NAME
       ipsec_showhostkey - show host's authentication key

SYNOPSIS
       ipsec showhostkey [--verbose]
                         {--version | --list | --dump | --left | --right | --ipseckey | --pem}
                         [--ckaid ckaid | --rsaid rsaid]
                         [--gateway gateway] [--precedence precedence]
                         [--nssdir nssdir] [--password password]
DESCRIPTION
       Showhostkey outputs (on standard output) a public key suitable for this
       host, in the format specified, using the host key information stored in
       the NSS database. In general, since only the super-user can access the
       NSS database, only the super-user can display the public key
       information.

   Common Options
       --version
              Print the libreswan version, then exit.

       --verbose
              Increase the verbosity.

       --nssdir nssdir
              Specify the libreswan directory that contains the NSS database
              (default /var/lib/ipsec/nss).

       --password password
              Specify the password to use when accessing the NSS database
              (default contained in /etc/ipsec.d/nsspassword).
   List Options
       --list
              List the private keys.

       --dump
              List, with more details, the private keys.
   Public Key Options
       --ckaid ckaid
              Select the public key to display using the NSS ckaid.

       --rsaid rsaid
              Select the public key to display using the RSA key ID.

       --pem
              Print the selected public key in PEM encoded ASN.1 format.

       --left, --right
              Print the selected public key in ipsec.conf(5) format, as a
              leftrsasigkey or rightrsasigkey parameter respectively. For
              example, --left might give (with the key data trimmed down for
              clarity):

                  leftrsasigkey=0sAQOF8tZ2...+buFuFn/

       --ipseckey
              Print the selected public key in a format suitable for use as an
              opportunistic-encryption DNS IPSECKEY record (RFC 4025). A
              gateway can be specified with --gateway, which currently
              supports IPv4 and IPv6 addresses. For the host name, the value
              returned by gethostname is used, with a . appended.

              For example, --ipseckey --gateway 10.11.12.13 might give (with
              the key data trimmed for clarity):

                  IN IPSECKEY 10 1 2 10.11.12.13 AQOF8tZ2...+buFuFn/

       --gateway gateway
              For --ipseckey, specify the gateway to display with the DNS
              IPSECKEY record.

       --precedence precedence
              For --ipseckey, specify the precedence to display with the DNS
              IPSECKEY record.
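       The two output formats above carry the same key bytes: the text after
       the 0s prefix of a leftrsasigkey value and the last field of the
       IPSECKEY record are both the base64 encoding of the RSA public key in
       RFC 3110 layout (exponent length, exponent, modulus), and the record's
       other fields are precedence, gateway type (0 none, 1 IPv4, 2 IPv6) and
       algorithm (2 for RSA). The following Python is an added example, not
       libreswan code: it builds both forms from a constructed, deliberately
       tiny sample key, and parses an IPSECKEY line back, rejecting a record
       whose gateway type disagrees with its gateway address. The host name
       vpn.example and the sample modulus bytes are made up for the example.

```python
import base64
import ipaddress
import socket

# Constructed sample key material: exponent 65537 and a 32-byte modulus that
# is far too short to be a real key (it only exists to exercise the format).
SAMPLE_EXPONENT = 65537
SAMPLE_MODULUS = bytes.fromhex("c0ffee11" * 8)


def rfc3110_encode(exponent: int, modulus: bytes) -> bytes:
    """Pack (e, n) in the RFC 3110 layout used by IPSECKEY and 0s... keys:
    exponent length (one octet, or a zero octet plus a two-octet length),
    then the exponent, then the modulus."""
    e = exponent.to_bytes((exponent.bit_length() + 7) // 8, "big")
    header = bytes([len(e)]) if len(e) < 256 else b"\x00" + len(e).to_bytes(2, "big")
    return header + e + modulus


def rfc3110_decode(blob: bytes):
    """Inverse of rfc3110_encode; returns (exponent, modulus)."""
    if blob[0] != 0:
        elen, off = blob[0], 1
    else:
        elen, off = int.from_bytes(blob[1:3], "big"), 3
    exponent = int.from_bytes(blob[off:off + elen], "big")
    return exponent, blob[off + elen:]


def decode_key_b64(key_b64: str):
    """Decode the base64 key text (after '0s' in leftrsasigkey, or the last
    IPSECKEY field) into (exponent, modulus)."""
    return rfc3110_decode(base64.b64decode(key_b64))


def leftrsasigkey(blob: bytes, side: str = "left") -> str:
    """ipsec.conf form as printed by --left/--right; 0s marks base64 data."""
    return f"{side}rsasigkey=0s" + base64.b64encode(blob).decode()


def ipseckey_record(blob: bytes, gateway=None, precedence: int = 10,
                    hostname=None) -> str:
    """RFC 4025 presentation format as printed by --ipseckey:
    owner. IN IPSECKEY precedence gateway-type algorithm gateway key"""
    owner = (hostname or socket.gethostname()) + "."  # trailing dot appended
    if gateway is None:
        gw_type, gw_text = 0, "."                       # type 0: no gateway
    else:
        addr = ipaddress.ip_address(gateway)            # rejects junk input
        gw_type, gw_text = (1 if addr.version == 4 else 2), str(addr)
    key_b64 = base64.b64encode(blob).decode()
    return f"{owner} IN IPSECKEY {precedence} {gw_type} 2 {gw_text} {key_b64}"


def parse_ipseckey(record: str) -> dict:
    """Parse one presentation-format IPSECKEY line and cross-check the
    gateway type against the gateway field before trusting the key."""
    f = record.split()
    if len(f) != 8 or f[1:3] != ["IN", "IPSECKEY"]:
        raise ValueError("not an IPSECKEY record")
    precedence, gw_type, algorithm = (int(x) for x in f[3:6])
    gateway = f[6]
    if gw_type == 0 and gateway != ".":
        raise ValueError("gateway type 0 requires '.' as the gateway field")
    if gw_type in (1, 2) and ipaddress.ip_address(gateway).version != (4 if gw_type == 1 else 6):
        raise ValueError("gateway type does not match the gateway address")
    if gw_type not in (0, 1, 2):
        raise ValueError("only no-gateway, IPv4 and IPv6 records are handled")
    if algorithm != 2:
        raise ValueError("only RSA (algorithm 2) keys are handled here")
    exponent, modulus = decode_key_b64(f[7])
    return {"owner": f[0], "precedence": precedence, "gateway_type": gw_type,
            "gateway": gateway, "exponent": exponent, "modulus": modulus}


if __name__ == "__main__":
    blob = rfc3110_encode(SAMPLE_EXPONENT, SAMPLE_MODULUS)
    print(leftrsasigkey(blob))
    rec = ipseckey_record(blob, "10.11.12.13", hostname="vpn.example")
    print(rec)
    print(parse_ipseckey(rec)["exponent"])
```

       Applied to the trimmed key in the examples above, decode_key_b64
       reports an exponent length of one octet and an exponent of 3, which is
       how keys from the old FreeS/WAN generator were laid out; a key made
       with a 65537 exponent starts with a 3-octet length instead.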
DIAGNOSTICS
       A complaint about “no pubkey line found” indicates that the host has a
       key but it was generated with an old version of FreeS/WAN and does not
       contain the information that showhostkey needs.

FILES
       /var/lib/ipsec/nss, /etc/ipsec.d/nsspassword

SEE ALSO
       ipsec.conf(5), ipsec rsasigkey(8), ipsec newhostkey(8)

HISTORY
       Written for the Linux FreeS/WAN project <https://www.freeswan.org> by
       Henry Spencer. Updated by Paul Wouters for the IPSECKEY format.

BUGS
       Arguably, rather than just reporting the no-IN-KEY-line-found problem,
       showhostkey should be smart enough to run the existing key through
       rsasigkey with the --oldkey option, to generate a suitable output line.

AUTHOR
       Paul Wouters

libreswan                         06/02/2023