The compiler spits out the binaries which need to be copied to folders such as bin to execute. Debian package files are a way of automating this.

    Really, any binary can run from anywhere, but organizing things makes it easier to manage.
    Post edited by Omnutia on
  • Alright, so I'll make some Debian package files. Will the binaries be compatible with systems other than Debian if I leave them alone?
  • Kinda, but only if they're designed to all run from one folder.
    The usual method is to make the packages you want and also provide the source code for people to compile it themselves.
  • It's designed to run from a single folder. I'd like to refrain from giving away the source, partly because it's the server for an app I'd like to sell, and partly because I don't want people breaking the encryption by getting the salt.
  • Ah, then it's on you to get the packages built. There are tutorials out there on getting the folder structure right and automating the packaging.
  • edited June 2013
    Considering I haven't built an installer for Windows, I'm not sure I should bother creating a package for Debian.
    Post edited by Pegu on
  • I don't have an rpm.
  • If you make a deb it will go the other way too.
  • I've decided not to bother. Didn't make an installer for Windows.
  • For the manyth time, I'm yet again trying to work out how to easily install Python modules or packages. I have failed to get this working smoothly in the past, and never understand what I've done right or wrong when something eventually works.

    Unfortunately I've never managed to find a single explanation of what is going on, or a simple way to make stuff happen each time. I don't know where to put folders or modules, I don't know what to type at the prompt, I don't know what to click on.

    Even tools which are designed to make this process easy presume I have a basic knowledge of what I'm doing. I really don't. For example:

    "Since pip depends on setuptools, you’ll need to install that first. I’ve written a small (experimental) script to make this easier — just download getpip.py and run it in the Python interpreter. (On Mac OS or Linux, you may need to run it as ‘sudo python getpip.py’.) This will install (or upgrade) setuptools, then use easy_install to install pip.

    When that’s done, you can verify that pip is installed by running:

    pip help

    If it works, you’re done. Wasn’t that easy?"

    No it wasn't! Where do I type "pip help"? At the bash prompt? In the python interpreter? Turns out both return errors.

    "If it didn’t work, you should try installing setuptools by following the detailed installation instructions. "

    So I try to follow those instructions:

    "Download ez_setup.py and run it using the target Python version."

    Fuck you! I'm trying to make downloading modules and packages easier because I'm obviously having problems with setting stuff up! A python extension isn't working on my mac due to 32bit vs 64bit issues, and I'm out of my depth! My problem is that I don't know what the target version is!

    "I highly recommend that you start using virtualenv, if you don’t already."

    So I look at virtualenv:

    "To install globally with pip (if you have pip-1.3 or greater installed globally):

    $ [sudo] pip install virtualenv"

    Fuuuuuuuuuuck!

    Is there some magical pill programmers take that makes them magically know how to install stuff? Because I've not found a single how-to guide which explains how to install anything, only tools that make it easier, and EVERY SINGLE SETUP GUIDE presumes I already know how to do the thing I can't do which their tool makes easier.

    Why can't anyone just write a guide which presumes I don't know anything? All I want to do is sort a list with ä and ü and ö turning up in the right place... why should it hurt my brain so much?
  • Luke, I made a series of YouTube videos that explains the whole thing. They're a little old, but they shouldn't be so out of date as to be incorrect. I don't have time right now to watch them and verify.



    If that doesn't help you, I can give you a lesson via Hangout or something.
  • You see, 44 seconds into that video I hit the first problem. I type "aptitude search django" and, because I'm on a mac, I get command not found. I don't know why that is wrong, or if it has to do with me being on mac OSX, or if I'm not at the right prompt, or if I'm not the right user.

    It's like this every time. There's a crucial bit of knowledge which, because I don't know it, or even know if it's possible for me to know it, that fucks me up. And it's different each time. I then spend 30 minutes searching on google, I don't find an answer, and after that I'm still only 44 seconds into a 5 part webcast.

    Maybe a lesson would be the easiest thing, as I'm sure my questions are super simple, I just don't know what to ask.
  • OOOOH. You're on a Mac. Now you know why I use Linux for all software development.

    Do you have homebrew installed?

    http://mxcl.github.io/homebrew/
  • You see, installing that just worked. Over the many attempts over many years, that's the first time I've ever seen a page that said "Paste that at a Terminal prompt" and, when I did, it actually worked. First time ever.

    So yes, I guess I now do have homebrew installed. However, I've no idea if I was meant to install it as a user (lukeburrage) or not. I have a feeling not knowing this will bite me in the ass later.
  • edited July 2013
    You see, installing that just worked. Over the many attempts over many years, that's the first time I've ever seen a page that said "Paste that at a Terminal prompt" and, when I did, it actually worked. First time ever.

    So yes, I guess I now do have homebrew installed. However, I've no idea if I was meant to install it as a user (lukeburrage) or not. I have a feeling not knowing this will bite me in the ass later.
    I'm pretty sure you are supposed to install homebrew as a user, and not as root. Not 100% sure because I don't program on a Mac. Now you can start to see why. I'm constantly mystified as to how I see mostly Macs at tech conferences.

    I'm home all day today if you want to hangout or screenshare or something.
    Post edited by Apreche on
  • It's a catch 222222 situation.

    Every solution to a sticky problem assumes I have knowledge in or of one area. I google that, and all I find are solutions that assume I have knowledge in or of the very area I'm stuck with in the first place.

    Sometimes it's as simple as that, but often there are more steps along the way. I understand step 2, 3, 4, and 5, but step 6 assumes I already understand step 1.

    Or it assumes I'm on linux. Or it assumes I already have other packages installed. Or it assumes one other key piece, and that piece is, invariably, the thing I'm stuck with in the first place.
  • For example, I understand everything in that first video of yours, except the same commands don't work. And, of course, the problem has to do with mac, and all solutions will assume I can already do what it is I'm having problems with already.