ipsec-showhostkey - Man Page

show host's authentication key

Synopsis

ipsec showhostkey [--verbose] {--version | --list | --dump | --left | --right | --ipseckey | --pem}
[--ckaid ckaid | --rsaid rsaid]
[--gateway gateway] [--precedence precedence]
[--nssdir nssdir] [--password password]

Description

Showhostkey outputs (on standard output) a public key suitable for this host, in the format specified, using the host key information stored in the NSS database.

In general, since only the super-user can access the NSS database, only the super-user can display the public key information.

Common Options

--version

Print the libreswan version, then exit.

--verbose

Increase the verbosity.

--nssdir nssdir

Specify the libreswan directory that contains the NSS database (default /var/lib/ipsec/nss).

--password password

Specify the password to use when accessing the NSS database (default contained in /etc/ipsec.d/nsspassword).

List Options

--list

List the private keys.

--dump

List, with more details, the private keys.

Public Key Options

--ckaid ckaid

Select the public key to display using the NSS ckaid.

--rsaid rsaid

Select the public key to display using the RSA key ID.

--pem

Print the selected public key in PEM encoded ASN.1 format.

--left,  --right

Print the selected public key in ipsec.conf(5) format, as a leftrsasigkey or rightrsasigkey parameter respectively. For example, --left might give (with the key data trimmed down for clarity):

leftrsasigkey=0sAQOF8tZ2...+buFuFn/

--ipseckey

Print the selected public key in a format suitable for use as opportunistic-encryption DNS IPSECKEY record format (RFC 4025). A gateway can be specified with the --gateway, which currently supports IPv4 and IPv6 addresses. For the host name, the value returned by gethostname is used, with a . appended.

For example, --ipseckey --gateway 10.11.12.13 might give (with the key data trimmed for clarity):

IN    IPSECKEY  10 1 2 10.11.12.13  AQOF8tZ2...+buFuFn/"

--gateway gateway

For --ipseckey, specify the gateway to display with the DNS IPSECKEY record.

--precedence precedence

For --ipseckey, specify the precedence to display with the DNS IPSECKEY record.

Diagnostics

A complaint about “no pubkey line found” indicates that the host has a key but it was generated with an old version of FreeS/WAN and does not contain the information that showhostkey needs.

Files

/var/lib/ipsec/nss, /etc/ipsec.d/nsspassword

See Also

ipsec.conf(5), ipsec-rsasigkey(8), ipsec-newhostkey(8)

History

Written for the Linux FreeS/WAN project <https://www.freeswan.org> by Henry Spencer. Updated by Paul Wouters for the IPSECKEY format.

Bugs

Arguably, rather than just reporting the no-IN-KEY-line-found problem, showhostkey should be smart enough to run the existing key through rsasigkey with the --oldkey option, to generate a suitable output line.

Author

Paul Wouters

Referenced By

ipsec(8), ipsec-add(8), ipsec-briefconnectionstatus(8), ipsec-briefstatus(8), ipsec-certutil(8), ipsec-checkconfig(8), ipsec-checknflog(8), ipsec-checknss(8), ipsec-connectionstatus(8), ipsec-crlutil(8), ipsec-delete(8), ipsec-down(8), ipsec-ecdsasigkey(8), ipsec-fetchcrls(8), ipsec-fipsstatus(8), ipsec-globalstatus(8), ipsec-import(8), ipsec-initnss(8), ipsec-listall(8), ipsec-listcacerts(8), ipsec-listcerts(8), ipsec-listcrls(8), ipsec-listen(8), ipsec-listpubkeys(8), ipsec-modutil(8), ipsec-newhostkey(8), ipsec-ondemand(8), ipsec-pk12util(8), ipsec-purgeocsp(8), ipsec-redirect(8), ipsec-replace(8), ipsec-rereadall(8), ipsec-rereadcerts(8), ipsec-rereadsecrets(8), ipsec-restart(8), ipsec-rsasigkey(8), ipsec.secrets(5), ipsec-showstates(8), ipsec-shuntstatus(8), ipsec-start(8), ipsec-status(8), ipsec-stop(8), ipsec-trafficstatus(8), ipsec-unroute(8), ipsec-up(8), ipsec-vfychain(8).

10/08/2024 Libreswan 5.1 Executable programs