1IPSEC_SHOWHOSTKEY(8) IPSEC_SHOWHOSTKEY(8)
2
3
4
6 ipsec showhostkey - show host's authentication key
7
9 ipsec showhostkey [--file secretfile] [--id identity]
10 --dhclient | --left | --right | --txt gateway |
11 --ipseckey <@fqdn|ip-addr> | --key | --help
12
13
15 Showhostkey outputs (on standard output) a public key suitable for this
16 host, in the format specified, using the host key information stored in
17 /etc/ipsec.secrets. It generates records for Opportunistic Encryption -
18 various formats are supported.
19
20
21 In general only the super-user can run this command, since only he can
22 read ipsec.secrets.
23
24
25 The --txt option causes the output to be in opportunistic-encryption
26 DNS TXT record format, with the specified gateway value. If information
27 about how the key was generated is available, that is provided as a
28 DNS-file comment. For example, --txt 10.11.12.13 might give (with the
29 key data trimmed for clarity):
30
31
32 ; RSA 2048 bits xy.example.com Sat Apr 15 13:53:22 2000
33 IN TXT "X-IPsec-Server(10)=10.11.12.13 AQOF8tZ2...+buFuFn/"
34
35
36
37 No name is supplied in the TXT record because there are too many possi‐
38 bilities, depending on how it will be used. If the text string is
39 longer than 255 bytes, it is split up into multiple strings (matching
40 the restrictions of the DNS TXT binary format). If any split is needed,
41 the first split will be at the start of the key: this increases the
42 chances that later hand editing will work.
43
44
45 The --left and --right options cause the output to be in ipsec.conf(5)
46 format, as a leftrsasigkey or rightrsasigkey parameter respectively.
47 Again, generation information is included if available. For example,
48 --left might give (with the key data trimmed down for clarity):
49
50
51 # RSA 2048 bits xy.example.com Sat Apr 15 13:53:22 2000
52 leftrsasigkey=0sAQOF8tZ2...+buFuFn/
53
54
55
56 The --dhclient option cause the output to be suitable for inclusion in
57 dhclient.conf(5) as part of configuring WAVEsec. See
58 <http://www.wavesec.org: http://www.wavesec.org>.
59
60
61 If --ipseckey is specified, the output format is the text form of a DNS
62 IPSECKEY record as per RFC-4025. The host name is the one included in
63 the key information (or, if that is not available, the output of host‐
64 name --fqdn), with a . appended.
65
66
67 If --key is specified, the output format is the text form of a DNS KEY
68 record; the host name is the one included in the key information (or,
69 if that is not available, the output of hostname --fqdn), with a . ap‐
70 pended. Again, generation information is included if available. For ex‐
71 ample (with the key data trimmed down for clarity):
72
73
74 ; RSA 2048 bits xy.example.com Sat Apr 15 13:53:22 2000
75 xy.example.com. IN KEY 0x4200 4 1 AQOF8tZ2...+buFuFn/
76
77
78
79 Note that the KEY record has been restricted by RFC 3445 for DNS use
80 only. Instead, the IPSECKEY record should be used using the --ipseckey
81 option.
82
83
84 Normally, the default key for this host (the one with no host identi‐
85 ties specified for it) is the one extracted. The --id option overrides
86 this, causing extraction of the key labeled with the specified identi‐
87 ty, if any. The specified identity must exactly match the identity in
88 the file; in particular, the comparison is case-sensitive.
89
90
91 The --file option overrides the default for where the key information
92 should be found, and takes it from the specified secretfile.
93
94
96 A complaint about “no pubkey line found” indicates that the host has a
97 key but it was generated with an old version of FreeS/WAN and does not
98 contain the information that showhostkey needs.
99
100
102 /etc/ipsec.secrets
103
104
106 ipsec.secrets(5), ipsec.conf(5), ipsec_rsasigkey(8)
107
108
110 Written for the Linux FreeS/WAN project <http://www.freeswan.org:
111 http://www.freeswan.org> by Henry Spencer.
112
113
115 Arguably, rather than just reporting the no-IN-KEY-line-found problem,
116 showhostkey should be smart enough to run the existing key through
117 rsasigkey with the --oldkey option, to generate a suitable output line.
118
119
120 The need to specify the gateway address (etc.) for --txt is annoying,
121 but there is no good way to determine it automatically.
122
123
124 There should be a way to specify the priority value for TXT records;
125 currently it is hardwired to 10.
126
127
128 The --id option assumes that the identity appears on the same line as
129 the : RSA { that begins the key proper.
130
131
132
133
134 IPSEC_SHOWHOSTKEY(8)