NAME

ipsec_showhostkey - show host's authentication key

SYNOPSIS

ipsec showhostkey [--verbose] {--version | --list | --dump | --left | --right | --ipseckey | --pem}
 
[--ckaid  ckaid | --rsaid rsaid]
 
[--gateway  gateway] [--precedence precedence]
 
[--nssdir  nssdir] [--password password]

DESCRIPTION

Showhostkey outputs (on standard output) a public key suitable for this host, in the format specified, using the host key information stored in the NSS database.
In general, since only the super-user can access the NSS database, only the super-user can display the public key information.

Common Options

--version
Print the libreswan version, then exit.
--verbose
Increase the verbosity.
--nssdir nssdir
Specify the libreswan directory that contains the NSS database (default /var/lib/ipsec/nss).
--password password
Specify the password to use when accessing the NSS database (default contained in /etc/ipsec.d/nsspassword).

List Options

--list
List the private keys.
--dump
List, with more details, the private keys.

Public Key Options

--ckaid ckaid
Select the public key to display using the NSS ckaid.
--rsaid rsaid
Select the public key to display using the RSA key ID.
--pem
Print the selected public key in PEM encoded ASN.1 format.
--left, --right
Print the selected public key in ipsec.conf(5) format, as a leftrsasigkey or rightrsasigkey parameter respectively. For example, --left might give (with the key data trimmed down for clarity):
 
leftrsasigkey=0sAQOF8tZ2...+buFuFn/
	  
--ipseckey
Print the selected public key in a format suitable for use as opportunistic-encryption DNS IPSECKEY record format (RFC 4025). A gateway can be specified with the --gateway, which currently supports IPv4 and IPv6 addresses. For the host name, the value returned by gethostname is used, with a . appended.
 
For example, --ipseckey --gateway 10.11.12.13 might give (with the key data trimmed for clarity):
 
IN    IPSECKEY  10 1 2 10.11.12.13  AQOF8tZ2...+buFuFn/"
	  
--gateway gateway
For --ipseckey, specify the gateway to display with the DNS IPSECKEY record.
--precedence precedence
For --ipseckey, specify the precedence to display with the DNS IPSECKEY record.

DIAGNOSTICS

A complaint about “no pubkey line found” indicates that the host has a key but it was generated with an old version of FreeS/WAN and does not contain the information that showhostkey needs.

FILES

/var/lib/ipsec/nss, /etc/ipsec.d/nsspassword

SEE ALSO

ipsec.conf(5), ipsec rsasigkey(8) ipsec newhostkey(8)

HISTORY

Written for the Linux FreeS/WAN project < https://www.freeswan.org> by Henry Spencer. Updated by Paul Wouters for the IPSECKEY format.

BUGS

Arguably, rather than just reporting the no-IN-KEY-line-found problem, showhostkey should be smart enough to run the existing key through rsasigkey with the --oldkey option, to generate a suitable output line.

AUTHOR

Paul Wouters
placeholder to suppress warning

Recommended readings

Pages related to ipsec_showhostkey you should read also:

Questions & Answers

Helpful answers and articles about ipsec_showhostkey you may found on these sites:
Stack Overflow Server Fault Super User Unix & Linux Ask Ubuntu Network Engineering DevOps Raspberry Pi Webmasters Google Search