NAME
    ipsec_showhostkey - show host's authentication key

SYNOPSIS
    ipsec showhostkey [--verbose]
    {--version | --list | --dump | --left | --right | --ipseckey}

DESCRIPTION
    Showhostkey outputs (on standard output) a public key suitable for this
    host, in the format specified, using the host key information stored in
    the NSS database.

    In general, since only the super-user can access the NSS database, only
    the super-user can display the public key information.

  Common Options
    --version
        Print the libreswan version, then exit.

    --verbose
        Increase the verbosity.

    --nssdir nssdir
        Specify the libreswan directory that contains the NSS database
        (default /usr/local/etc/ipsec.d).

    --password password
        Specify the password to use when accessing the NSS database
        (default contained in /usr/local/etc/ipsec.d/nsspassword).

  List Options
    --list
        List the private keys.

    --dump
        List, with more details, the private keys.

  Public Key Options
    --ckaid ckaid
        Select the public key to display using the NSS ckaid.

    --rsaid rsaid
        Select the public key to display using the RSA key ID.

    --left, --right
        Print the selected public key in ipsec.conf(5) format, as a
        leftrsasigkey or rightrsasigkey parameter respectively. For example,
        --left might give (with the key data trimmed down for clarity):

            leftrsasigkey=0sAQOF8tZ2...+buFuFn/

    --ipseckey
        Print the selected public key in the DNS IPSECKEY record format
        (RFC 4025) used for opportunistic encryption. A gateway can be
        specified with --gateway, which currently supports IPv4 and IPv6
        addresses. For the host name, the value returned by gethostname is
        used, with a . appended.

        For example, --ipseckey --gateway 10.11.12.13 might give (with the
        key data trimmed for clarity):

            IN IPSECKEY 10 1 2 10.11.12.13 AQOF8tZ2...+buFuFn/"

    --gateway gateway
        For --ipseckey, specify the gateway to display with the DNS
        IPSECKEY record.

    --precedence precedence
        For --ipseckey, specify the precedence to display with the DNS
        IPSECKEY record.
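
The --left/--right and --ipseckey outputs described above carry the same base64 RSA key blob, so a published DNS record can be checked against the key configured in ipsec.conf. The following is an added example, not part of the libreswan manual or code: it decodes both forms and confirms they hold one key of acceptable size. Assumptions: all function names are hypothetical, the blob is the RFC 3110 encoding that RFC 4025 specifies for algorithm 2, the sample key is constructed and is not a real RSA modulus, and the 2048-bit floor is an illustrative policy.

```python
import base64
import ipaddress

def parse_rfc3110(blob):
    """Split an RFC 3110 RSA public key blob into (exponent, modulus)."""
    if len(blob) < 3:
        raise ValueError("key blob too short")
    elen, off = blob[0], 1
    if elen == 0:  # long form: the next two bytes hold the exponent length
        elen, off = int.from_bytes(blob[1:3], "big"), 3
    exp, mod = blob[off:off + elen], blob[off + elen:]
    if elen == 0 or len(exp) != elen or not mod:
        raise ValueError("truncated exponent or missing modulus")
    return int.from_bytes(exp, "big"), int.from_bytes(mod, "big")

def parse_sigkey(value):
    """Decode the value of leftrsasigkey=/rightrsasigkey= (0s marks base64)."""
    if not value.startswith("0s"):
        raise ValueError("expected a 0s (base64) prefix")
    return parse_rfc3110(base64.b64decode(value[2:], validate=True))

def parse_ipseckey(rdata):
    """Parse 'precedence gateway-type algorithm gateway key' (RFC 4025)."""
    prec, gwtype, algo, gateway, key = rdata.split()
    if int(algo) != 2:
        raise ValueError("only algorithm 2 (RSA) is handled here")
    # --gateway takes IPv4 or IPv6 addresses: gateway types 1 and 2.
    addr_cls = {1: ipaddress.IPv4Address, 2: ipaddress.IPv6Address}.get(int(gwtype))
    if addr_cls is None:
        raise ValueError("unsupported gateway type")
    addr_cls(gateway)  # raises ValueError if the address does not fit the type
    exp, mod = parse_rfc3110(base64.b64decode(key, validate=True))
    return {"precedence": int(prec), "gateway": gateway,
            "exponent": exp, "modulus": mod, "bits": mod.bit_length()}

def make_sample_key(bits=2048, exponent=3):
    """Constructed test key: right shape, but NOT a real RSA modulus."""
    e = exponent.to_bytes((exponent.bit_length() + 7) // 8, "big")
    n = ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")
    return base64.b64encode(bytes([len(e)]) + e + n).decode()

def same_key(sigkey_value, ipseckey_rdata, min_bits=2048):
    """True if both records carry one key of at least min_bits (assumed floor)."""
    exp, mod = parse_sigkey(sigkey_value)
    info = parse_ipseckey(ipseckey_rdata)
    return (exp, mod) == (info["exponent"], info["modulus"]) and info["bits"] >= min_bits

if __name__ == "__main__":
    k = make_sample_key()
    print(parse_ipseckey(f"10 1 2 10.11.12.13 {k}")["bits"], same_key("0s" + k, f"10 1 2 10.11.12.13 {k}"))
```

The trimmed key on this page begins with AQO, which decodes to an exponent length of 1 and an exponent of 3, the same leading bytes the constructed sample produces.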

DIAGNOSTICS
    A complaint about “no pubkey line found” indicates that the host has a
    key but it was generated with an old version of FreeS/WAN and does not
    contain the information that showhostkey needs.

FILES
    /usr/local/etc/ipsec.d, /usr/local/etc/ipsec.d/nsspassword

SEE ALSO
    ipsec.conf(5), ipsec rsasigkey(8), ipsec newhostkey(8)

HISTORY
    Written for the Linux FreeS/WAN project <https://www.freeswan.org> by
    Henry Spencer. Updated by Paul Wouters for the IPSECKEY format.

BUGS
    Arguably, rather than just reporting the no-IN-KEY-line-found problem,
    showhostkey should be smart enough to run the existing key through
    rsasigkey with the --oldkey option, to generate a suitable output line.

AUTHOR
    Paul Wouters