diff options
Diffstat (limited to 'doc/manpage.d/ipsec_showhostkey.8.html')
| -rw-r--r-- | doc/manpage.d/ipsec_showhostkey.8.html | 269 |
1 files changed, 269 insertions, 0 deletions
diff --git a/doc/manpage.d/ipsec_showhostkey.8.html b/doc/manpage.d/ipsec_showhostkey.8.html new file mode 100644 index 000000000..90a16d5ee --- /dev/null +++ b/doc/manpage.d/ipsec_showhostkey.8.html @@ -0,0 +1,269 @@ +Content-type: text/html + +<HTML><HEAD><TITLE>Manpage of IPSEC_SHOWHOSTKEY</TITLE> +</HEAD><BODY> +<H1>IPSEC_SHOWHOSTKEY</H1> +Section: Maintenance Commands (8)<BR>Updated: 5 March 2002<BR><A HREF="#index">Index</A> +<A HREF="http://localhost/cgi-bin/man/man2html">Return to Main Contents</A><HR> + + +<A NAME="lbAB"> </A> +<H2>NAME</H2> + +ipsec showhostkey - show host's authentication key +<A NAME="lbAC"> </A> +<H2>SYNOPSIS</H2> + +<B>ipsec</B> + +<B>showhostkey</B> + +[ +<B>--key</B> + +] [ +<B>--left</B> + +] [ +<B>--right</B> + +] [ +<B>--txt</B> + +gateway +] [ +<B>--dhclient</B> + +] [ +<B>--file</B> + +secretfile +] [ +<B>--id</B> + +identity +] +<A NAME="lbAD"> </A> +<H2>DESCRIPTION</H2> + +<I>Showhostkey</I> + +outputs (on standard output) a public key suitable for this host, +in the format specified, +using the host key information stored in +<I>/etc/ipsec.secrets</I>. + +In general only the super-user can run this command, +since only he can read +<I>ipsec.secrets</I>. + +<P> + +The +<B>--txt</B> + +option causes the output to be in opportunistic-encryption DNS TXT record +format, +with the specified +<I>gateway</I> + +value. +If information about how the key was generated is available, +that is provided as a DNS-file comment. +For example, +<B>--txt 10.11.12.13</B> + +might give (with the key data trimmed for clarity): +<P> + +<PRE> + ; RSA 2048 bits xy.example.com Sat Apr 15 13:53:22 2000 + IN TXT "X-IPsec-Server(10)=10.11.12.13 AQOF8tZ2...+buFuFn/" +</PRE> + +<P> + +No name is supplied in the TXT record +because there are too many possibilities, +depending on how it will be used. +If the text string is longer than 255 bytes, +it is split up into multiple strings (matching the restrictions of +the DNS TXT binary format). +If any split is needed, the first split will be at the start of the key: +this increases the chances that later hand editing will work. +<P> + +The +<B>--left</B> + +and +<B>--right</B> + +options cause the output to be in +<I><A HREF="ipsec.conf.5.html">ipsec.conf</A></I>(5) + +format, as a +<B>leftrsasigkey</B> + +or +<B>rightrsasigkey</B> + +parameter respectively. +Again, generation information is included if available. +For example, +<B>--left</B> + +might give (with the key data trimmed down for clarity): +<P> + +<PRE> + # RSA 2048 bits xy.example.com Sat Apr 15 13:53:22 2000 + leftrsasigkey=0sAQOF8tZ2...+buFuFn/ +</PRE> + +<P> + +The +<B>--dhclient</B> + +option cause the output to be suitable for inclusion in +<I><A HREF="dhclient.conf.5.html">dhclient.conf</A></I>(5) + +as part of configuring WAVEsec. +See <<A HREF="http://www.wavesec.org">http://www.wavesec.org</A>>. +<P> + +If +<B>--key</B> + +is specified, +the output format is the text form of a DNS KEY record; +the host name is the one included in the key information +(or, if that is not available, +the output of +<B>hostname --fqdn</B>), + +with a +<B>.</B> + +appended. +Again, generation information is included if available. +For example (with the key data trimmed down for clarity): +<P> + +<PRE> + ; RSA 2048 bits xy.example.com Sat Apr 15 13:53:22 2000 + xy.example.com. IN KEY 0x4200 4 1 AQOF8tZ2...+buFuFn/ +</PRE> + +<P> + +Normally, the default key for this host +(the one with no host identities specified for it) is the one extracted. +The +<B>--id</B> + +option overrides this, +causing extraction of the key labeled with the specified +<I>identity</I>, + +if any. +The specified +<I>identity</I> + +must +<I>exactly</I> + +match the identity in the file; +in particular, the comparison is case-sensitive. +<P> + +The +<B>--file</B> + +option overrides the default for where the key information should be +found, and takes it from the specified +<I>secretfile</I>. + +<A NAME="lbAE"> </A> +<H2>DIAGNOSTICS</H2> + +A complaint about ``no pubkey line found'' indicates that the +host has a key but it was generated with an old version of FreeS/WAN +and does not contain the information that +<I>showhostkey</I> + +needs. +<A NAME="lbAF"> </A> +<H2>FILES</H2> + +/etc/ipsec.secrets +<A NAME="lbAG"> </A> +<H2>SEE ALSO</H2> + +<A HREF="ipsec.secrets.5.html">ipsec.secrets</A>(5), <A HREF="ipsec.conf.5.html">ipsec.conf</A>(5), <A HREF="ipsec_rsasigkey.8.html">ipsec_rsasigkey</A>(8) +<A NAME="lbAH"> </A> +<H2>HISTORY</H2> + +Written for the Linux FreeS/WAN project +<<A HREF="http://www.freeswan.org">http://www.freeswan.org</A>> +by Henry Spencer. +<A NAME="lbAI"> </A> +<H2>BUGS</H2> + +Arguably, +rather than just reporting the no-IN-KEY-line-found problem, +<I>showhostkey</I> + +should be smart enough to run the existing key through +<I>rsasigkey</I> + +with the +<B>--oldkey</B> + +option, to generate a suitable output line. +<P> + +The need to specify the gateway address (etc.) for +<B>--txt</B> + +is annoying, but there is no good way to determine it automatically. +<P> + +There should be a way to specify the priority value for TXT records; +currently it is hardwired to +<B>10</B>. + +<P> + +The +<B>--id</B> + +option assumes that the +<I>identity</I> + +appears on the same line as the +<B>: RSA {</B> + +that begins the key proper. +<P> + +<HR> +<A NAME="index"> </A><H2>Index</H2> +<DL> +<DT><A HREF="#lbAB">NAME</A><DD> +<DT><A HREF="#lbAC">SYNOPSIS</A><DD> +<DT><A HREF="#lbAD">DESCRIPTION</A><DD> +<DT><A HREF="#lbAE">DIAGNOSTICS</A><DD> +<DT><A HREF="#lbAF">FILES</A><DD> +<DT><A HREF="#lbAG">SEE ALSO</A><DD> +<DT><A HREF="#lbAH">HISTORY</A><DD> +<DT><A HREF="#lbAI">BUGS</A><DD> +</DL> +<HR> +This document was created by +<A HREF="http://localhost/cgi-bin/man/man2html">man2html</A>, +using the manual pages.<BR> +Time: 21:40:18 GMT, November 11, 2003 +</BODY> +</HTML> |