Consequent to the community's request in December 2012, the AFRINIC whois database will no longer display hashes of MD5 and CRYPT encrypted passwords in all mntner (whois database) objects.
Currently, majority of objects in the AFRINIC whois database are protected by and authenticate through a mechanism that uses clear text passwords encrypted with the md5 algorithm for authentication. There are two major concerns with this method:
AFRINIC has enabled a filter in the whois database such that whois queries do not display those hashes again. This mitigates the potential for anyone to run a simple script or program that will crack these passwords, as they are no longer visible.
There are basically two scenarios to consider:
The process to create a new mntner object remains completely unchanged. However, once created, modifying and deleting an existing mntner requires the object owner to have access to the md5 and/or CRYPT hash that was used to create the mntner in the first place if the modifications involve other attributes.
It is therefore important that the hash be kept by the object owner for future retrieval when updating existing mntner objects. Below are examples of mntner objects, showing the previously unfiltered hash in the top object, and the new format at the bottom object, showing the hashes filtered.
Below are examples of mntner objects, showing the previously unfiltered hash in the top object, and the new format at the bottom object, showing the hashes filtered.
To modify an existing mntner:
a) Query the AFRINIC whois database for your object, add the hash to the result and send it to the server for updating, as follows:
whois –h whois.afrinic.net –r –B ISP1-MNT
b) If the e-mail returned by the server indicates that the update failed, there is a possibility that the hash was wrong (in which case a syntax error will appear in the bounce) or the clear text password was not correct (this will be shown as an authentication error)
c) In case you cannot retrieve your md5 hash (but know your plain text password that was used to generate the hash), it is possible to simply re-generate a new hash of the same password.
Please browse to the "Tools" section of our website, select the CRYPT/MD5 Password Tool, enter your plain text password and click "Generate".
The generated hash can be copied and pasted into your mntner object and submitted for update as usual.
d) If your password is lost (irrespective of availability of the md5 hash), it is not possible to update the object. You must contact AFRINIC for the standard lost mntner password process, by simply mailing email@example.com with a request for a new password. Please note that:
In addition to MD5, the AFRINIC whois database supports PGP for authenticating whois database updates. In contrast to MD5, PGP provides stronger encryption techniques and guarantees that the signed update message was not tampered with. It is works by using a pair of keys generated by the user. The public key is uploaded to the whois database inside a key-cert object, and the user's email updates are signed using the private key on the user's device.
Since most whois database updates are submitted by e-mail, the only way to guarantee security is by using PGP, which AFRINIC strongly recommends to our members and the community.
This is because with the MD5 method, updates submitted by email are authenticated by the user inserting a clear text password in the e-mail body. Despite using technologies like SSL and TLS, AFRINIC has no control over all the stages that an e-mail goes through before final delivery to our whois server.
The whois database supports use of multiple authorization mechanisms in one mntner object. If an object is protected with a mntner that contains multiple md5 passwords and PGP keys, any one of the correct passwords or PGP-signed emails will authenticate. The mntner object captured below contains two "auth" attributes for both md5 and PGP authentication mechanisms. Either of the attributes can be used to authorize updates.
descr: Maintainer Toto telecom
auth: MD5-PW $1$09nxAH88$ZaDWuXGdly2boQi69atbN.
Because some one can crack it using any computer or even smartphone. Hiding it provides a deterrent from crackers trying all sorts of things on your hash.
No. You must replace the "FILTERED" string in the auth attribute with the actual encrypted hash otherwise the update will fail.
If you remember the plain text password instead, please use our online md5 encrypted password generator. A different hash of the same password will be generated which can be used to update (but not delete) the object
By using our online encrypted password generator. Please note the hash will always be different, as it's generated based on a timestamp.
You can use PGP, which involves using a pair of keys. More information about using PGP with the AFRINIC whois database can be found here.
Please use the online md5 hash generator to create a hash of your new password, and submit that hash to firstname.lastname@example.org. You must be the authorized contact for your company.
Yes. All you need is to submit those assignments along with a clear text password to the whois database. You can even use MYAFRINIC for that.
Yes. All other objects as well as whois database update procedures remain unchanged. Only mntner objects are affected, in that you need to have that hash handy whenever you must edit your mntner (which is not very common).
Having generated your PGP key-pairs, export your public key into the whois database using a key-cert object. Then sign all your database updates using your private key. Please look here for more information.
Yes. Either of the authenticated mechanisms will work if specified in a given mntner object.
Please mail email@example.com for any assistance with the AFRINIC whois database or call +230 403 5104. You can also use Skype to call us for free on regular Skype user "skype2afrinic".