/

ipsec_showhostkey (8) Linux Manual Page

ByLinux Manual Posted on Updated on

ipsec_showhostkey – show host’s authentication key

Synopsis

ipsec showhostkey [–verbose] {–version | –list | –dump | –left | –right | –ipseckey}

[–ckaid ckaid | –rsaid rsaid]

[–gateway gateway] [–precedence precedence]

[–nssdir nssdir] [–password password]

Description

Showhostkey

outputs (on standard output) a public key suitable for this host, in the format specified, using the host key information stored in the NSS database.

In general, since only the super-user can access the NSS database, only the super-user can display the public key information.

Common Options

–version

Print the libreswan version, then exit.

–verbose

Increase the verbosity.

–nssdir nssdir

Specify the libreswan directory that contains the NSS database (default /etc/ipsec.d).

–password password

Specify the password to use when accessing the NSS database (default contained in /etc/ipsec.d/nsspassword).

List Options

–list

List the private keys.

–dump

List, with more details, the private keys.

Public Key Options

–ckaid ckaid

Select the public key to display using the NSS ckaid.

–rsaid rsaid

Select the public key to display using the RSA key ID.

–left, –right

Print the selected public key in ipsec.conf(5) format, as a leftrsasigkey or rightrsasigkey parameter respectively. For example, –left might give (with the key data trimmed down for clarity): 

leftrsasigkey=0sAQOF8tZ2...+buFuFn/

–ipseckey

Print the selected public key in a format suitable for use as opportunistic-encryption DNS IPSECKEY record format (RFC 4025). A gateway can be specified with the –gateway, which currently supports IPv4 and IPv6 addresses. For the host name, the value returned by gethostname is used, with a . appended.

For example, –ipseckey –gateway 10.11.12.13 might give (with the key data trimmed for clarity): 

IN IPSECKEY 10 1 2 10.11.12.13 AQOF8tZ2...+buFuFn/"

–gateway gateway

For –ipseckey, specify the gateway to display with the DNS IPSECKEY record.

–precedence precedence

For –ipseckey, specify the precedence to display with the DNS IPSECKEY record.

Diagnostics

A complaint about “no pubkey line found” indicates that the host has a key but it was generated with an old version of FreeS/WAN and does not contain the information that showhostkey needs.

Files

/etc/ipsec.d, /etc/ipsec.d/nsspassword

See Also

ipsec.conf(5), ipsec rsasigkey(8)ipsec newhostkey(8)

History

Written for the Linux FreeS/WAN project <m[blue]http://www.freeswan.orgm[]> by Henry Spencer. Updated by Paul Wouters for the IPSECKEY format.

Bugs

Arguably, rather than just reporting the no-IN-KEY-line-found problem, showhostkey should be smart enough to run the existing key through rsasigkey with the –oldkey option, to generate a suitable output line.

Author

Paul Wouters

placeholder to suppress warning

Leave a Reply

Your email address will not be published. Required fields are marked *