Hi,
on the second try i found out that the way to avoid the need for pip
is package "python-bcrypt". I asked the wrong question to apt-file
on the first try.
Thanks to python's help("bcrypt") i can also avoid passlib:
$ python
>>> import bcrypt
>>> bcrypt.gensalt(16)
'$2b$16$joRzQDFBqWzio.8tjWzJaO'
>>> bcrypt.hashpw("ElmerFudpecker",'$2b$16$joRzQDFBqWzio.8tjWzJaO')
'$2b$16$joRzQDFBqWzio.8tjWzJaOdnF5Wha3xW/WDIJQEsI59mvvBZr5lMe'
>>> bcrypt.hashpw("ElmerFudpecker",'$2b$16$joRzQDFBqWzio.8tjWzJaO')
'$2b$16$joRzQDFBqWzio.8tjWzJaOdnF5Wha3xW/WDIJQEsI59mvvBZr5lMe'
The speed on real iron is quite the same: 3.6 seconds with cost 16.
But i get a different salt type than on Sid and cannot use the one from Sid.
>>> bcrypt.hashpw("ElmerFudpecker",'$2b$16$joRzQDFBqWzio.8tjWzJaO')
...
ValueError: Invalid salt
>>> bcrypt.gensalt(16)
'$2a$16$TO/1Wc6L2wC8SgJpgQEV9e'
>>> bcrypt.hashpw("ElmerFudpecker",'$2a$16$TO/1Wc6L2wC8SgJpgQEV9e')
'$2a$16$TO/1Wc6L2wC8SgJpgQEV9eYsyzF0Gp8iiq/DpEuxGhRExoRf3hyqG'
Note the "$2a$" instead of "$2b$".
To my luck, Sid's bcrypt accepts the Jessie salt and produces the same hash
as Jessie's bcrypt.
So one will not have to change all remote passwords when upgrading bcrypt.
"$2a$" seems to be deprecated according to:
http://passlib.readthedocs.io/en/stable/lib/passlib.hash.bcrypt.html
"some implementations suffered from rare security flaws, replaced by 2b."
Nevertheless. How to avoid python ?
Have a nice day :)
Thomas
