Updating maintainer objects with filtered auth lines
I just had a very specific experience but this is a general problem.

What I wanted to do was update a maintainer object in the database. No problems since I was authorized via a PGP key. The problem was that one of the lines looked like:

auth: MD5-PW # Filtered

And although I have no personal use for the md5 hash I did not want to disturb users who might have. I asked the NCC for advice and the answers were like "if you have an access account" (yes) you can add a line "auth: SSO xxxx@xxxx.xx" (yes). Still not a solution to my problem since adding the SSO line would just break the md5 anyway.

The solution this time was that I eventually found a local copy of the object with the md5 hash unfiltered.

I know the md5 hashes are a security problem and I do not recommend anyone using them but as long as they are there the filtering causes trouble. And by the way, we now see a lot of

auth: SSO # Filtered

What I am looking for is a way to retrieve the whole unfiltered object for anyone authorized, or, at least, a possibility to update the object without touching the filtered lines.

Maybe you could send a PGP signed request, not for updating but just for viewing the complete object?

Best Regards,

Daniel Stolpe

_________________________________________________________________________________
Daniel Stolpe Tel: 08 - 688 11 81 stolpe@resilans.se
Resilans AB Fax: 08 - 55 00 21 63 http://www.resilans.se/
Box 45 094 556741-1193
104 30 Stockholm
Hi Daniel,

if you know the password or authenticate with the SSO, you can find the full object in webupdates: https://apps.db.ripe.net/webupdates/enter-password.html

cheers,
elvis
Hi Elvis,

Yes I know. But in this case I did not know the password. Maybe that is an anomaly but we see it now and then, usually when there are more than one party "sharing" a maintainer.

One could argue that if you hire external people to maintain your RIPE data you should add their maintainer but that means a whole lot of updating. It is much easier to add an extra auth line to the current maintainer.

Cheers,
Daniel
On Thu, Aug 20, 2015 at 01:43:01PM +0200, Daniel Stolpe wrote:
> Maybe you could send a PGP signed request, not for updating but just for viewing the complete object?

Side note: Or PGP signed kind-of-diff?

Piotr
--
gucio -> Piotr Strzyżewski
E-mail: Piotr.Strzyzewski@polsl.pl
On Thu, 20 Aug 2015, Piotr Strzyzewski wrote:
> On Thu, Aug 20, 2015 at 01:43:01PM +0200, Daniel Stolpe wrote:
>> Maybe you could send a PGP signed request, not for updating but just for viewing the complete object?
>
> Side note: Or PGP signed kind-of-diff?

Yeah. I am very open for suggestions. :-)

Cheers,
Daniel
Hi,

On Thu, Aug 20, 2015 at 01:43:01PM +0200, Daniel Stolpe wrote:
> What I am looking for is a way to retrieve the whole unfiltered object for anyone authorized, or, at least, a possibility to update the object without touching the filtered lines.

Yes, that would be useful. I can see that from a pure database religion p.o.v. this would be "a hack", but from a *user* perspective, it would certainly be a win :-)

> Maybe you could send a PGP signed request, not for updating but just for viewing the complete object?

This would work for me... ("send the full object encrypted with *this* key to me" - after all, you already proved possession of the key in question)

Gert Doering
-- NetMaster
--
have you enabled IPv6 on something today...?

SpaceNet AG Vorstand: Sebastian v. Bomhard
Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444 USt-IdNr.: DE813185279
Hi Daniel

Maybe I can bounce this back at you in the form of another question...who does this password belong to that you don't want to disturb? It sounds like you don't know who has access to this data.

This has been one of the issues with the MNTNER object since its inception. It is a bucket full of anonymous security tokens. Personalised auth won't help much with this until all auth is moved into PERSON objects.

cheers
denis
Hi Denis,

I know it might sound odd but I do know perfectly well who this password belongs to.

The typical case when this happens is when an organization has an LIR, they have no idea what it is all about and the only auth is a password. Then they find that there are other organizations out there able to help them. They hire one of these to do registry stuff for them, and then they are told to add a couple of PGP keys into the mnt object.

As stated somewhere earlier you could of course go for adding another "mnt-by" everywhere, but that means a lot of updating, compared to just adding a few more auth lines into the current mnt object.

Cheers,
Daniel
On Aug 21, denis <ripedenis@yahoo.co.uk> wrote:
> Maybe I can bounce this back at you in the form of another question...who does this password belong to that you don't want to disturb? It sounds like you don't know who has access to this data.

Shared mntner objects: we had the same issue (and no good solution) with the ones used to protect the 6to4 and Teredo objects.

But I recently experienced this also with a company mntner: I do not know and I am not supposed to know the password used by my colleagues, but I also did not have around a local copy of the object (which looks like a bad idea to me, since it could easily get out of sync with the one in the database).

A simple (at least for the end users...) solution would be to allow retrieving the unfiltered objects with PGP-authenticated emails.

--
ciao,
Marco
On Fri, 21 Aug 2015, Marco d'Itri wrote:
> On Aug 21, denis <ripedenis@yahoo.co.uk> wrote:
>> Maybe I can bounce this back at you in the form of another question...who does this password belong to that you don't want to disturb? It sounds like you don't know who has access to this data.
>
> Shared mntner objects: we had the same issue (and no good solution) with the ones used to protect the 6to4 and Teredo objects.
>
> But I recently experienced this also with a company mntner: I do not know and I am not supposed to know the password used by my colleagues, but I also did not have around a local copy of the object (which looks like a bad idea to me, since it could easily get out of sync with the one in the database).
>
> A simple (at least for the end users...) solution would be to allow retrieving the unfiltered objects with PGP-authenticated emails.

I totally agree.

Cheers,
Daniel
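An added example, not part of any message in this thread and not RIPE NCC code: the workaround described above is to base an update on a local unfiltered copy, which Marco notes can drift from the database. This Python check compares such a copy with the filtered database output before it is used; the object contents, `EXAMPLE-MNT` and the function names are constructed for illustration, and one attribute per line is assumed.

```python
import re

# Trailing marker the database puts on attributes whose value it withholds.
FILTERED = re.compile(r"\s*#\s*Filtered\s*$", re.IGNORECASE)

def parse(text):
    """Split one RPSL object into (attribute, value, was_filtered) tuples."""
    attrs = []
    for line in text.strip().splitlines():
        key, _, value = line.partition(":")
        attrs.append((key.strip().lower(),
                      FILTERED.sub("", value).strip(),
                      bool(FILTERED.search(value))))
    return attrs

def shape(attrs):
    """Comparable form: an auth line is reduced to its first token (MD5-PW,
    SSO, PGPKEY-...), so withheld secrets never decide equality."""
    out = []
    for key, value, _ in attrs:
        if key == "auth" and value:
            value = value.split()[0].upper()
        out.append((key, value))
    return out

def check_update_base(filtered_db_text, local_text):
    """Return a list of reasons the local copy must not be submitted."""
    db, local = parse(filtered_db_text), parse(local_text)
    problems = []
    if any(was_filtered for _, _, was_filtered in local):
        problems.append("local copy still contains filtered lines")
    if shape(db) != shape(local):
        problems.append("local copy is out of sync with the database object")
    return problems

# Constructed sample data; the hash below is a placeholder, not a real one.
DB_FILTERED = """\
mntner:  EXAMPLE-MNT
upd-to:  noc@example.net
auth:    MD5-PW # Filtered
auth:    SSO # Filtered
auth:    PGPKEY-0A1B2C3D
mnt-by:  EXAMPLE-MNT
source:  TEST # Filtered
"""
LOCAL_OK = (DB_FILTERED
            .replace("MD5-PW # Filtered", "MD5-PW $1$CONSTRUC$placeholderplaceholder00")
            .replace("SSO # Filtered", "SSO user@example.net")
            .replace("TEST # Filtered", "TEST"))
LOCAL_STALE = LOCAL_OK.replace("auth:    PGPKEY-0A1B2C3D\n", "")

if __name__ == "__main__":
    for name, copy in [("ok", LOCAL_OK), ("stale", LOCAL_STALE), ("filtered", DB_FILTERED)]:
        print(name, check_update_base(DB_FILTERED, copy))
```

An empty list means the local copy matches the database object in everything except the withheld credentials and carries no filtered lines.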
participants (6)
- Daniel Stolpe
- denis
- Elvis Daniel Velea
- Gert Doering
- md@Linux.IT
- Piotr Strzyzewski