
IPSEC_SHOWHOSTKEY

Section: Maintenance Commands (8)
Updated: 11 June 2001

NAME

ipsec showhostkey - show host's authentication key  

SYNOPSIS

ipsec showhostkey [ --left ] [ --right ] [ --txt gateway ] [ --file secretfile ] [ --id identity ]  

DESCRIPTION

Showhostkey outputs (on standard output) a public key suitable for this host, using the host key information stored in /etc/ipsec.secrets. In general only the super-user can run this command, since only he can read ipsec.secrets.

By default, the output format is the text form of a DNS KEY record; the host name is the one included in the key information (or, if that is not available, the output of hostname --fqdn), with a . appended. If information about how the key was generated is available, that is provided as a DNS-file comment. For example (with the key data trimmed down for clarity):

  ; RSA 2048 bits   xy.example.com   Sat Apr 15 13:53:22 2000
  xy.example.com.   IN   KEY   0x4200 4 1 AQOF8tZ2...+buFuFn/

The --txt option causes the output to be in opportunistic-encryption DNS TXT record format, with the specified gateway value. Again, generation information is included if available. For example, --txt 10.11.12.13 might give (with the key data trimmed for clarity):

  ; RSA 2048 bits   xy.example.com   Sat Apr 15 13:53:22 2000
      IN TXT  "X-IPsec-Server(10)=10.11.12.13 AQOF8tZ2...+buFuFn/"

No name is supplied in the TXT record because there are too many possibilities, depending on how it will be used.

The --left and --right options cause the output to be in ipsec.conf(5) format, as a leftrsasigkey or rightrsasigkey parameter respectively. Again, generation information is included if available. For example, --left might give (with the key data trimmed down for clarity):

  # RSA 2048 bits   xy.example.com   Sat Apr 15 13:53:22 2000
  leftrsasigkey=0x0103cc2a86fcf440...cf1011abb82d1
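The three output formats above carry the same public key bytes in two encodings: base64 in the DNS KEY and TXT records, 0x hex in the ipsec.conf parameter. The script below is an added example, not FreeS/WAN code, that builds all three lines from one RSA public key. It assumes the key data is the RSA KEY RDATA layout of RFC 2537 (exponent length, exponent, modulus), which is what the 0x0103... prefix in the samples above corresponds to; the host name, date and the 48-bit toy key are constructed for illustration and are not a usable host key.

```python
# Added example, not FreeS/WAN code: build the three showhostkey output
# formats (DNS KEY record, opportunistic-encryption TXT record, and the
# ipsec.conf leftrsasigkey/rightrsasigkey line) from one RSA public key,
# so the relation between the base64 and 0x-hex forms is visible.
import base64


def rfc2537_rdata(exponent: int, modulus: int) -> bytes:
    """Public-key part of an RSA KEY RDATA (RFC 2537): exponent length,
    exponent, modulus. Lengths under 256 take one byte; longer ones a
    zero byte followed by a two-byte length."""
    e_bytes = exponent.to_bytes((exponent.bit_length() + 7) // 8, "big")
    n_bytes = modulus.to_bytes((modulus.bit_length() + 7) // 8, "big")
    if len(e_bytes) < 256:
        length = bytes([len(e_bytes)])
    else:
        length = b"\x00" + len(e_bytes).to_bytes(2, "big")
    return length + e_bytes + n_bytes


def parse_rfc2537_rdata(rdata: bytes) -> tuple:
    """Inverse of rfc2537_rdata: recover (exponent, modulus) from the
    bytes carried in a KEY or TXT record."""
    if rdata[0] != 0:
        e_len, pos = rdata[0], 1
    else:
        e_len, pos = int.from_bytes(rdata[1:3], "big"), 3
    exponent = int.from_bytes(rdata[pos:pos + e_len], "big")
    modulus = int.from_bytes(rdata[pos + e_len:], "big")
    return exponent, modulus


def generation_comment(prefix: str, bits: int, host: str, when: str) -> str:
    """The 'how the key was generated' comment: ';' for DNS files,
    '#' for ipsec.conf."""
    return f"{prefix} RSA {bits} bits   {host}   {when}"


def key_record(host: str, rdata: bytes) -> str:
    """DNS KEY record: flags 0x4200, protocol 4 (IPsec), algorithm 1
    (RSA/MD5), then the key in base64. A '.' is appended to the host."""
    return f"{host}.   IN   KEY   0x4200 4 1 {base64.b64encode(rdata).decode()}"


def txt_record(gateway: str, rdata: bytes, priority: int = 10) -> str:
    """Opportunistic-encryption TXT record. showhostkey hard-wires the
    priority to 10; here it is a parameter."""
    b64 = base64.b64encode(rdata).decode()
    return f'IN TXT  "X-IPsec-Server({priority})={gateway} {b64}"'


def conf_line(side: str, rdata: bytes) -> str:
    """ipsec.conf parameter (side is 'left' or 'right'): the same bytes,
    written as 0x hex."""
    return f"{side}rsasigkey=0x{rdata.hex()}"


# Constructed toy key (not a real host key): e=3 and a 48-bit modulus.
TOY_EXPONENT = 3
TOY_MODULUS = 0xCC2A86FCF440
TOY_RDATA = rfc2537_rdata(TOY_EXPONENT, TOY_MODULUS)

if __name__ == "__main__":
    host, when = "xy.example.com", "Sat Apr 15 13:53:22 2000"  # constructed
    print(generation_comment(";", TOY_MODULUS.bit_length(), host, when))
    print(key_record(host, TOY_RDATA))
    print(txt_record("10.11.12.13", TOY_RDATA))
    print(generation_comment("#", TOY_MODULUS.bit_length(), host, when))
    print(conf_line("left", TOY_RDATA))
```

Running it prints the same shape of output as the samples above, with the toy key; parse_rfc2537_rdata on the base64-decoded KEY data gives back the exponent and modulus, which is a quick way to confirm that a DNS record and an ipsec.conf line really describe the same key.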

Normally, the default key for this host is the one extracted. The --id option overrides this, causing extraction of the key labeled with the specified identity, if any.

The --file option overrides the default for where the key information should be found, and takes it from the specified secretfile.  

DIAGNOSTICS

A complaint about "no IN KEY line found" indicates that the host has a key but it was generated with an old version of FreeS/WAN and does not contain the information that showhostkey needs.

FILES

/etc/ipsec.secrets  

SEE ALSO

ipsec.secrets(5), ipsec.conf(5), ipsec_rsasigkey(8)  

HISTORY

Written for the Linux FreeS/WAN project <http://www.freeswan.org> by Henry Spencer.  

BUGS

Arguably, rather than just reporting the no-IN-KEY-line-found problem, showhostkey should be smart enough to run the existing key through rsasigkey with the --oldkey option, to generate a suitable output line.

The need to specify the gateway address (etc.) for --txt is annoying, but there is no good way to determine it automatically.

There should be a way to specify the priority value for TXT records; currently it is hardwired to 10.

The --id option assumes that the identity appears on the same line as the ": RSA {" that begins the key proper.


This document was created by man2html, using the manual pages.
Time: 05:09:33 GMT, June 19, 2001