FreeBSD Manual Pages

IPSEC_SHOWHOSTKEY(8)	      Executable programs	  IPSEC_SHOWHOSTKEY(8)

NAME
       ipsec_showhostkey - show	host's authentication key

SYNOPSIS

       ipsec showhostkey [--verbose]
	     {--version	| --list | --dump | --left | --right | --ipseckey | --pem}
	     [--ckaid ckaid | --rsaid rsaid]
	     [--gateway	gateway] [--precedence precedence]
	     [--nssdir nssdir] [--password password]

DESCRIPTION
       Showhostkey outputs (on standard	output)	a public key suitable for this
       host, in	the format specified, using the	host key information stored in
       the NSS database.

       In general, since only the super-user can access	the NSS	database, only
       the super-user can display the public key information.

   Common Options
       --version
	   Print the libreswan version,	then exit.

       --verbose
	   Increase the	verbosity.

       --nssdir	nssdir
	   Specify the libreswan directory that	contains the NSS database
	   (default /usr/local/etc/ipsec.d).

       --password password
	   Specify the password	to use when accessing the NSS database
	   (default contained in /usr/local/etc/ipsec.d/nsspassword).

   List	Options
       --list
	   List	the private keys.

       --dump
	   List, with more details, the	private	keys.

   Public Key Options
       --ckaid ckaid
	   Select the public key to display using the NSS ckaid.

       --rsaid rsaid
	   Select the public key to display using the RSA key ID.

       --pem
	   Print the selected public key in PEM	encoded	ASN.1 format.

       --left, --right
	   Print the selected public key in ipsec.conf(5) format, as a
	   leftrsasigkey or rightrsasigkey parameter respectively. For
	   example, --left might give (with the	key data trimmed down for
	   clarity):

	       leftrsasigkey=0sAQOF8tZ2...+buFuFn/

       --ipseckey
	   Print the selected public key in a format suitable for use as
	   opportunistic-encryption DNS	IPSECKEY record	format (RFC 4025). A
	   gateway can be specified with the --gateway option, which currently
	   supports IPv4 and IPv6 addresses. For the host name, the value
	   returned by gethostname is used, with a . appended.

	   For example,	--ipseckey --gateway 10.11.12.13 might give (with the
	   key data trimmed for	clarity):

	       IN    IPSECKEY  10 1 2 10.11.12.13  AQOF8tZ2...+buFuFn/

       --gateway gateway
	   For --ipseckey, specify the gateway to display with the DNS
	   IPSECKEY record.

       --precedence precedence
	   For --ipseckey, specify the precedence to display with the DNS
	   IPSECKEY record.
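
Added example (not part of libreswan or of this manual page): a Python check that the key in a published IPSECKEY record matches the key in an ipsec.conf(5) rsasigkey line, and that the gateway type field agrees with the gateway address. It assumes the data after "0s" and in the record is a base64 RFC 3110 RSA public key; the function names, host.example and the key bytes are constructed for illustration.

```python
import base64
import ipaddress

def decode_rfc3110(b64):
    """Decode a base64 RFC 3110 RSA public key into (exponent, modulus)."""
    raw = base64.b64decode(b64, validate=True)
    if len(raw) < 3:
        raise ValueError("key too short")
    elen, off = raw[0], 1
    if elen == 0:  # long form: exponent length is in the next two octets
        elen, off = int.from_bytes(raw[1:3], "big"), 3
    if elen == 0 or len(raw) <= off + elen:
        raise ValueError("truncated key")
    return (int.from_bytes(raw[off:off + elen], "big"),
            int.from_bytes(raw[off + elen:], "big"))

def parse_rsasigkey(line):
    """Parse a 'leftrsasigkey=0s...' or 'rightrsasigkey=0s...' line (0s marks base64)."""
    name, _, value = line.strip().partition("=")
    if name not in ("leftrsasigkey", "rightrsasigkey") or not value.startswith("0s"):
        raise ValueError("not an rsasigkey line")
    return decode_rfc3110(value[2:])

def parse_ipseckey(line):
    """Parse the fields after 'IPSECKEY': precedence, gateway type, algorithm, gateway, key."""
    f = line.split()
    i = f.index("IPSECKEY")
    prec, gwtype, alg = (int(x) for x in f[i + 1:i + 4])
    gateway, key = f[i + 4], "".join(f[i + 5:])
    if alg != 2:  # RFC 4025: algorithm 2 is an RSA key in RFC 3110 format
        raise ValueError("not an RSA IPSECKEY")
    if gwtype in (1, 2) and ipaddress.ip_address(gateway).version != {1: 4, 2: 6}[gwtype]:
        raise ValueError("gateway type does not match gateway address")
    return {"precedence": prec, "gateway": gateway, "key": decode_rfc3110(key)}

def audit(conf_line, dns_line, min_bits=2048):
    """Return findings if the DNS record and the conf key differ or the modulus is short."""
    e, n = parse_rsasigkey(conf_line)
    findings = []
    if parse_ipseckey(dns_line)["key"] != (e, n):
        findings.append("IPSECKEY record does not match rsasigkey")
    if n.bit_length() < min_bits:  # min_bits is a local policy choice, assumed here
        findings.append(f"modulus is only {n.bit_length()} bits")
    return findings

# Constructed sample, not a real key: exponent 65537 and an arbitrary 2048-bit "modulus".
BLOB = base64.b64encode(b"\x03\x01\x00\x01" + b"\xc1" + bytes(range(1, 256))).decode()
CONF = "leftrsasigkey=0s" + BLOB
DNS = "host.example. IN IPSECKEY 10 1 2 10.11.12.13 " + BLOB
```
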

DIAGNOSTICS
       A complaint about "no pubkey line found"	indicates that the host	has a
       key but it was generated	with an	old version of FreeS/WAN and does not
       contain the information that showhostkey	needs.

FILES
       /usr/local/etc/ipsec.d, /usr/local/etc/ipsec.d/nsspassword

SEE ALSO
       ipsec.conf(5), ipsec rsasigkey(8), ipsec newhostkey(8)

HISTORY
       Written for the Linux FreeS/WAN project <https://www.freeswan.org> by
       Henry Spencer. Updated by Paul Wouters for the IPSECKEY format.

BUGS
       Arguably, rather	than just reporting the	no-IN-KEY-line-found problem,
       showhostkey should be smart enough to run the existing key through
       rsasigkey with the --oldkey option, to generate a suitable output line.

AUTHOR
       Paul Wouters

libreswan			  05/13/2025		  IPSEC_SHOWHOSTKEY(8)
