IPSEC_SHOWHOSTKEY(8) Executable programs IPSEC_SHOWHOSTKEY(8)NAMEipsec_showhostkey - show host's authentication key
SYNOPSIS
ipsec showhostkey [--ipseckey] [--left] [--right] [--dump] [--verbose]
[--version] [--list] [--gateway gateway]
[--precedence precedence] [--dhclient] [--file secretfile]
[--keynum count] [--id identity]
DESCRIPTION
Showhostkey outputs (on standard output) a public key suitable for this
host, in the format specified, using the host key information stored in
/etc/ipsec.secrets. In general only the super-user can run this
command, since only he can read ipsec.secrets.
The --left and --right options cause the output to be in ipsec.conf(5)
format, as a leftrsasigkey or rightrsasigkey parameter respectively.
Generation information is included if available. For example, --left
might give (with the key data trimmed down for clarity):
# RSA 2048 bits xy.example.com Sat Apr 15 13:53:22 2000
leftrsasigkey=0sAQOF8tZ2...+buFuFn/
The --ipseckey option causes the output to be in
opportunistic-encryption DNS IPSECKEY record format (RFC 4025). A
gateway can be specified with the --gateway, which currently supports
IPv4 and IPv6 addresses. The host name is the one included in the key
information (or, if that is not available, the output of
hostname --fqdn), with a . appended. For example, --ipseckey --gateway
10.11.12.13 might give (with the key data trimmed for clarity):
IN IPSECKEY 10 1 2 10.11.12.13 AQOF8tZ2...+buFuFn/"
The --version option causes the version of the binary to be emitted,
and nothing else.
The --verbose may be present one or more times. Each occurance
increases the verbosity level.
The --dhclient option cause the output to be suitable for inclusion in
dhclient.conf(5) as part of configuring WAVEsec. See
<http://www.wavesec.org>.
Normally, the default key for this host (the one with no host
identities specified for it) is the one extracted. The --id option
overrides this, causing extraction of the key labeled with the
specified identity, if any. The specified identity must exactly match
the identity in the file; in particular, the comparison is
case-sensitive.
There may also be multiple keys with the same identity. All keys are
numbered based upon their linear sequence in the file (including all
include directives)
The --file option overrides the default for where the key information
should be found, and takes it from the specified secretfile.
DIAGNOSTICS
A complaint about “no pubkey line found” indicates that the host has a
key but it was generated with an old version of FreeS/WAN and does not
contain the information that showhostkey needs.
FILES
/etc/ipsec.secrets
SEE ALSOipsec.secrets(5), ipsec.conf(5), ipsec_rsasigkey(8)HISTORY
Written for the Linux FreeS/WAN project <http://www.freeswan.org> by
Henry Spencer. Updated by Paul Wouters for the IPSECKEY format.
BUGS
Arguably, rather than just reporting the no-IN-KEY-line-found problem,
showhostkey should be smart enough to run the existing key through
rsasigkey with the --oldkey option, to generate a suitable output line.
The --id option assumes that the identity appears on the same line as
the : RSA { that begins the key proper.
AUTHOR
Paul Wouters
placeholder to suppress warning
libreswan 12/16/2012 IPSEC_SHOWHOSTKEY(8)
