IPSEC_SHOWHOSTKEY(8) Executable programs IPSEC_SHOWHOSTKEY(8)

NAME
ipsec_showhostkey - show host's authentication key

SYNOPSIS
ipsec showhostkey [--ipseckey] [--left] [--right] [--dump] [--verbose]
[--version] [--list] [--gateway gateway]
[--precedence precedence] [--dhclient] [--file secretfile]
[--keynum count] [--id identity]

DESCRIPTION
Showhostkey outputs (on standard output) a public key suitable for this
host, in the format specified, using the host key information stored in
/etc/ipsec.secrets. In general only the super-user can run this
command, since only the super-user can read ipsec.secrets.

The --left and --right options cause the output to be in ipsec.conf(5)
format, as a leftrsasigkey or rightrsasigkey parameter respectively.
Generation information is included if available. For example, --left
might give (with the key data trimmed down for clarity):

# RSA 2048 bits xy.example.com Sat Apr 15 13:53:22 2000
leftrsasigkey=0sAQOF8tZ2...+buFuFn/

The --ipseckey option causes the output to be in
opportunistic-encryption DNS IPSECKEY record format (RFC 4025). A
gateway can be specified with the --gateway option, which currently
supports IPv4 and IPv6 addresses. The host name is the one included in
the key information (or, if that is not available, the output of
hostname --fqdn), with a . appended. For example, --ipseckey --gateway
10.11.12.13 might give (with the key data trimmed for clarity):

IN IPSECKEY 10 1 2 10.11.12.13 AQOF8tZ2...+buFuFn/

The --version option causes the version of the binary to be emitted,
and nothing else.

The --verbose option may be present one or more times. Each occurrence
increases the verbosity level.

The --dhclient option causes the output to be suitable for inclusion in
dhclient.conf(5) as part of configuring WAVEsec. See
<http://www.wavesec.org>.

Normally, the default key for this host (the one with no host
identities specified for it) is the one extracted. The --id option
overrides this, causing extraction of the key labeled with the
specified identity, if any. The specified identity must exactly match
the identity in the file; in particular, the comparison is
case-sensitive.

There may also be multiple keys with the same identity. All keys are
numbered based upon their linear sequence in the file (including all
include directives).

The --file option overrides the default for where the key information
should be found, and takes it from the specified secretfile.

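Because --keynum counts keys by their position in the file and --id compares identities exactly and case-sensitively, it helps to see which key each selector would pick before running showhostkey on a real secrets file. The following is an added example written for this page, not libreswan code: a POSIX sh/awk listing of the ": RSA {" entries in an ipsec.secrets-style file, numbered in file order, plus a lookup that mimics the case-sensitive --id match. The function names (list_rsa_keys, keynum_for_id) and the sample file are constructed; as a simplification it does not follow include lines and only sees identities written on the same ": RSA {" line.

```shell
#!/bin/sh
# Added example, not libreswan code: list the RSA keys in an ipsec.secrets
# style file in the order showhostkey numbers them, and look up the number
# of the key whose identity exactly matches a given --id value.
# Assumptions of this example: "include" lines are not followed, and only
# identities written on the same ": RSA {" line are recognised.

# list_rsa_keys FILE: print "<keynum><TAB><identity>" for each ": RSA {" line.
list_rsa_keys() {
    awk '
        /:[ \t]*RSA[ \t]*[{]/ {
            n++
            id = $0
            sub(/[ \t]*:[ \t]*RSA[ \t]*[{].*$/, "", id)   # drop ": RSA {" and what follows
            sub(/^[ \t]+/, "", id)                         # drop leading blanks
            if (id == "") id = "(default)"                 # no identity: the default key
            printf "%d\t%s\n", n, id
        }' "$1"
}

# keynum_for_id FILE IDENTITY: print the number of the first key labelled
# exactly IDENTITY (case-sensitive, as --id compares); print nothing if none.
keynum_for_id() {
    list_rsa_keys "$1" | awk -F '\t' -v want="$2" '$2 == want { print $1; exit }'
}

# Constructed sample secrets file; it holds no real key material.
SECRETS=$(mktemp)
trap 'rm -f "$SECRETS"' EXIT
cat > "$SECRETS" <<'EOF'
: RSA {
    # RSA 2048 bits xy.example.com Sat Apr 15 13:53:22 2000
    # key material omitted
    }
@west.example.com : RSA {
    # key material omitted
    }
include /etc/ipsec.d/*.secrets
@West.Example.com : RSA {
    # key material omitted
    }
EOF

list_rsa_keys "$SECRETS"                          # 1 (default), 2 @west..., 3 @West...
keynum_for_id "$SECRETS" '@west.example.com'      # prints 2
keynum_for_id "$SECRETS" '@WEST.EXAMPLE.COM'      # prints nothing: case differs
```

Point it at a copy of the real file with `list_rsa_keys /path/to/secrets` (as the super-user, since the file is not world-readable) to see the numbering that --keynum uses; note that real files with include directives will number differently from this simplified listing.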
DIAGNOSTICS
A complaint about “no pubkey line found” indicates that the host has a
key but it was generated with an old version of FreeS/WAN and does not
contain the information that showhostkey needs.

FILES
/etc/ipsec.secrets

SEE ALSO
ipsec.secrets(5), ipsec.conf(5), ipsec_rsasigkey(8)

HISTORY
Written for the Linux FreeS/WAN project <http://www.freeswan.org> by
Henry Spencer. Updated by Paul Wouters for the IPSECKEY format.

BUGS
Arguably, rather than just reporting the no-IN-KEY-line-found problem,
showhostkey should be smart enough to run the existing key through
rsasigkey with the --oldkey option, to generate a suitable output line.

The --id option assumes that the identity appears on the same line as
the : RSA { that begins the key proper.

AUTHOR
Paul Wouters

libreswan 10/04/2017 IPSEC_SHOWHOSTKEY(8)