Provided by: openswan_2.4.12+dfsg-1.3_i386

NAME

       ipsec showhostkey - show host’s authentication key

SYNOPSIS

       ipsec showhostkey [--file secretfile] [--id identity]
              --dhclient | --left | --right | --txt gateway |
              --ipseckey <@fqdn|ip-addr> | --key | --help

DESCRIPTION

       Showhostkey outputs (on standard output) a public key suitable for this
       host, in the format specified, using the host key information stored in
       /etc/ipsec.secrets. It generates records for Opportunistic Encryption -
       various formats are supported.

       In general only the super-user can run this command, since only  root
       can read ipsec.secrets (the file holds the private keys as well).

       The --txt option causes the output to  be  in  opportunistic-encryption
       DNS TXT record format, with the specified gateway value. If information
       about how the key was generated is available, that  is  provided  as  a
       DNS-file  comment.  For example, --txt 10.11.12.13 might give (with the
       key data trimmed for clarity):

         ; RSA 2048 bits   xy.example.com   Sat Apr 15 13:53:22 2000
             IN TXT  "X-IPsec-Server(10)=10.11.12.13 AQOF8tZ2...+buFuFn/"

       No name is supplied in the  TXT  record  because  there  are  too  many
       possibilities,  depending on how it will be used. If the text string is
       longer than 255 bytes, it is split up into multiple  strings  (matching
       the restrictions of the DNS TXT binary format). If any split is needed,
       the first split will be at the start of the  key:  this  increases  the
       chances that later hand editing will work.

       The  --left and --right options cause the output to be in ipsec.conf(5)
       format, as a leftrsasigkey or  rightrsasigkey  parameter  respectively.
       Again,  generation  information  is included if available. For example,
       --left might give (with the key data trimmed down for clarity):

         # RSA 2048 bits   xy.example.com   Sat Apr 15 13:53:22 2000
         leftrsasigkey=0sAQOF8tZ2...+buFuFn/

       The --dhclient option causes the output to be suitable for  inclusion
       in   dhclient.conf(5)   as   part   of   configuring   WAVEsec.   See
       <http://www.wavesec.org>.

       If --ipseckey is specified, the output format is the text form of a DNS
       IPSECKEY  record  as per RFC-4025. The host name is the one included in
       the key information (or, if  that  is  not  available,  the  output  of
       hostname --fqdn), with a . appended.

       If  --key is specified, the output format is the text form of a DNS KEY
       record; the host name is the one included in the key  information  (or,
       if  that  is  not  available,  the output of hostname --fqdn), with a .
       appended. Again, generation information is included if  available.  For
       example (with the key data trimmed down for clarity):

         ; RSA 2048 bits   xy.example.com   Sat Apr 15 13:53:22 2000
         xy.example.com.   IN   KEY   0x4200 4 1 AQOF8tZ2...+buFuFn/

       Note that RFC 3445 restricts the KEY record to DNSSEC use  only,  so
       it  should  no longer be used to publish IPsec keys. Use the IPSECKEY
       record (the --ipseckey option) instead.

       Normally,  the  default  key  for  this  host  (the  one  with  no host
       identities specified for it) is the  one  extracted.  The  --id  option
       overrides  this,  causing  extraction  of  the  key  labeled  with  the
       specified identity, if any. The specified identity must  exactly  match
       the   identity   in   the   file;  in  particular,  the  comparison  is
       case-sensitive.

       The --file option overrides the default for where the  key  information
       should be found, and takes it from the specified secretfile.
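The following is an added example, not Openswan's own showhostkey code. It re-implements the rules described above in Python: selecting the default key or the key labelled with an exact, case-sensitive --id match, emitting --left/--right and --key form with the generation comment, splitting a long --txt record into 255-byte strings with the first split at the start of the key, and raising the "no pubkey line found" diagnostic for a key block that lacks that line. It assumes the ipsec.secrets layout written by rsasigkey (a "# RSA <bits> bits <host> <date>" comment and a "#pubkey=0s<base64>" line inside each ": RSA { ... }" block), which the man page does not spell out; the sample secrets file and key data are constructed and fake, and the exact chunk boundaries for a split TXT record are this example's reading of the description.

```python
"""Toy re-implementation of the key selection and output rules of
ipsec_showhostkey(8).  Added example; not the Openswan code.  The secrets
layout (comment line plus #pubkey= line per ': RSA {' block) is assumed."""
import re

# Constructed sample ipsec.secrets: a default key, a labelled key whose
# base64 is long enough to force TXT splitting, and a labelled key with no
# #pubkey line (the "old FreeS/WAN" case).  All key data is fake.
LONG_KEY_B64 = "A" * 400
SAMPLE_SECRETS = f"""\
: RSA {{
\t# RSA 2048 bits   xy.example.com   Sat Apr 15 13:53:22 2000
\t# for signatures only, UNSAFE FOR ENCRYPTION
\t#pubkey=0sAQOF8tZ2fakekeydata+buFuFn/
\tModulus: 0x00
\t}}
@gw.example.com: RSA {{
\t# RSA 2048 bits   gw.example.com   Sun Apr 16 09:00:00 2000
\t#pubkey=0s{LONG_KEY_B64}
\tModulus: 0x00
\t}}
@old.example.com: RSA {{
\tModulus: 0x00
\t}}
"""

# Identities, if any, sit on the same line as ': RSA {' (see BUGS).
START_RE = re.compile(r"^(?P<ids>.*?):\s*RSA\s*\{")


def parse_secrets(text):
    """Return one dict per RSA block: identities tuple (empty = default key),
    the 'RSA <bits> bits <host> <date>' comment, and the 0s... public key."""
    keys, current = [], None
    for line in text.splitlines():
        stripped = line.strip()
        m = START_RE.match(stripped)
        if m:
            current = {"ids": tuple(m.group("ids").split()),
                       "comment": None, "pubkey": None}
            keys.append(current)
        elif current is None:
            continue
        elif stripped.startswith("# RSA "):
            current["comment"] = stripped[2:]
        elif stripped.startswith("#pubkey="):
            current["pubkey"] = stripped[len("#pubkey="):]
        elif stripped == "}":
            current = None
    return keys


def select_key(keys, identity=None):
    """Default key is the block with no identities; --id needs an exact,
    case-sensitive match.  A block without a #pubkey line is unusable."""
    for k in keys:
        wanted = (not k["ids"]) if identity is None else (identity in k["ids"])
        if wanted:
            if k["pubkey"] is None:
                raise ValueError("no pubkey line found")
            return k
    raise ValueError("no key found" + (f" for {identity}" if identity else ""))


def error_for(identity, keys):
    """Diagnostic select_key would print for this identity, or None."""
    try:
        select_key(keys, identity)
    except ValueError as e:
        return str(e)
    return None


def strip_0s(pubkey):
    # ipsec.secrets stores 0s<base64>; DNS records carry the bare base64.
    return pubkey[2:] if pubkey.startswith("0s") else pubkey


def format_side(key, side="left"):
    """--left / --right: ipsec.conf(5) parameter, generation info as comment."""
    lines = ["# " + key["comment"]] if key["comment"] else []
    lines.append(f"{side}rsasigkey={key['pubkey']}")
    return "\n".join(lines)


def txt_strings(gateway, key, priority=10):
    """TXT strings: one if <= 255 bytes, else prefix first (split at the
    start of the key), then 255-byte chunks of the key.  Priority is fixed
    at 10, as in the real tool; chunking is this example's interpretation."""
    prefix = f"X-IPsec-Server({priority})={gateway} "
    data = strip_0s(key["pubkey"])
    if len(prefix) + len(data) <= 255:
        return [prefix + data]
    return [prefix] + [data[i:i + 255] for i in range(0, len(data), 255)]


def format_txt(gateway, key):
    lines = ["; " + key["comment"]] if key["comment"] else []
    lines.append("    IN TXT  " + " ".join(f'"{s}"' for s in txt_strings(gateway, key)))
    return "\n".join(lines)


def format_key(key, fallback_fqdn="localhost"):
    """--key: DNS KEY record; host from the comment, else `hostname --fqdn`
    (passed in by the caller here so the example runs offline)."""
    host = key["comment"].split()[3] if key["comment"] else fallback_fqdn
    lines = ["; " + key["comment"]] if key["comment"] else []
    lines.append(f"{host}.   IN   KEY   0x4200 4 1 {strip_0s(key['pubkey'])}")
    return "\n".join(lines)


if __name__ == "__main__":
    keys = parse_secrets(SAMPLE_SECRETS)
    print(format_side(select_key(keys)))
    print(format_txt("10.11.12.13", select_key(keys, "@gw.example.com")))
    print(format_key(select_key(keys)))
    print(error_for("@GW.example.com", keys), "|", error_for("@old.example.com", keys))
```

Run it as a script to see the three output formats for the constructed file; note that `@GW.example.com` does not select the `@gw.example.com` key because the comparison is case-sensitive, and that the block without a `#pubkey=` line produces the same complaint the DIAGNOSTICS section describes.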

DIAGNOSTICS

       A complaint about "no pubkey line found" indicates that the host has a
       key  but  it  was generated with an old version of FreeS/WAN and does
       not contain the information that showhostkey needs  (see  BUGS  for
       regenerating it with rsasigkey --oldkey).

FILES

       /etc/ipsec.secrets

SEE ALSO

       ipsec.secrets(5), ipsec.conf(5), ipsec_rsasigkey(8)

HISTORY

       Written  for  the  Linux  FreeS/WAN  project  <http://www.freeswan.org>
       by Henry Spencer.

BUGS

       Arguably, rather than just reporting the no-pubkey-line-found problem,
       showhostkey  should  be  smart  enough  to run the existing key through
       rsasigkey with the --oldkey option, to generate a suitable output line.

       The  need  to specify the gateway address (etc.) for --txt is annoying,
       but there is no good way to determine it automatically.

       There should be a way to specify the priority value  for  TXT  records;
       currently it is hardwired to 10.

       The  --id  option assumes that the identity appears on the same line as
       the : RSA { that begins the key proper.

                                                          IPSEC_SHOWHOSTKEY(8)