IPSEC_SHOWHOSTKEY(8)                                      IPSEC_SHOWHOSTKEY(8)



NAME

       ipsec showhostkey - show host's authentication key


SYNOPSIS

       ipsec showhostkey [--file secretfile] [--id identity]
              --dhclient | --left | --right | --txt gateway |
              --ipseckey <@fqdn|ip-addr> | --key | --help



DESCRIPTION

       Showhostkey outputs (on standard output) a public key suitable for this
       host, in the format specified, using the host key information stored in
       /etc/ipsec.secrets. It generates records for Opportunistic Encryption -
       various formats are supported.


       In general only the super-user can run this command, since only he can
       read ipsec.secrets.


       The --txt option causes the output to be in opportunistic-encryption
       DNS TXT record format, with the specified gateway value. If information
       about how the key was generated is available, that is provided as a
       DNS-file comment. For example, --txt 10.11.12.13 might give (with the
       key data trimmed for clarity):


         ; RSA 2048 bits   xy.example.com   Sat Apr 15 13:53:22 2000
             IN TXT  "X-IPsec-Server(10)=10.11.12.13 AQOF8tZ2...+buFuFn/"



       No name is supplied in the TXT record because there are too many
       possibilities, depending on how it will be used. If the text string is
       longer than 255 bytes, it is split up into multiple strings (matching
       the restrictions of the DNS TXT binary format). If any split is needed,
       the first split will be at the start of the key: this increases the
       chances that later hand editing will work.


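       As an added example (not FreeS/WAN code), the following Python renders
       the --txt output described above and applies the 255-byte splitting
       rule, with the first split at the start of the key; the gateway, key
       and comment values it uses are constructed test data.

```python
# Added example, not part of FreeS/WAN: build the "--txt gateway" output the
# man page describes, applying its rule that a TXT string longer than 255
# bytes is split into several strings, with the first split at the start of
# the key data. All gateway/key/comment values below are constructed.

MAX_TXT_STRING = 255  # DNS TXT <character-string> length limit


def split_txt(payload: str, key_start: int) -> list:
    """Split an ASCII payload into TXT strings of at most 255 bytes.

    If no split is needed the payload is returned as one string. Otherwise
    the first split falls at key_start (the offset where the base64 key
    begins) and the key itself is chopped into 255-byte pieces.
    """
    data = payload.encode("ascii")  # gateway and base64 key are ASCII
    if len(data) <= MAX_TXT_STRING:
        return [payload]
    head, key = data[:key_start], data[key_start:]
    pieces = [head] + [key[i:i + MAX_TXT_STRING]
                       for i in range(0, len(key), MAX_TXT_STRING)]
    return [p.decode("ascii") for p in pieces]


def txt_record(gateway: str, key_b64: str, priority: int = 10,
               comment: str = "") -> str:
    """Render the TXT record line(s) for an OE gateway. showhostkey hardwires
    the priority to 10; a generation comment is emitted when given."""
    prefix = f"X-IPsec-Server({priority})={gateway} "
    strings = split_txt(prefix + key_b64, len(prefix))
    record = "    IN TXT  " + " ".join(f'"{s}"' for s in strings)
    return f"; {comment}\n{record}" if comment else record


def check_txt_strings(strings: list) -> bool:
    """Sanity-check hand-edited TXT strings: each must fit one
    <character-string>, and together they must re-join into a
    X-IPsec-Server(...)=gateway key payload."""
    joined = "".join(strings)
    return (all(len(s.encode("ascii")) <= MAX_TXT_STRING for s in strings)
            and joined.startswith("X-IPsec-Server(")
            and "=" in joined and " " in joined)


if __name__ == "__main__":
    print(txt_record("10.11.12.13", "AQOF8tZ2...+buFuFn/",
                     comment="RSA 2048 bits   xy.example.com   (constructed)"))
    # A real 2048-bit RSA key is roughly 350 base64 chars, so it gets split.
    print(txt_record("10.11.12.13", "A" * 350))
```
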
       The --left and --right options cause the output to be in ipsec.conf(5)
       format, as a leftrsasigkey or rightrsasigkey parameter respectively.
       Again, generation information is included if available. For example,
       --left might give (with the key data trimmed down for clarity):


         # RSA 2048 bits   xy.example.com   Sat Apr 15 13:53:22 2000
         leftrsasigkey=0sAQOF8tZ2...+buFuFn/



       The --dhclient option causes the output to be suitable for inclusion in
       dhclient.conf(5) as part of configuring WAVEsec. See
       <http://www.wavesec.org>.


       If --ipseckey is specified, the output format is the text form of a DNS
       IPSECKEY record as per RFC-4025. The host name is the one included in
       the key information (or, if that is not available, the output of
       hostname --fqdn), with a . appended.


       If --key is specified, the output format is the text form of a DNS KEY
       record; the host name is the one included in the key information (or,
       if that is not available, the output of hostname --fqdn), with a .
       appended. Again, generation information is included if available. For
       example (with the key data trimmed down for clarity):


         ; RSA 2048 bits   xy.example.com   Sat Apr 15 13:53:22 2000
         xy.example.com.   IN   KEY   0x4200 4 1 AQOF8tZ2...+buFuFn/



       Note that the KEY record has been restricted by RFC 3445 for DNS use
       only. Instead, the IPSECKEY record should be used, via the --ipseckey
       option.


       Normally, the default key for this host (the one with no host
       identities specified for it) is the one extracted. The --id option
       overrides this, causing extraction of the key labeled with the
       specified identity, if any. The specified identity must exactly match
       the identity in the file; in particular, the comparison is
       case-sensitive.


       The --file option overrides the default for where the key information
       should be found, and takes it from the specified secretfile.



DIAGNOSTICS

       A complaint about “no pubkey line found” indicates that the host has a
       key but it was generated with an old version of FreeS/WAN and does not
       contain the information that showhostkey needs.



FILES

       /etc/ipsec.secrets



SEE ALSO

       ipsec.secrets(5), ipsec.conf(5), ipsec_rsasigkey(8)



HISTORY

       Written for the Linux FreeS/WAN project <http://www.freeswan.org> by
       Henry Spencer.



BUGS

       Arguably, rather than just reporting the no-IN-KEY-line-found problem,
       showhostkey should be smart enough to run the existing key through
       rsasigkey with the --oldkey option, to generate a suitable output line.


       The need to specify the gateway address (etc.) for --txt is annoying,
       but there is no good way to determine it automatically.


       There should be a way to specify the priority value for TXT records;
       currently it is hardwired to 10.


       The --id option assumes that the identity appears on the same line as
       the : RSA { that begins the key proper.


