IPSEC_SHOWHOSTKEY(8)          Executable programs         IPSEC_SHOWHOSTKEY(8)

NAME

       ipsec_showhostkey - show host's authentication key


SYNOPSIS

       ipsec showhostkey [--verbose]
             {--version | --list | --dump | --left | --right | --ipseckey | --pem}
             [--ckaid ckaid | --rsaid rsaid]
             [--gateway gateway] [--precedence precedence]
             [--nssdir nssdir] [--password password]


DESCRIPTION

       Showhostkey outputs (on standard output) a public key suitable for this
       host, in the format specified, using the host key information stored in
       the NSS database.

       Since only the super-user can normally access the NSS database, in
       general only the super-user can display the public key information.

   Common Options
       --version
           Print the libreswan version, then exit.

       --verbose
           Increase the verbosity.

       --nssdir nssdir
           Specify the libreswan directory that contains the NSS database
           (default /var/lib/ipsec/nss).

       --password password
           Specify the password to use when accessing the NSS database
           (default contained in /etc/ipsec.d/nsspassword). Note that a
           password given on the command line is visible to other users in
           the process list; the nsspassword file is the safer choice.

   List Options
       --list
           List the private keys.

       --dump
           List, with more details, the private keys.

   Public Key Options
       --ckaid ckaid
           Select the public key to display using its NSS CKAID.

       --rsaid rsaid
           Select the public key to display using the RSA key ID.

       --pem
           Print the selected public key in PEM encoded ASN.1 format.

       --left, --right
           Print the selected public key in ipsec.conf(5) format, as a
           leftrsasigkey or rightrsasigkey parameter respectively. The value
           is the base64 encoding of the key, carrying the 0s prefix that
           ipsec.conf(5) uses to mark base64 data. For example, --left might
           give (with the key data trimmed down for clarity):

               leftrsasigkey=0sAQOF8tZ2...+buFuFn/


       --ipseckey
           Print the selected public key as a DNS IPSECKEY resource record
           (RFC 4025), as used for opportunistic encryption. A gateway can be
           specified with --gateway, which currently supports IPv4 and IPv6
           addresses. For the host name, the value returned by gethostname is
           used, with a "." appended.

           For example, --ipseckey --gateway 10.11.12.13 might give (with the
           key data trimmed for clarity):

               IN    IPSECKEY  10 1 2 10.11.12.13  AQOF8tZ2...+buFuFn/

           The record data fields are, in order, the precedence (10), the
           gateway type (1, an IPv4 address), the algorithm (2, RSA), the
           gateway address and the base64 public key.


       --gateway gateway
           For --ipseckey, specify the gateway to display with the DNS
           IPSECKEY record.

       --precedence precedence
           For --ipseckey, specify the precedence to display with the DNS
           IPSECKEY record.

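       The --left/--right and --ipseckey formats carry the same base64 key
       blob: the former wraps it as a 0s-prefixed ipsec.conf value, the
       latter places it as the last field of an RFC 4025 record. The shell
       helpers below are an added illustration, not part of libreswan or of
       this page: they extract the blob from a --left line, classify a
       gateway into the RFC 4025 gateway-type field, and assemble the record
       for a given precedence and gateway. The sample key is the trimmed
       value quoted above; the function names, the owner name and the
       handling of domain-name and absent gateways (types 3 and 0) are
       assumptions that go beyond what --gateway itself accepts.

```shell
#!/bin/sh
# Added example: helpers for the showhostkey output formats (hypothetical,
# not part of libreswan).  Plain POSIX sh, no external tools needed.

# Constructed sample: the trimmed --left output quoted in the man page.
SAMPLE_LEFT='leftrsasigkey=0sAQOF8tZ2...+buFuFn/'

# Extract the base64 key blob from a --left/--right line.  ipsec.conf(5)
# marks base64 values with a "0s" prefix; the blob after it is exactly what
# --ipseckey prints as the public-key field of the record.
rsasigkey_blob() {
    key=${1#*rsasigkey=}      # drop "leftrsasigkey=" or "rightrsasigkey="
    key=${key#0s}             # drop the base64 marker
    printf '%s\n' "$key"
}

# Map a gateway value to the RFC 4025 gateway-type field:
#   0 = no gateway ("."), 1 = IPv4, 2 = IPv6, 3 = domain name.
# Types 0 and 3 are an assumption beyond --gateway, which takes IPv4/IPv6.
gateway_type() {
    case "$1" in
        ''|.)        echo 0 ;;   # no gateway
        *:*)         echo 2 ;;   # a colon can only be IPv6
        *[!0-9.]*)   echo 3 ;;   # anything but digits and dots: a name
        *)           echo 1 ;;   # dotted decimal: IPv4
    esac
}

# Build the IPSECKEY RDATA: precedence gateway-type algorithm gateway key.
# Algorithm 2 is RSA, the key type the man page's example shows.
# Usage: ipseckey_rdata PRECEDENCE GATEWAY KEYBLOB   (GATEWAY may be empty)
ipseckey_rdata() {
    prec=$1; gw=$2; blob=$3
    [ -n "$gw" ] || gw=.                       # RFC 4025: "." when no gateway
    printf '%s %s 2 %s %s\n' "$prec" "$(gateway_type "$gw")" "$gw" "$blob"
}

# Full resource record.  The owner name is passed in rather than taken from
# gethostname (as showhostkey does) so the example behaves the same anywhere.
# Usage: ipseckey_record OWNER PRECEDENCE GATEWAY KEYBLOB
ipseckey_record() {
    printf '%s IN IPSECKEY %s\n' "$1" "$(ipseckey_rdata "$2" "$3" "$4")"
}

# Demonstration with the constructed sample and an assumed owner name.
blob=$(rsasigkey_blob "$SAMPLE_LEFT")
ipseckey_record 'gw.example.com.' 10 10.11.12.13 "$blob"
```

       Feeding the real --left output into rsasigkey_blob and the result
       into ipseckey_record reproduces the --ipseckey line for the same key,
       which is a quick way to cross-check a record before publishing it.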

DIAGNOSTICS

       A complaint about “no pubkey line found” indicates that the host has a
       key but it was generated with an old version of FreeS/WAN and does not
       contain the information that showhostkey needs.


FILES

       /var/lib/ipsec/nss, /etc/ipsec.d/nsspassword


SEE ALSO

       ipsec.conf(5), ipsec rsasigkey(8), ipsec newhostkey(8)


HISTORY

       Written for the Linux FreeS/WAN project <https://www.freeswan.org> by
       Henry Spencer. Updated by Paul Wouters for the IPSECKEY format.


BUGS

       Arguably, rather than just reporting the no-IN-KEY-line-found problem,
       showhostkey should be smart enough to run the existing key through
       rsasigkey with the --oldkey option, to generate a suitable output line.


AUTHOR

       Paul Wouters


libreswan                         09/08/2023              IPSEC_SHOWHOSTKEY(8)