IPSEC_SHOWHOSTKEY(8) Executable programs IPSEC_SHOWHOSTKEY(8)

NAME
ipsec_showhostkey - show host's authentication key

SYNOPSIS
ipsec showhostkey [--verbose]
{--version | --list | --dump | --left | --right | --ipseckey}
[--ckaid ckaid | --rsaid rsaid]
[--gateway gateway] [--precedence precedence]
[--nssdir nssdir] [--password password]

DESCRIPTION
Showhostkey outputs (on standard output) a public key suitable for this
host, in the format specified, using the host key information stored in
the NSS database.

In general, since only the super-user can access the NSS database, only
the super-user can display the public key information.

Common Options
--version
Print the libreswan version, then exit.

--verbose
Increase the verbosity.

--nssdir nssdir
Specify the libreswan directory that contains the NSS database
(default /var/lib/ipsec/nss).

--password password
Specify the password to use when accessing the NSS database
(default contained in /etc/ipsec.d/nsspassword).

List Options
--list
List the private keys.

--dump
List, with more details, the private keys.

Public Key Options
--ckaid ckaid
Select the public key to display using the NSS ckaid.

--rsaid rsaid
Select the public key to display using the RSA key ID.

--left, --right
Print the selected public key in ipsec.conf(5) format, as a
leftrsasigkey or rightrsasigkey parameter respectively. For
example, --left might give (with the key data trimmed down for
clarity):

leftrsasigkey=0sAQOF8tZ2...+buFuFn/

--ipseckey
Print the selected public key in the DNS IPSECKEY record format
(RFC 4025) used for opportunistic encryption. A gateway can be
specified with the --gateway option, which currently supports IPv4
and IPv6 addresses. For the host name, the value returned by
gethostname is used, with a . appended.

For example, --ipseckey --gateway 10.11.12.13 might give (with the
key data trimmed for clarity):

IN IPSECKEY 10 1 2 10.11.12.13 AQOF8tZ2...+buFuFn/

--gateway gateway
For --ipseckey, specify the gateway to display with the DNS
IPSECKEY record.

--precedence precedence
For --ipseckey, specify the precedence to display with the DNS
IPSECKEY record.
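
The following is an added example, not part of the libreswan man page or code base: a Python check that parses one --ipseckey style record before it is published in DNS, confirms the gateway matches its declared type, and reports the RSA exponent and modulus size. The owner name vpn.example and the key material are constructed; the key layout assumed is the RFC 3110 RSA encoding that RFC 4025 specifies for algorithm 2.

```python
import base64
import ipaddress

def parse_rsa_key(blob: bytes):
    """Split an RFC 3110 RSA public key into (exponent, modulus) integers."""
    if not blob:
        raise ValueError("empty key")
    elen, off = blob[0], 1
    if elen == 0:  # long form: a two-byte exponent length follows
        elen, off = int.from_bytes(blob[1:3], "big"), 3
    exp, mod = blob[off:off + elen], blob[off + elen:]
    if elen == 0 or len(exp) != elen or not mod:
        raise ValueError("truncated RSA key")
    return int.from_bytes(exp, "big"), int.from_bytes(mod, "big")

def parse_ipseckey(line: str) -> dict:
    """Parse and validate one IPSECKEY record in RFC 4025 presentation format."""
    tokens = line.split()
    if "IPSECKEY" not in tokens:
        raise ValueError("not an IPSECKEY record")
    fields = tokens[tokens.index("IPSECKEY") + 1:]
    if len(fields) < 5:
        raise ValueError("need precedence, gateway type, algorithm, gateway, key")
    precedence, gw_type, algorithm = (int(f) for f in fields[:3])
    if not 0 <= precedence <= 255:
        raise ValueError("precedence must fit in one octet")
    gateway = fields[3]
    if gw_type in (1, 2):  # 1 = IPv4 address, 2 = IPv6 address
        if ipaddress.ip_address(gateway).version != (4 if gw_type == 1 else 6):
            raise ValueError("gateway address does not match gateway type")
    elif gw_type not in (0, 3):  # 0 = no gateway, 3 = domain name
        raise ValueError("unknown gateway type")
    if algorithm != 2:  # 2 = RSA, the only algorithm handled here
        raise ValueError("unsupported algorithm")
    key = base64.b64decode("".join(fields[4:]), validate=True)
    exponent, modulus = parse_rsa_key(key)
    return {"precedence": precedence, "gateway": gateway,
            "exponent": exponent, "modulus_bits": modulus.bit_length()}

# Constructed sample: a dummy 2048-bit modulus, not a real key. The owner name is
# made up; precedence, types and gateway are the ones in the man page's example.
_blob = bytes([3]) + (65537).to_bytes(3, "big") + b"\xc1" + bytes(254) + b"\x01"
SAMPLE_RECORD = ("vpn.example. IN IPSECKEY 10 1 2 10.11.12.13 "
                 + base64.b64encode(_blob).decode())

if __name__ == "__main__":
    print(parse_ipseckey(SAMPLE_RECORD))
```

A small exponent or a short modulus reported here is a reason to regenerate the host key before the record goes into the zone.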

DIAGNOSTICS
A complaint about “no pubkey line found” indicates that the host has a
key but it was generated with an old version of FreeS/WAN and does not
contain the information that showhostkey needs.

FILES
/var/lib/ipsec/nss, /etc/ipsec.d/nsspassword

SEE ALSO
ipsec.conf(5), ipsec rsasigkey(8), ipsec newhostkey(8)

HISTORY
Written for the Linux FreeS/WAN project <https://www.freeswan.org> by
Henry Spencer. Updated by Paul Wouters for the IPSECKEY format.

BUGS
Arguably, rather than just reporting the no-IN-KEY-line-found problem,
showhostkey should be smart enough to run the existing key through
rsasigkey with the --oldkey option, to generate a suitable output line.

AUTHOR
Paul Wouters

libreswan 08/26/2021 IPSEC_SHOWHOSTKEY(8)