Login or Register to Ask a Question and Join Our Community

Linux and UNIX Man Pages

Linux & Unix Commands - Search Man Pages

ipsec_ranbits(8) [debian man page]

IPSEC_RANBITS(8)						  [FIXME: manual]						  IPSEC_RANBITS(8)

NAME

       ipsec_ranbits - generate random bits in ASCII form

SYNOPSIS

       ipsec ranbits [--quick] [--continuous] [--bytes] nbits

DESCRIPTION

       Ranbits obtains nbits (rounded up to the nearest byte) high-quality random bits from random(4), and emits them on standard output as an
       ASCII string. The default output format is datatot(3) h format: lowercase hexadecimal with a 0x prefix and an underscore every 32 bits.

       The --quick option produces quick-and-dirty random bits: instead of using the high-quality random bits from /dev/random, which may take
       some time to supply the necessary bits if nbits is large, ranbits uses /dev/urandom, which yields prompt results but lower-quality
       randomness.

       The --continuous option uses datatot(3) x output format, like h but without the underscores.

       The --bytes option causes nbits to be interpreted as a byte count rather than a bit count.

FILES

       /dev/random, /dev/urandom

SEE ALSO

       ipsec_datatot(3), random(4)

HISTORY

       Written for the Linux FreeS/WAN project <http://www.freeswan.org> by Henry Spencer.

BUGS

       There is an internal limit on nbits, currently 20000.

       Without --quick, ranbits's run time is difficult to predict. A request for a large number of bits, at a time when the system's entropy pool
       is low on randomness, may take quite a while to satisfy.

       Though not a bug of ranbits, the direct use of /dev/hw_random, the Linux hardware random number generator is not supported because it can
       produce very non-random data. To properly use /dev/hw_random, the rngd daemon should be used to read from /dev/hw_random and write to
       /dev/random, while performing a FIPS test on the hardware random read. No changes to Openswan are required for this support - just a
       running rngd.

[FIXME: source] 						    10/06/2010							  IPSEC_RANBITS(8)

Check Out this Related Man Page

IPSEC_RANBITS(8)						Executable programs						  IPSEC_RANBITS(8)

NAME

       ipsec_newhostkey - generate a new raw RSA authentication key for a host

SYNOPSIS

       ipsec newhostkey [[--configdirnssdbdir] | [--password password]] [[--quiet] | [--verbose]] [--bits bits] [--random device]
	     [--hostname hostname] [--output filename]

DESCRIPTION

       newhostkey outputs (into filename, which can be '-' for standard output) an RSA private key suitable for this host, in /etc/ipsec.secrets
       format (see ipsec.secrets(5)) using the --quiet option per default.

       The --output option is mandatory. The specified filename is created under umask 077 if nonexistent; if it already exists and is non-empty,
       a warning message about that is sent to standard error, and the output is appended to the file.

       The --quiet option suppresses both the rsasigkey narrative and the existing-file warning message.

       When compiled with NSS support (the default), --configdir specifies the nss configuration directory where the certificate key, and modsec
       databases reside. There is no default value, though /etc/ipsec.d might be sensible choice.

       When compiled with NSS support (the default), --password specifies a module authentication password that may be required if FIPS mode is
       enabled

       The --bits option specifies the number of bits in the RSA key; the current default is a random (multiple of 16) value between 3072 and
       4096. The minimum allowed is 2172.

       The --random is used to specify the random device (default /dev/random used to seed the crypto library RNG.

       The --hostname option is passed through to rsasigkey to tell it what host name to label the output with (via its --hostname option).

       The output format is that of rsasigkey, with bracketing added to complete the ipsec.secrets format. In the usual case, where ipsec.secrets
       contains only the hostas own private key, the output of newhostkey is sufficient as a complete ipsec.secrets file.

FILES

       /dev/random, /dev/urandom

SEE ALSO

       ipsec_rsasigkey(8), ipsec.secrets(5)

HISTORY

       Originally written for the Linux FreeS/WAN project <http://www.freeswan.org> by Henry Spencer. Updated by Paul Wouters

BUGS

       As with rsasigkey, the run time is difficult to predict, since depletion of the systemas randomness pool can cause arbitrarily long waits
       for random bits, and the prime-number searches can also take unpre dictable (and potentially large) amounts of CPU time. See
       ipsec_rsasigkey(8) .

       A higher-level tool which could handle the clerical details of changing to a new key would be helpful.

AUTHOR

       Paul Wouters
	   placeholder to suppress warning

libreswan							    09/06/2013							  IPSEC_RANBITS(8)
Man Page