/usr/lib/ipsec/newhostkey is in libreswan 3.23-4.
This file is owned by root:root, with mode 0o755.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 | #! /bin/sh
#
# generate new key for this host
#
# Copyright (C) 2001, 2002 Henry Spencer.
# Copyright (C) 2014 Paul Wouters <pwouters@redhat.com>
# Copyright (C) 2014, 2016 Tuomo Soini <tis@foobar.fi>
# Copyright (C) 2016, Andrew Cagney <cagney@gnu.org>
#
# This program is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by the
# Free Software Foundation; either version 2 of the License, or (at your
# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
# for more details.
#
me="ipsec newhostkey"
usage="Usage: $me [--output filename] [--seeddev device] [--bits n] \\
[--quiet] [--hostname host] [--nssdir /var/lib/ipsec/nss] [--password password] "
bits=
verbose=
host=
seeddev="--seeddev /dev/random"
output=
nssdir="/var/lib/ipsec/nss"
password=
for dummy; do
case "$1" in
--bits)
bits="${2}"
shift
;;
--quiet)
verbose=
;;
--hostname)
host="--hostname ${2}"
shift
;;
--output)
output="${2}"
shift
;;
--verbose)
verbose="--verbose"
;;
--version)
echo "${me} $IPSEC_VERSION"
exit 0
;;
--random)
echo "${me} warning: --random is obsoleted, using --seeddev" >&2
seeddev="--seeddev ${2}"
shift
;;
--seeddev)
seeddev="--seeddev ${2}"
shift
;;
--configdir)
echo "${me} warning: --configdir is obsoleted, use --nssdir" >&2
nssdir="${2}"
shift
;;
--nssdir)
nssdir="${2}"
shift
;;
--password)
password="--password ${2}"
shift
;;
--help)
echo "$usage"
exit 0
;;
--)
shift
break
;;
-*)
echo "${me}: unknown option \`$1'" >&2
exit 2
;;
*)
break
;;
esac
shift
done
if [ -n "${output}" -a -d "${output}" ]; then
echo "ERROR: output file should be a secrets file, not a directory"
exit 255
fi
if [ -n "${output}" -a -s "${output}" ]; then
printf "%s: WARNING: file \"%s\" exists, appending to it\n" "${0}" "${output}" >&2
fi
if [ ! -d ${nssdir} ]; then
echo "No such directory: ${nssdir}"
exit 255
fi
certutil -L -d "sql:${nssdir}" >/dev/null 2>/dev/null
RETVAL=$?
if [ ${RETVAL} -eq 255 ]; then
echo "NSS database in ${nssdir} not initialized."
echo " Please run 'ipsec initnss --nssdir ${nssdir}'"
exit 255
fi
key=$(ipsec rsasigkey ${verbose} ${seeddev} --nssdir ${nssdir} ${password} ${host} ${bits})
RETVAL=$?
if [ ${RETVAL} -ne 0 ]; then
exit ${RETVAL}
fi
out()
(
echo ': RSA {'
printf "%s\n" "${key}"
echo ' }'
echo '# do not change the indenting of that "}"'
)
# Write out the #ckaid= and #pubkey= lines
# echo "${key}" | sed -n 's/.*#\([a-z]*)=/\1/p'
if [ -n "${output}" ]; then
umask 077
TEMPFILE=$(mktemp ${output}.XXXXXXX)
RETVAL=$?
if [ ${RETVAL} -gt 0 ]; then
echo "${me}: error creating temporary file, aborting" >&2
exit ${RETVAL}
fi
if [ -f ${output} ]; then
cat ${output} >> ${TEMPFILE}
fi
out >> ${TEMPFILE}
mv ${TEMPFILE} ${output}
fi
|