tcpkey - Manages the Security AssociationDatabase (SADB) for TCP
tcpkey [ -nvp ]
tcpkey [ -nv ] -f filename
tcpkey -c filename
tcpkey [-nvp ] [ delete | get ] { EXTENSION value.. }
tcpkey [ -nvp ] flush
tcpkey [-nvp ] dump
tcpkey [-nv] -s filename
The tcpkey command is used to manually manipulate the tcp(7p) MD5 security association database.
tcpkey uses a PF_KEY socket and the message types SADB_ADD, SADB_DELETE, SADB_GET, SADB_UPDATE, and SADB_FLUSH. You must be a superuser to use this command.
The following options are supported:
Analogous to the –f option, except that the input is not executed but only checked for syntactical correctness. Errors are reported to stderr.
Reads commands from an input file. The lines of the input file are identical to the command line language.
Prevents attempts to print host and network names symbolically when reporting actions. This is useful, when all the name servers are down or are not reachable.
Paranoid. Does not print any keying material. Instead of an actual hexadecimal digit, it prints an X when this flag is turned on.
The opposite of the –f option. If '-' is given for a filename, then the output goes to the standard output. A snapshot of all current entries will be output in a form readable by the –f option.
Verbose. Prints the messages being sent to the PF_KEY socket, and prints raw seconds values for lifetimes.
The following subcommands are supported:
Adds an SA. The add subcommand involves the transfer of keying material, and therefore it cannot be invoked from the shell, lest the keys are visible in ps(1) output. It can be used either from the interactive tcpkey> prompt or in a command file specified by the –f option. The add subcommand accepts all extension-value pairs described below.
Deletes a specific SA. If the SA is in use, it will be marked delete and will not be used for a new connection setup, whereas, any existing connections will continue to use it.
Looks up and displays a security association.
Removes all SAs.
Displays all SAs.
Prints a help message.
Commands like add, delete, get, and update require certain extensions and associated values to be specified.
Specifies the authentication algorithm. Currently only md5 is supported
Source address of the SA.
Destination address of the SA.
Source port number
Destination port number
MD5 authentication string. If the string contains space, it must be enclosed in double quotes. Only ASCII characters are supported, and hexadecimal keys are not supported.Maximum string length can be 128 characters.
SAs can only be setup between the same inet family.
The following example shows how to empty all SAs.
example# tcpkey flushExample 2 Adding an SA
The following example shows how to add an SA.
example# tcpkey
tcpkey> add src 192.168.1.1 dst 192.168.1.2 dport 32000 authalg md5 \
authstring sunmicro
tcpkey> exit
Example 3 Displaying all SAs
The following example shows to display all SAs.
example# tcpkey dump
Base message (version 2) type DUMP, SA type TCP Signature.
Message length 576 bytes, seq=2, pid=100939.
SA: Authentication algorithm = MD5
SRC: Source address (proto=6/tcp)
SRC: AF_INET: port 0, 192.168.1.1 <unknown>.
DST: Destination address (proto=6/tcp)
DST: AF_INET: port 32000, 192.168.1.2 <unknown>.
AST: Authentication string.
AST: sunmicro
Default configuration file used at boot time. See "Service Management Facility" and SECURITY for more information.
See attributes(5) for descriptions of the following attributes:
|
tcp(7P), getsocket (3C)