270 lines
5.4 KiB
HTML
270 lines
5.4 KiB
HTML
Content-type: text/html
|
|
|
|
<HTML><HEAD><TITLE>Manpage of IPSEC_SHOWHOSTKEY</TITLE>
|
|
</HEAD><BODY>
|
|
<H1>IPSEC_SHOWHOSTKEY</H1>
|
|
Section: Maintenance Commands (8)<BR>Updated: 5 March 2002<BR><A HREF="#index">Index</A>
|
|
<A HREF="http://localhost/cgi-bin/man/man2html">Return to Main Contents</A><HR>
|
|
|
|
|
|
<A NAME="lbAB"> </A>
|
|
<H2>NAME</H2>
|
|
|
|
ipsec showhostkey - show host's authentication key
|
|
<A NAME="lbAC"> </A>
|
|
<H2>SYNOPSIS</H2>
|
|
|
|
<B>ipsec</B>
|
|
|
|
<B>showhostkey</B>
|
|
|
|
[
|
|
<B>--key</B>
|
|
|
|
] [
|
|
<B>--left</B>
|
|
|
|
] [
|
|
<B>--right</B>
|
|
|
|
] [
|
|
<B>--txt</B>
|
|
|
|
gateway
|
|
] [
|
|
<B>--dhclient</B>
|
|
|
|
] [
|
|
<B>--file</B>
|
|
|
|
secretfile
|
|
] [
|
|
<B>--id</B>
|
|
|
|
identity
|
|
]
|
|
<A NAME="lbAD"> </A>
|
|
<H2>DESCRIPTION</H2>
|
|
|
|
<I>Showhostkey</I>
|
|
|
|
outputs (on standard output) a public key suitable for this host,
|
|
in the format specified,
|
|
using the host key information stored in
|
|
<I>/etc/ipsec.secrets</I>.
|
|
|
|
In general only the super-user can run this command,
|
|
since only he can read
|
|
<I>ipsec.secrets</I>.
|
|
|
|
<P>
|
|
|
|
The
|
|
<B>--txt</B>
|
|
|
|
option causes the output to be in opportunistic-encryption DNS TXT record
|
|
format,
|
|
with the specified
|
|
<I>gateway</I>
|
|
|
|
value.
|
|
If information about how the key was generated is available,
|
|
that is provided as a DNS-file comment.
|
|
For example,
|
|
<B>--txt 10.11.12.13</B>
|
|
|
|
might give (with the key data trimmed for clarity):
|
|
<P>
|
|
|
|
<PRE>
|
|
; RSA 2048 bits xy.example.com Sat Apr 15 13:53:22 2000
|
|
IN TXT "X-IPsec-Server(10)=10.11.12.13 AQOF8tZ2...+buFuFn/"
|
|
</PRE>
|
|
|
|
<P>
|
|
|
|
No name is supplied in the TXT record
|
|
because there are too many possibilities,
|
|
depending on how it will be used.
|
|
If the text string is longer than 255 bytes,
|
|
it is split up into multiple strings (matching the restrictions of
|
|
the DNS TXT binary format).
|
|
If any split is needed, the first split will be at the start of the key:
|
|
this increases the chances that later hand editing will work.
|
|
<P>
|
|
|
|
The
|
|
<B>--left</B>
|
|
|
|
and
|
|
<B>--right</B>
|
|
|
|
options cause the output to be in
|
|
<I><A HREF="ipsec.conf.5.html">ipsec.conf</A></I>(5)
|
|
|
|
format, as a
|
|
<B>leftrsasigkey</B>
|
|
|
|
or
|
|
<B>rightrsasigkey</B>
|
|
|
|
parameter respectively.
|
|
Again, generation information is included if available.
|
|
For example,
|
|
<B>--left</B>
|
|
|
|
might give (with the key data trimmed down for clarity):
|
|
<P>
|
|
|
|
<PRE>
|
|
# RSA 2048 bits xy.example.com Sat Apr 15 13:53:22 2000
|
|
leftrsasigkey=0sAQOF8tZ2...+buFuFn/
|
|
</PRE>
|
|
|
|
<P>
|
|
|
|
The
|
|
<B>--dhclient</B>
|
|
|
|
option cause the output to be suitable for inclusion in
|
|
<I><A HREF="dhclient.conf.5.html">dhclient.conf</A></I>(5)
|
|
|
|
as part of configuring WAVEsec.
|
|
See <<A HREF="http://www.wavesec.org">http://www.wavesec.org</A>>.
|
|
<P>
|
|
|
|
If
|
|
<B>--key</B>
|
|
|
|
is specified,
|
|
the output format is the text form of a DNS KEY record;
|
|
the host name is the one included in the key information
|
|
(or, if that is not available,
|
|
the output of
|
|
<B>hostname --fqdn</B>),
|
|
|
|
with a
|
|
<B>.</B>
|
|
|
|
appended.
