other versions
- wheezy 1:2.6.37-3+deb7u1
IPSEC_RANBITS(8)
NAME

ipsec_newhostkey - generate a new raw RSA authentication key for a host

SYNOPSIS
ipsec newhostkey [[--configdir nssdbdir] | [--password password]] [[--quiet] | [--verbose]] [--bits bits] [--hostname hostname] --output filename
DESCRIPTION
newhostkey outputs (into filename, which can be '-' for standard output) an RSA private key suitable for this host, in /etc/ipsec.secrets format (see ipsec.secrets(5)), using the --quiet option by default. The --output option is mandatory.

The specified filename is created under umask 077 if nonexistent; if it already exists and is non-empty, a warning message about that is sent to standard error, and the output is appended to the file.

The --quiet option suppresses both the rsasigkey narrative and the existing-file warning message.

When compiled with NSS support, --configdir specifies the NSS configuration directory where the certificate, key, and modsec databases reside. There is no default value, though /etc/ipsec.d might be a sensible choice.

When compiled with NSS support, --password specifies a module authentication password that may be required if FIPS mode is enabled.

The --bits option specifies the number of bits in the key; the current default is 2192 and we do not recommend use of anything shorter unless unusual constraints demand it.

The --hostname option is passed through to rsasigkey to tell it what host name to label the output with (via its --hostname option).

The output format is that of rsasigkey, with bracketing added to complete the ipsec.secrets format. In the usual case, where ipsec.secrets contains only the host's own private key, the output of newhostkey is sufficient as a complete ipsec.secrets file.

FILES
/dev/random, /dev/urandom

SEE ALSO
ipsec_rsasigkey(8), ipsec.secrets(5)

HISTORY
Written for the Linux FreeS/WAN project <http://www.freeswan.org> by Henry Spencer.

BUGS
As with rsasigkey, the run time is difficult to predict, since depletion of the system's randomness pool can cause arbitrarily long waits for random bits, and the prime-number searches can also take unpredictable (and potentially large) amounts of CPU time. See ipsec_rsasigkey(8) for some typical performance numbers.

A higher-level tool which could handle the clerical details of changing to a new key would be helpful.

The requirement for --output is a blemish, but private keys are extremely sensitive information and unusual precautions seem justified.

10/06/2010
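The output-file rules in DESCRIPTION (creation under umask 077, a standard-error warning and append when the file already exists and is non-empty, '-' for standard output, and --quiet suppressing the warning) are the part of newhostkey that wrapper scripts most often get wrong, typically by leaving a private key world-readable. The POSIX sh function below is an added example, not Openswan's code: it reproduces exactly those rules around a constructed placeholder that stands in for the rsasigkey output. The function names write_hostkey and file_mode, the "quiet"/"verbose" mode argument, and the placeholder payload are assumptions made for this example; a real deployment would obtain the key material from ipsec rsasigkey.

```shell
#!/bin/sh
# Added example (not Openswan code): the output-file handling described in
# ipsec_newhostkey(8), with a constructed placeholder instead of a real key.

write_hostkey() {
    # $1 = output filename ('-' means standard output)
    # $2 = "quiet" (default, as in newhostkey) or "verbose"
    out=$1
    mode=${2:-quiet}

    # Constructed placeholder in ipsec.secrets layout: rsasigkey output wrapped
    # in the ": RSA { ... }" bracketing. Not a real key.
    payload=': RSA {
    # RSA 2192 bits  example.invalid  (placeholder, not a real key)
    #pubkey=0sPLACEHOLDER
    Modulus: 0xPLACEHOLDER
    }'

    if [ "$out" = "-" ]; then
        printf '%s\n' "$payload"
        return 0
    fi

    # Existing, non-empty file: warn on stderr unless quiet, then append.
    if [ -s "$out" ]; then
        if [ "$mode" != "quiet" ]; then
            echo "warning: $out exists and is non-empty; appending" >&2
        fi
    fi

    # umask 077 scoped to a subshell so a newly created file is mode 0600;
    # an existing file keeps its mode and simply receives the appended key.
    ( umask 077; printf '%s\n' "$payload" >> "$out" )
}

# Octal permission bits of a file (GNU stat first, BSD stat as fallback),
# used to confirm that a freshly created secrets file is owner-only.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}
```

Running write_hostkey /etc/ipsec.secrets twice shows the two cases side by side: the first call creates a 0600 file silently, the second appends and, in verbose mode, reports the existing file on standard error, which is what lets an operator notice that a host now carries two RSA entries.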