Login or Register to Ask a Question and Join Our Community

Linux and UNIX Man Pages

Linux & Unix Commands - Search Man Pages

ipsec_showhostkey(8) [centos man page]

IPSEC_SHOWHOSTKEY(8)						Executable programs					      IPSEC_SHOWHOSTKEY(8)

NAME

       ipsec_showhostkey - show host's authentication key

SYNOPSIS

       ipsec showhostkey [--ipseckey] [--left] [--right] [--dump] [--verbose] [--version] [--list] [--gateway gateway] [--precedence precedence]
	     [--dhclient] [--file secretfile] [--keynum count] [--id identity]

DESCRIPTION

       Showhostkey outputs (on standard output) a public key suitable for this host, in the format specified, using the host key information
       stored in /etc/ipsec.secrets. In general only the super-user can run this command, since only he can read ipsec.secrets.

       The --left and --right options cause the output to be in ipsec.conf(5) format, as a leftrsasigkey or rightrsasigkey parameter respectively.
       Generation information is included if available. For example, --left might give (with the key data trimmed down for clarity):

	     # RSA 2048 bits   xy.example.com	Sat Apr 15 13:53:22 2000
	     leftrsasigkey=0sAQOF8tZ2...+buFuFn/

       The --ipseckey option causes the output to be in opportunistic-encryption DNS IPSECKEY record format (RFC 4025). A gateway can be specified
       with the --gateway, which currently supports IPv4 and IPv6 addresses. The host name is the one included in the key information (or, if that
       is not available, the output of hostname --fqdn), with a .  appended. For example, --ipseckey --gateway 10.11.12.13 might give (with the
       key data trimmed for clarity):

		 IN    IPSECKEY  10 1 2 10.11.12.13  AQOF8tZ2...+buFuFn/"

       The --version option causes the version of the binary to be emitted, and nothing else.

       The --verbose may be present one or more times. Each occurance increases the verbosity level.

       The --dhclient option cause the output to be suitable for inclusion in dhclient.conf(5) as part of configuring WAVEsec. See
       <http://www.wavesec.org>.

       Normally, the default key for this host (the one with no host identities specified for it) is the one extracted. The --id option overrides
       this, causing extraction of the key labeled with the specified identity, if any. The specified identity must exactly match the identity in
       the file; in particular, the comparison is case-sensitive.

       There may also be multiple keys with the same identity. All keys are numbered based upon their linear sequence in the file (including all
       include directives)

       The --file option overrides the default for where the key information should be found, and takes it from the specified secretfile.

DIAGNOSTICS

       A complaint about "no pubkey line found" indicates that the host has a key but it was generated with an old version of FreeS/WAN and does
       not contain the information that showhostkey needs.

FILES

       /etc/ipsec.secrets

SEE ALSO

       ipsec.secrets(5), ipsec.conf(5), ipsec_rsasigkey(8)

HISTORY

       Written for the Linux FreeS/WAN project <http://www.freeswan.org> by Henry Spencer. Updated by Paul Wouters for the IPSECKEY format.

BUGS

       Arguably, rather than just reporting the no-IN-KEY-line-found problem, showhostkey should be smart enough to run the existing key through
       rsasigkey with the --oldkey option, to generate a suitable output line.

       The --id option assumes that the identity appears on the same line as the : RSA { that begins the key proper.

AUTHOR

       Paul Wouters
	   placeholder to suppress warning

libreswan							    12/16/2012						      IPSEC_SHOWHOSTKEY(8)

Check Out this Related Man Page

IPSEC_RANBITS(8)						  [FIXME: manual]						  IPSEC_RANBITS(8)

NAME

       ipsec_newhostkey - generate a new raw RSA authentication key for a host

SYNOPSIS

       ipsec newhostkey [[--configdiranssdbdir] | [--password password]] [[--quiet] | [--verbose]] [--bits bits] [--hostname hostname]
	     --output filename

DESCRIPTION

       newhostkey outputs (into filename, which can be '-' for standard output) an RSA private key suitable for this host, in /etc/ipsec.secrets
       format (see ipsec.secrets(5)) using the --quiet option per default.

       The --output option is mandatory. The specified filename is created under umask 077 if nonexistent; if it already exists and is non-empty,
       a warning message about that is sent to standard error, and the output is appended to the file.

       The --quiet option suppresses both the rsasigkey narrative and the existing-file warning message.

       When compiled with NSS support, --configdir specifies the nss configuration directory where the certificate key, and modsec databases
       reside. There is no default value, though /etc/ipsec.d might be sensible choice.

       When compiled with NSS support, --password specifies a module authentication password that may be required if FIPS mode is enabled

       The --bits option specifies the number of bits in the key; the current default is 2192 and we do not recommend use of anything shorter
       unless unusual constraints demand it.

       The --hostname option is passed through to rsasigkey to tell it what host name to label the output with (via its --hostname option).

       The output format is that of rsasigkey, with bracketing added to complete the ipsec.secrets format. In the usual case, where ipsec.secrets
       contains only the hostas own private key, the output of newhostkey is sufficient as a complete ipsec.secrets file.

FILES

       /dev/random, /dev/urandom

SEE ALSO

       ipsec_rsasigkey(8), ipsec.secrets(5)

HISTORY

       Written for the Linux FreeS/WAN project <http://www.freeswan.org> by Henry Spencer.

BUGS

       As with rsasigkey, the run time is difficult to predict, since depletion of the systemas randomness pool can cause arbitrarily long waits
       for random bits, and the prime-number searches can also take unpre dictable (and potentially large) amounts of CPU time. See
       ipsec_rsasigkey(8) for some typical performance numbers.

       A higher-level tool which could handle the clerical details of changing to a new key would be helpful.

       The requirement for --output is a blemish, but private keys are extremely sensitive information and unusual precautions seem justified.

[FIXME: source] 						    10/06/2010							  IPSEC_RANBITS(8)
Man Page