|
|
Again, generation information is included if available.
|
|
For example (with the key data trimmed down for clarity):
|
|
<P>
|
|
|
|
<PRE>
|
|
; RSA 2048 bits xy.example.com Sat Apr 15 13:53:22 2000
|
|
xy.example.com. IN KEY 0x4200 4 1 AQOF8tZ2...+buFuFn/
|
|
</PRE>
|
|
|
|
<P>
|
|
|
|
Normally, the default key for this host
|
|
(the one with no host identities specified for it) is the one extracted.
|
|
The
|
|
<B>--id</B>
|
|
|
|
option overrides this,
|
|
causing extraction of the key labeled with the specified
|
|
<I>identity</I>,
|
|
|
|
if any.
|
|
The specified
|
|
<I>identity</I>
|
|
|
|
must
|
|
<I>exactly</I>
|
|
|
|
match the identity in the file;
|
|
in particular, the comparison is case-sensitive.
|
|
<P>
|
|
|
|
The
|
|
<B>--file</B>
|
|
|
|
option overrides the default for where the key information should be
|
|
found, and takes it from the specified
|
|
<I>secretfile</I>.
|
|
|
|
<A NAME="lbAE"> </A>
|
|
<H2>DIAGNOSTICS</H2>
|
|
|
|
A complaint about ``no pubkey line found'' indicates that the
|
|
host has a key but it was generated with an old version of FreeS/WAN
|
|
and does not contain the information that
|
|
<I>showhostkey</I>
|
|
|
|
needs.
|
|
<A NAME="lbAF"> </A>
|
|
<H2>FILES</H2>
|
|
|
|
/etc/ipsec.secrets
|
|
<A NAME="lbAG"> </A>
|
|
<H2>SEE ALSO</H2>
|
|
|
|
<A HREF="ipsec.secrets.5.html">ipsec.secrets</A>(5), <A HREF="ipsec.conf.5.html">ipsec.conf</A>(5), <A HREF="ipsec_rsasigkey.8.html">ipsec_rsasigkey</A>(8)
|
|
<A NAME="lbAH"> </A>
|
|
<H2>HISTORY</H2>
|
|
|
|
Written for the Linux FreeS/WAN project
|
|
<<A HREF="http://www.freeswan.org">http://www.freeswan.org</A>>
|
|
by Henry Spencer.
|
|
<A NAME="lbAI"> </A>
|
|
<H2>BUGS</H2>
|
|
|
|
Arguably,
|
|
rather than just reporting the no-IN-KEY-line-found problem,
|
|
<I>showhostkey</I>
|
|
|
|
should be smart enough to run the existing key through
|
|
<I>rsasigkey</I>
|
|
|
|
with the
|
|
<B>--oldkey</B>
|
|
|
|
option, to generate a suitable output line.
|
|
<P>
|
|
|
|
The need to specify the gateway address (etc.) for
|
|
<B>--txt</B>
|
|
|
|
is annoying, but there is no good way to determine it automatically.
|
|
<P>
|
|
|
|
There should be a way to specify the priority value for TXT records;
|
|
currently it is hardwired to
|
|
<B>10</B>.
|
|
|
|
<P>
|
|
|
|
The
|
|
<B>--id</B>
|
|
|
|
option assumes that the
|
|
<I>identity</I>
|
|
|
|
appears on the same line as the
|
|
<B>: RSA {</B>
|
|
|
|
that begins the key proper.
|
|
<P>
|
|
|
|
<HR>
|
|
<A NAME="index"> </A><H2>Index</H2>
|
|
<DL>
|
|
<DT><A HREF="#lbAB">NAME</A><DD>
|
|
<DT><A HREF="#lbAC">SYNOPSIS</A><DD>
|
|
<DT><A HREF="#lbAD">DESCRIPTION</A><DD>
|
|
<DT><A HREF="#lbAE">DIAGNOSTICS</A><DD>
|
|
<DT><A HREF="#lbAF">FILES</A><DD>
|
|
<DT><A HREF="#lbAG">SEE ALSO</A><DD>
|
|
<DT><A HREF="#lbAH">HISTORY</A><DD>
|
|
<DT><A HREF="#lbAI">BUGS</A><DD>
|
|
</DL>
|
|
<HR>
|
|
This document was created by
|
|
<A HREF="http://localhost/cgi-bin/man/man2html">man2html</A>,
|
|
using the manual pages.<BR>
|
|
Time: 21:40:18 GMT, November 11, 2003
|
|
</BODY>
|
|
</HTML>
|