Provided by: openswan_2.6.37-1_amd64 bug


       ipsec_showhostkey - show host´s authentication key


       ipsec showhostkey [--ipseckey [gateway]] [--left] [--right] [--dump] [--verbose]
             [--version] [--list] [--x509self] [--x509req] [--x509cert] [--txt gateway]
             [--dhclient] [--file secretfile] [--keynum count] [--id identity]


       Showhostkey outputs (on standard output) a public key suitable for this host, in the
       format specified, using the host key information stored in /etc/ipsec.secrets. In general
       only the super-user can run this command, since only he can read ipsec.secrets.

       The --txt option causes the output to be in opportunistic-encryption DNS TXT record
       format, with the specified gateway value. If information about how the key was generated
       is available, that is provided as a DNS-file comment. For example, --txt might
       give (with the key data trimmed for clarity):

             ; RSA 2048 bits   Sat Apr 15 13:53:22 2000
                 IN TXT  "X-IPsec-Server(10)= AQOF8tZ2...+buFuFn/"

       No name is supplied in the TXT record because there are too many possibilities, depending
       on how it will be used. If the text string is longer than 255 bytes, it is split up into
       multiple strings (matching the restrictions of the DNS TXT binary format). If any split is
       needed, the first split will be at the start of the key: this increases the chances that
       later hand editing will work.

       The --version option causes the version of the binary to be emitted, and nothing else.

       The --verbose may be present one or more times. Each occurance increases the verbosity

       The --left and --right options cause the output to be in ipsec.conf(5) format, as a
       leftrsasigkey or rightrsasigkey parameter respectively. Again, generation information is
       included if available. For example, --left might give (with the key data trimmed down for

             # RSA 2048 bits   Sat Apr 15 13:53:22 2000

       The --dhclient option cause the output to be suitable for inclusion in dhclient.conf(5) as
       part of configuring WAVEsec. See <>.

       If --ipseckey is specified, the output format is the text form of a DNS IPSECKEY record
       (see RFC4025); the host name is the one included in the key information (or, if that is
       not available, the output of hostname --fqdn), with a .  appended. The gateway
       information, if provided, is is included, otherwise, the gateway is assumed to be self,
       and to be of type FQDN. Generation information is included if available. For example (with
       the key data trimmed down for clarity):

             ; RSA 2048 bits   Sat Apr 15 13:53:22 2000
      IN   IPSECKEYKEY   floyd albert

             ; RSA 2048 bits   Sat Apr 15 13:53:22 2000
      IN   KEY   0x4200 4 1 AQOF8tZ2...+buFuFn/

       Normally, the default key for this host (the one with no host identities specified for it)
       is the one extracted. The --id option overrides this, causing extraction of the key
       labeled with the specified identity, if any. The specified identity must exactly match the
       identity in the file; in particular, the comparison is case-sensitive.

       There may also be multiple keys with the same identity. All keys are numbered based upon
       their linear sequence in the file (including all include directives)

       The --file option overrides the default for where the key information should be found, and
       takes it from the specified secretfile.


       A complaint about “no pubkey line found” indicates that the host has a key but it was
       generated with an old version of FreeS/WAN and does not contain the information that
       showhostkey needs.




       ipsec.secrets(5), ipsec.conf(5), ipsec_rsasigkey(8)


       Written for the Linux FreeS/WAN project <> by Henry Spencer.


       Arguably, rather than just reporting the no-IN-KEY-line-found problem, showhostkey should
       be smart enough to run the existing key through rsasigkey with the --oldkey option, to
       generate a suitable output line.

       The need to specify the gateway address (etc.) for --txt is annoying, but there is no good
       way to determine it automatically.

       There should be a way to specify the priority value for TXT records; currently it is
       hardwired to 10.

       The --id option assumes that the identity appears on the same line as the : RSA { that
       begins the key proper.

[FIXME: source]                             10/06/2010                       IPSEC_SHOWHOSTKEY(8)