Provided by: openswan_2.4.4-3ubuntu1_i386

NAME

       ipsec showhostkey - show host’s authentication key

SYNOPSIS

       ipsec  showhostkey [ --key ] [ --left ] [ --right ] [ --txt gateway ] [
       --dhclient ] [ --file secretfile ] [ --id identity ]

DESCRIPTION

       Showhostkey outputs (on standard output) a public key suitable for this
       host, in the format specified, using the host key information stored in
       /etc/ipsec.secrets.  In  general  only  the  super-user  can  run  this
       command, since only he can read ipsec.secrets.

       The  --txt  option  causes the output to be in opportunistic-encryption
       DNS  TXT  record  format,  with  the  specified  gateway   value.    If
       information  about  how  the  key  was  generated is available, that is
       provided as a DNS-file comment.  For example, --txt  10.11.12.13  might
       give (with the key data trimmed for clarity):

         ; RSA 2048 bits   xy.example.com   Sat Apr 15 13:53:22 2000
             IN TXT  "X-IPsec-Server(10)=10.11.12.13 AQOF8tZ2...+buFuFn/"

       No  name  is  supplied  in  the  TXT  record because there are too many
       possibilities, depending on how it will be used.  If the text string is
       longer  than  255 bytes, it is split up into multiple strings (matching
       the restrictions of the DNS  TXT  binary  format).   If  any  split  is
       needed, the first split will be at the start of the key: this increases
       the chances that later hand editing will work.

       The --left and --right options cause the output to be in  ipsec.conf(5)
       format,  as  a  leftrsasigkey or rightrsasigkey parameter respectively.
       Again, generation information is included if available.   For  example,
       --left might give (with the key data trimmed down for clarity):

         # RSA 2048 bits   xy.example.com   Sat Apr 15 13:53:22 2000
         leftrsasigkey=0sAQOF8tZ2...+buFuFn/

       The --dhclient option causes the output to be suitable for inclusion in
       dhclient.conf(5)    as    part    of    configuring    WAVEsec.     See
       <http://www.wavesec.org>.

       If  --key is specified, the output format is the text form of a DNS KEY
       record; the host name is the one included in the key  information  (or,
       if  that  is  not  available,  the output of hostname --fqdn), with a .
       appended.  Again, generation information is included if available.  For
       example (with the key data trimmed down for clarity):

         ; RSA 2048 bits   xy.example.com   Sat Apr 15 13:53:22 2000
         xy.example.com.   IN   KEY   0x4200 4 1 AQOF8tZ2...+buFuFn/
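       The three output formats above follow simple rules: the --txt form
       is split into DNS TXT strings of at most 255 bytes with the first
       split at the start of the key, the --left/--right form prefixes the
       key with "0s", and the --key form appends a trailing dot to the host
       name. The following Python script is an added illustration of those
       rules, not code from openswan or the showhostkey script; the key
       material is constructed (not a real host key), the KEY record
       flags/protocol/algorithm values are copied from the example above, and
       the exact whitespace showhostkey emits is assumed to match the examples
       in this page.

```python
import base64

# DNS TXT character-string limit: each string is prefixed by one length byte,
# so a single string can carry at most 255 bytes.
MAX_TXT_STRING = 255

# Constructed sample key material (NOT a real host key): 225 arbitrary bytes
# encode to exactly 300 base64 characters, long enough to force a split.
SAMPLE_KEY_B64 = base64.b64encode(bytes(range(225))).decode("ascii")
SAMPLE_COMMENT = "RSA 2048 bits   xy.example.com   Sat Apr 15 13:53:22 2000"


def txt_strings(gateway: str, key_b64: str, priority: int = 10) -> list[str]:
    """Split 'X-IPsec-Server(<priority>)=<gateway> <key>' into TXT strings.

    If the whole text fits in one string it is returned unsplit. Otherwise
    the first split falls at the start of the key (as the man page states),
    and the key itself is cut into MAX_TXT_STRING-byte pieces.
    """
    prefix = f"X-IPsec-Server({priority})={gateway} "
    whole = prefix + key_b64
    if len(whole.encode("ascii")) <= MAX_TXT_STRING:
        return [whole]
    pieces = [prefix]
    pieces.extend(key_b64[i:i + MAX_TXT_STRING]
                  for i in range(0, len(key_b64), MAX_TXT_STRING))
    return pieces


def txt_record(gateway, key_b64, comment=None, priority=10):
    """Render the --txt output: optional ';' comment line, then the record."""
    quoted = " ".join(f'"{s}"' for s in txt_strings(gateway, key_b64, priority))
    lines = [f"; {comment}"] if comment else []
    lines.append(f"    IN TXT  {quoted}")
    return "\n".join(lines)


def conf_line(side, key_b64, comment=None):
    """Render the --left / --right output for ipsec.conf(5)."""
    if side not in ("left", "right"):
        raise ValueError("side must be 'left' or 'right'")
    lines = [f"# {comment}"] if comment else []
    lines.append(f"{side}rsasigkey=0s{key_b64}")
    return "\n".join(lines)


def key_record(host, key_b64, comment=None):
    """Render the --key output: a DNS KEY record whose owner name is the host
    name with a trailing dot. 0x4200 4 1 are the flags/protocol/algorithm
    values from the man page's example."""
    lines = [f"; {comment}"] if comment else []
    lines.append(f"{host.rstrip('.')}.   IN   KEY   0x4200 4 1 {key_b64}")
    return "\n".join(lines)


def check_txt_limits(strings):
    """Return True if every TXT string respects the 255-byte limit."""
    return all(len(s.encode("ascii")) <= MAX_TXT_STRING for s in strings)


if __name__ == "__main__":
    print(txt_record("10.11.12.13", SAMPLE_KEY_B64, SAMPLE_COMMENT))
    print(conf_line("left", SAMPLE_KEY_B64, SAMPLE_COMMENT))
    print(key_record("xy.example.com", SAMPLE_KEY_B64, SAMPLE_COMMENT))
```

       Keeping the gateway prefix in its own string means a later hand edit
       of the key data (for example after re-generating the host key) only
       touches the key strings, which is the reason the man page gives for
       splitting at the start of the key.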

       Normally,  the  default  key  for  this  host  (the  one  with  no host
       identities specified for it) is the one  extracted.   The  --id  option
       overrides  this,  causing  extraction  of  the  key  labeled  with  the
       specified identity, if any.  The specified identity must exactly  match
       the  identity  in  the  file;  in  particular,  the comparison is case-
       sensitive.

       The --file option overrides the default for where the  key  information
       should be found, and takes it from the specified secretfile.

DIAGNOSTICS

       A complaint about "no pubkey line found" indicates that the host  has
       a key but it was generated with an old version of  FreeS/WAN  and  does
       not contain the information that showhostkey needs.

FILES

       /etc/ipsec.secrets

SEE ALSO

       ipsec.secrets(5), ipsec.conf(5), ipsec_rsasigkey(8)

HISTORY

       Written  for  the  Linux FreeS/WAN project <http://www.freeswan.org> by
       Henry Spencer.

BUGS

       Arguably, rather than just reporting the no-IN-KEY-line-found  problem,
       showhostkey  should  be  smart  enough  to run the existing key through
       rsasigkey with the --oldkey option, to generate a suitable output line.

       The  need  to specify the gateway address (etc.) for --txt is annoying,
       but there is no good way to determine it automatically.

       There should be a way to specify the priority value  for  TXT  records;
       currently it is hardwired to 10.

       The  --id  option assumes that the identity appears on the same line as
       the : RSA { that begins the key proper.

                                 5 March 2002             IPSEC_SHOWHOSTKEY(8)