1IPSEC_SHOWHOSTKEY(8)            [FIXME: manual]           IPSEC_SHOWHOSTKEY(8)
2
3
4

NAME

6       ipsec_showhostkey - show host´s authentication key
7

SYNOPSIS

9       ipsec showhostkey [--ipseckey [gateway]] [--left] [--right] [--dump]
10             [--verbose] [--version] [--list] [--x509self] [--x509req]
11             [--x509cert] [--txt gateway] [--dhclient] [--file secretfile]
12             [--keynum count] [--id identity]
13

DESCRIPTION

15       Showhostkey outputs (on standard output) a public key suitable for this
16       host, in the format specified, using the host key information stored in
17       /etc/ipsec.secrets. In general only the super-user can run this
18       command, since only he can read ipsec.secrets.
19
20       The --txt option causes the output to be in opportunistic-encryption
21       DNS TXT record format, with the specified gateway value. If information
22       about how the key was generated is available, that is provided as a
23       DNS-file comment. For example, --txt 10.11.12.13 might give (with the
24       key data trimmed for clarity):
25
26             ; RSA 2048 bits   xy.example.com   Sat Apr 15 13:53:22 2000
27                 IN TXT  "X-IPsec-Server(10)=10.11.12.13 AQOF8tZ2...+buFuFn/"
28
29       No name is supplied in the TXT record because there are too many
30       possibilities, depending on how it will be used. If the text string is
31       longer than 255 bytes, it is split up into multiple strings (matching
32       the restrictions of the DNS TXT binary format). If any split is needed,
33       the first split will be at the start of the key: this increases the
34       chances that later hand editing will work.
35
36       The --version option causes the version of the binary to be emitted,
37       and nothing else.
38
39       The --verbose may be present one or more times. Each occurance
40       increases the verbosity level.
41
42       The --left and --right options cause the output to be in ipsec.conf(5)
43       format, as a leftrsasigkey or rightrsasigkey parameter respectively.
44       Again, generation information is included if available. For example,
45       --left might give (with the key data trimmed down for clarity):
46
47             # RSA 2048 bits   xy.example.com   Sat Apr 15 13:53:22 2000
48             leftrsasigkey=0sAQOF8tZ2...+buFuFn/
49
50       The --dhclient option cause the output to be suitable for inclusion in
51       dhclient.conf(5) as part of configuring WAVEsec. See
52       <http://www.wavesec.org>.
53
54       If --ipseckey is specified, the output format is the text form of a DNS
55       IPSECKEY record (see RFC4025); the host name is the one included in the
56       key information (or, if that is not available, the output of
57       hostname --fqdn), with a .  appended. The gateway information, if
58       provided, is is included, otherwise, the gateway is assumed to be self,
59       and to be of type FQDN. Generation information is included if
60       available. For example (with the key data trimmed down for clarity):
61
62             ; RSA 2048 bits   xy.example.com   Sat Apr 15 13:53:22 2000
63             xy.example.com.   IN   IPSECKEYKEY   floyd albert
64
65             ; RSA 2048 bits   xy.example.com   Sat Apr 15 13:53:22 2000
66             xy.example.com.   IN   KEY   0x4200 4 1 AQOF8tZ2...+buFuFn/
67
68       Normally, the default key for this host (the one with no host
69       identities specified for it) is the one extracted. The --id option
70       overrides this, causing extraction of the key labeled with the
71       specified identity, if any. The specified identity must exactly match
72       the identity in the file; in particular, the comparison is
73       case-sensitive.
74
75       There may also be multiple keys with the same identity. All keys are
76       numbered based upon their linear sequence in the file (including all
77       include directives)
78
79       The --file option overrides the default for where the key information
80       should be found, and takes it from the specified secretfile.
81

DIAGNOSTICS

83       A complaint about “no pubkey line found” indicates that the host has a
84       key but it was generated with an old version of FreeS/WAN and does not
85       contain the information that showhostkey needs.
86

FILES

88       /etc/ipsec.secrets
89

SEE ALSO

91       ipsec.secrets(5), ipsec.conf(5), ipsec_rsasigkey(8)
92

HISTORY

94       Written for the Linux FreeS/WAN project <http://www.freeswan.org> by
95       Henry Spencer.
96

BUGS

98       Arguably, rather than just reporting the no-IN-KEY-line-found problem,
99       showhostkey should be smart enough to run the existing key through
100       rsasigkey with the --oldkey option, to generate a suitable output line.
101
102       The need to specify the gateway address (etc.) for --txt is annoying,
103       but there is no good way to determine it automatically.
104
105       There should be a way to specify the priority value for TXT records;
106       currently it is hardwired to 10.
107
108       The --id option assumes that the identity appears on the same line as
109       the : RSA { that begins the key proper.
110
111
112
113[FIXME: source]                   10/06/2010              IPSEC_SHOWHOSTKEY(8)
Impressum