Login or Register to Ask a Question and Join Our Community

Linux and UNIX Man Pages

Linux & Unix Commands - Search Man Pages

ipsec_newhostkey(8) [debian man page]

IPSEC_RANBITS(8)						  [FIXME: manual]						  IPSEC_RANBITS(8)

NAME

       ipsec_newhostkey - generate a new raw RSA authentication key for a host

SYNOPSIS

       ipsec newhostkey [[--configdiranssdbdir] | [--password password]] [[--quiet] | [--verbose]] [--bits bits] [--hostname hostname]
	     --output filename

DESCRIPTION

       newhostkey outputs (into filename, which can be '-' for standard output) an RSA private key suitable for this host, in /etc/ipsec.secrets
       format (see ipsec.secrets(5)) using the --quiet option per default.

       The --output option is mandatory. The specified filename is created under umask 077 if nonexistent; if it already exists and is non-empty,
       a warning message about that is sent to standard error, and the output is appended to the file.

       The --quiet option suppresses both the rsasigkey narrative and the existing-file warning message.

       When compiled with NSS support, --configdir specifies the nss configuration directory where the certificate key, and modsec databases
       reside. There is no default value, though /etc/ipsec.d might be sensible choice.

       When compiled with NSS support, --password specifies a module authentication password that may be required if FIPS mode is enabled

       The --bits option specifies the number of bits in the key; the current default is 2192 and we do not recommend use of anything shorter
       unless unusual constraints demand it.

       The --hostname option is passed through to rsasigkey to tell it what host name to label the output with (via its --hostname option).

       The output format is that of rsasigkey, with bracketing added to complete the ipsec.secrets format. In the usual case, where ipsec.secrets
       contains only the hostas own private key, the output of newhostkey is sufficient as a complete ipsec.secrets file.

FILES

       /dev/random, /dev/urandom

SEE ALSO

       ipsec_rsasigkey(8), ipsec.secrets(5)

HISTORY

       Written for the Linux FreeS/WAN project <http://www.freeswan.org> by Henry Spencer.

BUGS

       As with rsasigkey, the run time is difficult to predict, since depletion of the systemas randomness pool can cause arbitrarily long waits
       for random bits, and the prime-number searches can also take unpre dictable (and potentially large) amounts of CPU time. See
       ipsec_rsasigkey(8) for some typical performance numbers.

       A higher-level tool which could handle the clerical details of changing to a new key would be helpful.

       The requirement for --output is a blemish, but private keys are extremely sensitive information and unusual precautions seem justified.

[FIXME: source] 						    10/06/2010							  IPSEC_RANBITS(8)

Check Out this Related Man Page

IPSEC_BARF(8)							  [FIXME: manual]						     IPSEC_BARF(8)

NAME

       ipsec_barf - spew out collected IPsec debugging information

SYNOPSIS

       ipsec barf [--short --maxlines <100>]

DESCRIPTION

       Barf outputs (on standard output) a collection of debugging information (contents of files, selections from logs, etc.) related to the
       IPsec encryption/authentication system. It is primarily a convenience for remote debugging, a single command which packages up (and labels)
       all information that might be relevant to diagnosing a problem in IPsec.

       The --short option limits the length of the log portion of barf's output, which can otherwise be extremely voluminous if debug logging is
       turned on.

       --maxlines <100> option sets the length of some bits of information, currently netstat -rn. Useful on boxes where the routing table is
       thousands of lines long. Default is 100.

       Barf censors its output, replacing keys and secrets with brief checksums to avoid revealing sensitive information.

       Beware that the output of both commands is aimed at humans, not programs, and the output format is subject to change without warning.

       Barf has to figure out which files in /var/log contain the IPsec log messages. It looks for KLIPS and general log messages first in
       messages and syslog, and for Pluto messages first in secure, auth.log, and debug. In both cases, if it does not find what it is looking for
       in one of those "likely" places, it will resort to a brute-force search of most (non-compressed) files in /var/log.

FILES

	   /proc/net/*
	   /var/log/*
	   /etc/ipsec.conf
	   /etc/ipsec.secrets

HISTORY

       Written for the Linux FreeS/WAN project <http://www.freeswan.org> by Henry Spencer.

BUGS

       Barf uses heuristics to try to pick relevant material out of the logs, and relevant messages which are not labelled with any of the tags
       that barf looks for will be lost. We think we've eliminated the last such case, but one never knows...

       Finding updown scripts (so they can be included in output) is, in general, difficult.  Barf uses a very simple heuristic that is easily
       fooled.

       The brute-force search for the right log files can get expensive on systems with a lot of clutter in /var/log.

[FIXME: source] 						   17 March 2002						     IPSEC_BARF(8)
Man Page