|
ipsec newhostkey - generate a new raw RSA authentication key for a host |
|
ipsec newhostkey [--quiet | --verbose] [--bits bits] [--hostname hostname] --output filename |
|
newhostkey outputs (into filename, which can be '-' for standard output) an RSA private key suitable for this host, in /etc/ipsec.secrets format (see ipsec.secrets(5)); rsasigkey is run with its --quiet option by default. The --output option is mandatory. The specified filename is created under umask 077 if nonexistent; if it already exists and is non-empty, a warning message about that is sent to standard error, and the output is appended to the file. The --quiet option suppresses both the rsasigkey narrative and the existing-file warning message. The --bits option specifies the number of bits in the key; the current default is 2192 and we do not recommend use of anything shorter unless unusual constraints demand it. The --hostname option is passed through to rsasigkey to tell it what host name to label the output with (via its --hostname option). The output format is that of rsasigkey, with bracketing added to complete the ipsec.secrets format. In the usual case, where ipsec.secrets contains only the host's own private key, the output of newhostkey is sufficient as a complete ipsec.secrets file. |
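The file handling described above, modelled as an added shell example (this is not the FreeS/WAN newhostkey script): the call to ipsec rsasigkey is replaced by a constructed stand-in that prints an obviously fake key body so the wrapper runs offline, and secrets_perms_ok is an added check, not part of FreeS/WAN, that the resulting secrets file is readable by its owner alone.

```shell
#!/bin/sh
# Constructed stand-in for "ipsec rsasigkey": emits an obviously fake key body
# so the wrapper can be exercised offline. Not FreeS/WAN code.
fake_rsasigkey() {
    printf '# RSA %s bits %s (constructed sample, not a real key)\n' "$1" "$2"
    printf 'Modulus: 0xPLACEHOLDER\n'
}

# Wrap the key body in the ipsec.secrets bracketing; indent with a literal tab.
emit_bracketed() {
    tab=$(printf '\t')
    printf ': RSA\t{\n'
    fake_rsasigkey "$1" "$2" | sed "s/^/$tab/"
    printf '\t}\n'
}

# newhostkey_write OUTFILE [BITS] [HOSTNAME]
# Models the documented file handling: "-" writes to stdout; otherwise the file
# is created under umask 077, a warning goes to stderr if it already has
# content, and the key is appended rather than overwriting what is there.
newhostkey_write() {
    out=$1; bits=${2:-2192}; host=${3:-$(uname -n)}
    if [ "$out" = "-" ]; then
        emit_bracketed "$bits" "$host"
        return 0
    fi
    if [ -s "$out" ]; then
        echo "newhostkey: WARNING: $out already exists and is non-empty; appending" >&2
    fi
    # Subshell keeps the restrictive umask from leaking into the caller.
    ( umask 077; emit_bracketed "$bits" "$host" >>"$out" )
}

# secrets_perms_ok FILE: succeeds only if FILE is a regular file readable by
# its owner alone (0600 or 0400), which is what creation under umask 077 yields.
secrets_perms_ok() {
    f=$1
    [ -f "$f" ] || return 1
    mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")
    case "$mode" in
        600|400) return 0 ;;
        *) echo "$f: mode $mode exposes the private key to other users" >&2; return 1 ;;
    esac
}
```

Running secrets_perms_ok against an existing /etc/ipsec.secrets is a quick audit that a key file created by some other route was not left group- or world-readable.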
|
/dev/random, /dev/urandom |
|
Written for the Linux FreeS/WAN project <http://www.freeswan.org> by Henry Spencer. |
|
As with rsasigkey, the run time is difficult to predict, since depletion of the system's randomness pool can cause arbitrarily long waits for random bits, and the prime-number searches can also take unpredictable (and potentially large) amounts of CPU time. See ipsec_rsasigkey(8) for some typical performance numbers. A higher-level tool which could handle the clerical details of changing to a new key would be helpful. The requirement for --output is a blemish, but private keys are extremely sensitive information and unusual precautions seem justified. |