ipsec-showhostkey - Man Page
show host's authentication key
Synopsis
ipsec showhostkey [--verbose] {--version | --list | --dump | --left | --right | --ipseckey | --pem}
[--ckaid ckaid | --rsaid rsaid]
[--gateway gateway] [--precedence precedence]
[--nssdir nssdir] [--password password]
Description
Showhostkey outputs (on standard output) a public key suitable for this host, in the format specified, using the host key information stored in the NSS database.
In general, since only the super-user can access the NSS database, only the super-user can display the public key information.
Common Options
- --version
Print the libreswan version, then exit.
- --verbose
Increase the verbosity.
- --nssdir nssdir
Specify the libreswan directory that contains the NSS database (default /var/lib/ipsec/nss).
- --password password
Specify the password to use when accessing the NSS database (default contained in /etc/ipsec.d/nsspassword).
List Options
- --list
List the private keys.
- --dump
List, with more details, the private keys.
Public Key Options
- --ckaid ckaid
Select the public key to display using the NSS ckaid.
- --rsaid rsaid
Select the public key to display using the RSA key ID.
- --pem
Print the selected public key in PEM encoded ASN.1 format.
- --left, --right
Print the selected public key in ipsec.conf(5) format, as a leftrsasigkey or rightrsasigkey parameter respectively. For example, --left might give (with the key data trimmed down for clarity):
leftrsasigkey=0sAQOF8tZ2...+buFuFn/
- --ipseckey
Print the selected public key in a format suitable for use as an opportunistic-encryption DNS IPSECKEY record (RFC 4025). A gateway can be specified with the --gateway option, which currently supports IPv4 and IPv6 addresses. For the host name, the value returned by gethostname is used, with a trailing dot (.) appended.
For example, --ipseckey --gateway 10.11.12.13 might give (with the key data trimmed for clarity):
IN IPSECKEY 10 1 2 10.11.12.13 AQOF8tZ2...+buFuFn/
- --gateway gateway
For --ipseckey, specify the gateway to display with the DNS IPSECKEY record.
- --precedence precedence
For --ipseckey, specify the precedence to display with the DNS IPSECKEY record.
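As an added example (not part of libreswan or this man page), the following POSIX shell script cross-checks a --left line against an --ipseckey line, so that a record about to be published in DNS can be verified against the host's own key. The two input lines are constructed stand-ins for showhostkey output, and the base64 key data is made up, not a real key.

```shell
#!/bin/sh
# Constructed stand-ins for real output of
#   ipsec showhostkey --left --rsaid <id>
#   ipsec showhostkey --ipseckey --gateway 10.11.12.13 --rsaid <id>
# (the base64 key data is made up, not a real key).
LEFT_LINE='leftrsasigkey=0sAQOF8tZ2Q29uc3RydWN0ZWRTYW1wbGU+buFuFn/'
IPSECKEY_LINE='IN IPSECKEY 10 1 2 10.11.12.13 AQOF8tZ2Q29uc3RydWN0ZWRTYW1wbGU+buFuFn/'

# Extract the raw base64 key from a leftrsasigkey= or rightrsasigkey= line.
# In ipsec.conf the "0s" prefix marks base64; the IPSECKEY RDATA carries
# the same base64 without that prefix.
key_from_conf() {
    key=${1#*rsasigkey=}
    case $key in
        0s*) printf '%s\n' "${key#0s}" ;;
        *)   return 1 ;;   # only base64 ("0s") keys are handled here
    esac
}

# Validate an "IN IPSECKEY prec gwtype alg gateway key" line against the
# RFC 4025 field rules and print the key field. Returns 1 if malformed.
key_from_ipseckey() {
    set -- $1
    [ $# -eq 7 ] && [ "$1" = IN ] && [ "$2" = IPSECKEY ] || return 1
    prec=$3 gwtype=$4 alg=$5 gw=$6
    case $prec in ''|*[!0-9]*) return 1 ;; esac
    [ "$prec" -le 255 ] || return 1                 # 8-bit precedence
    case $alg in 1|2) ;; *) return 1 ;; esac         # 1 = DSA, 2 = RSA
    case $gwtype in
        0) [ "$gw" = . ] || return 1 ;;                        # no gateway
        1) case $gw in *.*.*.*) ;; *) return 1 ;; esac ;;     # IPv4
        2) case $gw in *:*) ;; *) return 1 ;; esac ;;         # IPv6
        3) [ -n "$gw" ] || return 1 ;;                        # domain name
        *) return 1 ;;
    esac
    printf '%s\n' "$7"
}

# Succeed only if both lines carry the same public key.
keys_match() {
    a=$(key_from_conf "$1") || return 1
    b=$(key_from_ipseckey "$2") || return 1
    [ "$a" = "$b" ]
}

keys_match "$LEFT_LINE" "$IPSECKEY_LINE" && echo "IPSECKEY record matches host key"
```

Feed it the real output of the two showhostkey invocations, or a record fetched from DNS, to detect a stale or mistyped published key.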
Diagnostics
A complaint about “no pubkey line found” indicates that the host has a key but it was generated with an old version of FreeS/WAN and does not contain the information that showhostkey needs.
Files
/var/lib/ipsec/nss, /etc/ipsec.d/nsspassword
History
Written for the Linux FreeS/WAN project <https://www.freeswan.org> by Henry Spencer. Updated by Paul Wouters for the IPSECKEY format.
Bugs
Arguably, rather than just reporting the no-IN-KEY-line-found problem, showhostkey should be smart enough to run the existing key through rsasigkey with the --oldkey option, to generate a suitable output line.
Author
Paul Wouters
Referenced By
ipsec(8), ipsec-add(8), ipsec-briefconnectionstatus(8), ipsec-briefstatus(8), ipsec-certutil(8), ipsec-checkconfig(8), ipsec-checknflog(8), ipsec-checknss(8), ipsec-connectionstatus(8), ipsec-crlutil(8), ipsec-delete(8), ipsec-down(8), ipsec-ecdsasigkey(8), ipsec-fetchcrls(8), ipsec-fipsstatus(8), ipsec-globalstatus(8), ipsec-import(8), ipsec-initnss(8), ipsec-listall(8), ipsec-listcacerts(8), ipsec-listcerts(8), ipsec-listcrls(8), ipsec-listen(8), ipsec-listpubkeys(8), ipsec-modutil(8), ipsec-newhostkey(8), ipsec-ondemand(8), ipsec-pk12util(8), ipsec-purgeocsp(8), ipsec-redirect(8), ipsec-replace(8), ipsec-rereadall(8), ipsec-rereadcerts(8), ipsec-rereadsecrets(8), ipsec-restart(8), ipsec-rsasigkey(8), ipsec.secrets(5), ipsec-showstates(8), ipsec-shuntstatus(8), ipsec-start(8), ipsec-status(8), ipsec-stop(8), ipsec-trafficstatus(8), ipsec-unroute(8), ipsec-up(8), ipsec-vfychain(8).