This file is indexed.

/usr/lib/ipsec/newhostkey is in libreswan 3.23-4.

This file is owned by root:root, with mode 0o755.

The actual contents of the file can be viewed below.

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
#! /bin/sh
#
# generate new key for this host
#
# Copyright (C) 2001, 2002  Henry Spencer.
# Copyright (C) 2014 Paul Wouters <pwouters@redhat.com>
# Copyright (C) 2014, 2016 Tuomo Soini <tis@foobar.fi>
# Copyright (C) 2016, Andrew Cagney <cagney@gnu.org>
#
# This program is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by the
# Free Software Foundation; either version 2 of the License, or (at your
# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
# for more details.
#

me="ipsec newhostkey"
usage="Usage: $me [--output filename] [--seeddev device] [--bits n] \\
    [--quiet] [--hostname host] [--nssdir /var/lib/ipsec/nss] [--password password] "

bits=
verbose=
host=
seeddev="--seeddev /dev/random"
output=
nssdir="/var/lib/ipsec/nss"
password=
for dummy; do
    case "$1" in
	--bits)
	    bits="${2}"
	    shift
	    ;;
	--quiet)
	    verbose=
	    ;;
	--hostname)
	    host="--hostname ${2}"
	    shift
	    ;;
	--output)
	    output="${2}"
	    shift
	    ;;
	--verbose)
	    verbose="--verbose"
	    ;;
	--version)
	    echo "${me} $IPSEC_VERSION"
	    exit 0
	    ;;
	--random)
	    echo "${me} warning: --random is obsoleted, using --seeddev" >&2
	    seeddev="--seeddev ${2}"
	    shift
	    ;;
	--seeddev)
	    seeddev="--seeddev ${2}"
	    shift
	    ;;
	--configdir)
	    echo "${me} warning: --configdir is obsoleted, use --nssdir" >&2
	    nssdir="${2}"
	    shift
	    ;;
	--nssdir)
	    nssdir="${2}"
	    shift
	    ;;
	--password)
	    password="--password ${2}"
	    shift
	    ;;
	--help)
	    echo "$usage"
	    exit 0
	    ;;
	--)
	    shift
	    break
	    ;;
	-*)
	    echo "${me}: unknown option \`$1'" >&2
	    exit 2
	    ;;
	*)
	    break
	    ;;
    esac
    shift
done

if [ -n "${output}" -a -d "${output}" ]; then
    echo "ERROR: output file should be a secrets file, not a directory"
    exit 255
fi

if [ -n "${output}" -a -s "${output}" ]; then
    printf "%s: WARNING: file \"%s\" exists, appending to it\n" "${0}" "${output}" >&2
fi

if [ ! -d ${nssdir} ]; then
    echo "No such directory: ${nssdir}"
    exit 255
fi

certutil -L -d "sql:${nssdir}" >/dev/null 2>/dev/null
RETVAL=$?
if [ ${RETVAL} -eq 255 ]; then
    echo "NSS database in ${nssdir} not initialized."
    echo "    Please run 'ipsec initnss --nssdir ${nssdir}'"
    exit 255
fi

key=$(ipsec rsasigkey ${verbose} ${seeddev} --nssdir ${nssdir} ${password} ${host} ${bits})
RETVAL=$?
if [ ${RETVAL} -ne 0 ]; then
    exit ${RETVAL}
fi

out()
(
    echo ': RSA	{'
    printf "%s\n" "${key}"
    echo '	}'
    echo '# do not change the indenting of that "}"'
)

# Write out the #ckaid= and #pubkey= lines
# echo "${key}" | sed -n 's/.*#\([a-z]*)=/\1/p'

if [ -n "${output}" ]; then
    umask 077
    TEMPFILE=$(mktemp ${output}.XXXXXXX)
    RETVAL=$?
    if [ ${RETVAL} -gt 0 ]; then
	echo "${me}: error creating temporary file, aborting" >&2
	exit ${RETVAL}
    fi
    if [ -f ${output} ]; then
       cat ${output} >> ${TEMPFILE}
    fi
    out >> ${TEMPFILE}
    mv ${TEMPFILE} ${output}
fi