ipsec_showhostkey(8) [centos man page]

IPSEC_SHOWHOSTKEY(8)						Executable programs					      IPSEC_SHOWHOSTKEY(8)

NAME

       ipsec_showhostkey - show host's authentication key

SYNOPSIS

       ipsec showhostkey [--ipseckey] [--left] [--right] [--dump] [--verbose] [--version] [--list] [--gateway gateway] [--precedence precedence]
	     [--dhclient] [--file secretfile] [--keynum count] [--id identity]

DESCRIPTION

       Showhostkey outputs (on standard output) a public key suitable for this host, in the format specified, using the host key information
       stored in /etc/ipsec.secrets. In general only the super-user can run this command, since only he can read ipsec.secrets.

       The --left and --right options cause the output to be in ipsec.conf(5) format, as a leftrsasigkey or rightrsasigkey parameter respectively.
       Generation information is included if available. For example, --left might give (with the key data trimmed down for clarity):

	     # RSA 2048 bits   xy.example.com	Sat Apr 15 13:53:22 2000
	     leftrsasigkey=0sAQOF8tZ2...+buFuFn/

       The --ipseckey option causes the output to be in opportunistic-encryption DNS IPSECKEY record format (RFC 4025). A gateway can be specified
       with the --gateway, which currently supports IPv4 and IPv6 addresses. The host name is the one included in the key information (or, if that
       is not available, the output of hostname --fqdn), with a .  appended. For example, --ipseckey --gateway 10.11.12.13 might give (with the
       key data trimmed for clarity):

		 IN    IPSECKEY  10 1 2 10.11.12.13  AQOF8tZ2...+buFuFn/"

       The --version option causes the version of the binary to be emitted, and nothing else.

       The --verbose may be present one or more times. Each occurance increases the verbosity level.

       The --dhclient option cause the output to be suitable for inclusion in dhclient.conf(5) as part of configuring WAVEsec. See
       <http://www.wavesec.org>.

       Normally, the default key for this host (the one with no host identities specified for it) is the one extracted. The --id option overrides
       this, causing extraction of the key labeled with the specified identity, if any. The specified identity must exactly match the identity in
       the file; in particular, the comparison is case-sensitive.

       There may also be multiple keys with the same identity. All keys are numbered based upon their linear sequence in the file (including all
       include directives)

       The --file option overrides the default for where the key information should be found, and takes it from the specified secretfile.

DIAGNOSTICS

       A complaint about "no pubkey line found" indicates that the host has a key but it was generated with an old version of FreeS/WAN and does
       not contain the information that showhostkey needs.

FILES

       /etc/ipsec.secrets

SEE ALSO

       ipsec.secrets(5), ipsec.conf(5), ipsec_rsasigkey(8)

HISTORY

       Written for the Linux FreeS/WAN project <http://www.freeswan.org> by Henry Spencer. Updated by Paul Wouters for the IPSECKEY format.

BUGS

       Arguably, rather than just reporting the no-IN-KEY-line-found problem, showhostkey should be smart enough to run the existing key through
       rsasigkey with the --oldkey option, to generate a suitable output line.

       The --id option assumes that the identity appears on the same line as the : RSA { that begins the key proper.

AUTHOR

       Paul Wouters
	   placeholder to suppress warning

libreswan							    12/16/2012						      IPSEC_SHOWHOSTKEY(8)