       ipsec_showhostkey - show host's authentication key


       ipsec showhostkey [--verbose]
             {--version | --list | --dump | --left | --right | --ipseckey}
             [--ckaid ckaid | --rsaid rsaid]
             [--gateway gateway] [--precedence precedence]
             [--nssdir nssdir] [--password password]


       Showhostkey outputs (on standard output) a public key suitable for this host, in the
       format specified, using the host key information stored in the NSS database.

       In general, since only the super-user can access the NSS database, only the super-user can
       display the public key information.

   Common Options
       --version
           Print the libreswan version, then exit.

       --verbose
           Increase the verbosity.

       --nssdir nssdir
           Specify the libreswan directory that contains the NSS database (default

       --password password
           Specify the password to use when accessing the NSS database (default contained in

   List Options
       --list
           List the private keys.

       --dump
           List, with more details, the private keys.

   Public Key Options
       --ckaid ckaid
           Select the public key to display using the NSS ckaid.

       --rsaid rsaid
           Select the public key to display using the RSA key ID.

       --left, --right
           Print the selected public key in ipsec.conf(5) format, as a leftrsasigkey or
           rightrsasigkey parameter respectively. For example, --left might give (with the key
           data trimmed down for clarity):


       --ipseckey
           Print the selected public key in the DNS IPSECKEY record format (RFC 4025) used
           for opportunistic encryption. A gateway can be specified with the --gateway option,
           which currently supports IPv4 and IPv6 addresses. For the host name, the value
           returned by gethostname is used, with a . appended.

           For example, --ipseckey --gateway might give (with the key data trimmed
           for clarity):

               IN    IPSECKEY  10 1 2  AQOF8tZ2...+buFuFn/"

       --gateway gateway
           For --ipseckey, specify the gateway to display with the DNS IPSECKEY record.

       --precedence precedence
           For --ipseckey, specify the precedence to display with the DNS IPSECKEY record.
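
       The following is an added example, not part of libreswan or of the original page: a
       Python check of the RDATA fields that --ipseckey prints (precedence, gateway type,
       algorithm, gateway, key), useful for confirming the gateway and RSA key size before a
       record is published. The function names are hypothetical, the sample key and gateway
       address are constructed, and the key is assumed to be RFC 3110 encoded.

```python
import base64
import ipaddress

GATEWAY_TYPES = {0: "none", 1: "ipv4", 2: "ipv6", 3: "domain"}  # RFC 4025, 2.3
ALGORITHMS = {0: "none", 1: "dsa", 2: "rsa"}                     # RFC 4025, 2.4

# Constructed sample, not a real key: exponent 3 and a 256-byte filler modulus.
_KEY = bytes([1, 3]) + b"\xc3" + bytes(range(1, 256))
SAMPLE_RDATA = "10 1 2 192.0.2.1 " + base64.b64encode(_KEY).decode()


def parse_rfc3110_rsa(blob):
    """Split an RFC 3110 RSA key into exponent and modulus size."""
    if len(blob) < 3:
        raise ValueError("RSA key too short")
    if blob[0] != 0:                      # one-octet exponent length
        exp_len, offset = blob[0], 1
    else:                                 # zero octet, then two-octet length
        exp_len, offset = int.from_bytes(blob[1:3], "big"), 3
    exponent = blob[offset:offset + exp_len]
    modulus = blob[offset + exp_len:]
    if len(exponent) != exp_len or not modulus:
        raise ValueError("truncated RSA key")
    return {"exponent": int.from_bytes(exponent, "big"),
            "modulus_bits": int.from_bytes(modulus, "big").bit_length()}


def parse_ipseckey(rdata):
    """Parse 'precedence gateway-type algorithm gateway [key]' RDATA text."""
    fields = rdata.split()
    if len(fields) < 4:
        raise ValueError("expected precedence, gateway type, algorithm, gateway")
    precedence, gw_type, algorithm = (int(f) for f in fields[:3])
    if not 0 <= precedence <= 255:
        raise ValueError("precedence must fit in one octet")
    if gw_type not in GATEWAY_TYPES or algorithm not in ALGORITHMS:
        raise ValueError("unknown gateway type or algorithm")
    gateway = fields[3]
    if gw_type == 0 and gateway != ".":
        raise ValueError("gateway type 0 requires '.' as the gateway")
    if gw_type == 1:                      # raises ValueError on a bad address
        gateway = str(ipaddress.IPv4Address(gateway))
    elif gw_type == 2:
        gateway = str(ipaddress.IPv6Address(gateway))
    record = {"precedence": precedence, "gateway_type": GATEWAY_TYPES[gw_type],
              "gateway": gateway, "algorithm": ALGORITHMS[algorithm]}
    if algorithm == 2:                    # base64 may be split across fields
        blob = base64.b64decode("".join(fields[4:]), validate=True)
        record.update(parse_rfc3110_rsa(blob))
    return record
```

       Pass the text that follows "IN IPSECKEY" to parse_ipseckey(); a ValueError means the
       record does not match the field layout described above.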


       A complaint about “no pubkey line found” indicates that the host has a key but it was
       generated with an old version of FreeS/WAN and does not contain the information that
       showhostkey needs.


       /var/lib/ipsec/nss, /etc/ipsec.d/nsspassword


       ipsec.conf(5), ipsec rsasigkey(8), ipsec newhostkey(8)


       Written for the Linux FreeS/WAN project by Henry Spencer.
       Updated by Paul Wouters for the IPSECKEY format.


       Arguably, rather than just reporting the no-IN-KEY-line-found problem, showhostkey should
       be smart enough to run the existing key through rsasigkey with the --oldkey option, to
       generate a suitable output line.


       Paul Wouters
