1 .\"# @(#)COPYRIGHT 1.1a (NRL) 17 August 1995
5 .\"All of the documentation and software included in this software
6 .\"distribution from the US Naval Research Laboratory (NRL) are
7 .\"copyrighted by their respective developers.
9 .\"This software and documentation were developed at NRL by various
10 .\"people. Those developers have each copyrighted the portions that they
11 .\"developed at NRL and have assigned All Rights for those portions to
12 .\"NRL. Outside the USA, NRL also has copyright on the software
13 .\"developed at NRL. The affected files all contain specific copyright
14 .\"notices and those notices must be retained in any derived work.
18 .\"NRL grants permission for redistribution and use in source and binary
19 .\"forms, with or without modification, of the software and documentation
20 .\"created at NRL provided that the following conditions are met:
22 .\"1. Redistributions of source code must retain the above copyright
23 .\" notice, this list of conditions and the following disclaimer.
24 .\"2. Redistributions in binary form must reproduce the above copyright
25 .\" notice, this list of conditions and the following disclaimer in the
26 .\" documentation and/or other materials provided with the distribution.
27 .\"3. All advertising materials mentioning features or use of this software
28 .\" must display the following acknowledgement:
30 .\" This product includes software developed at the Information
31 .\" Technology Division, US Naval Research Laboratory.
33 .\"4. Neither the name of the NRL nor the names of its contributors
34 .\" may be used to endorse or promote products derived from this software
35 .\" without specific prior written permission.
37 .\"THE SOFTWARE PROVIDED BY NRL IS PROVIDED BY NRL AND CONTRIBUTORS ``AS
38 .\"IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
39 .\"TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
40 .\"PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL NRL OR
41 .\"CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
42 .\"EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
43 .\"PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
44 .\"PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
45 .\"LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
46 .\"NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
47 .\"SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
49 .\"The views and conclusions contained in the software and documentation
50 .\"are those of the authors and should not be interpreted as representing
51 .\"official policies, either expressed or implied, of the US Naval
52 .\"Research Laboratory (NRL).
54 .\"----------------------------------------------------------------------*/
56 .\" $ANA: keyadmin.8,v 1.3 1996/06/13 20:15:57 wollman Exp $
57 .\" $FreeBSD: src/usr.sbin/keyadmin/keyadmin.8,v 1.5.2.6 2003/03/11 21:13:50 trhodes Exp $
64 .Nd manually manipulate the kernel key management database
67 .Op Ar command Op Ar args
71 utility is used to manually enter security associations into the kernel
72 key/security association database. (See
75 Almost any operation offered in the
77 API is available to privileged users running
79 Until there is an implementation of an automated key management protocol,
80 which will manipulate the key database in a manner similar to how
84 manipulates the routing tables,
86 is the only way of establishing security associations.
90 is invoked without any arguments, it will enter an interactive mode, where
92 .Dq Ar command Op Ar args
96 .Dq Ar command Op Ar args .
98 can be one of the following:
100 .It Ic del Ar type spi source destination
102 Delete a security association between
112 delete esp 90125 anderson.yes.org rabin.yes.org
114 .It Ic get Ar type spi source destination
116 Retrieve (and print) a security association between
126 get ah 5150 eddie.vanhalen.com alex.vanhalen.com
130 Display the entire security association table. WARNING: This prints a lot
132 .It Ic load Ar filename
134 Load security association information from a file formatted as documented in
140 load keys from the standard input.
141 .It Ic save Ar filename
143 Save security association information to a file formatted as documented in
149 place the key file out on the standard output. (This can be used as a sort
155 command must create a new file; it will not write into an
156 existing file. This is to prevent writing into a world-readable file, or a
157 named pipe or UNIX socket (see
161 .It Ic help Op command
163 Offer brief help without an argument, or slightly more specific help on a
167 Erase all entries in the kernel security association table.
170 The following values for
172 are only available by using
174 in its interactive mode of operation:
176 .It Ic add Ar type spi source destination transform key
179 Add a security association of a particular
191 If a transform requires an initialization vector, the
193 argument contains it. This command is available only in interactive mode
196 makes no attempt to destroy its argument vector after use. A malicious user
199 command could determine security keys if
201 were allowed to be used straight from the command line. Example:
203 add esp 2112 temples.syrinx.org priests.syrinx.org des-cbc \\
204 a652a476a652a476 87ac9876deac9876
209 Exit interaction with
211 An EOF will also end interaction with
223 utility first appeared in NRL's
225 IPv6 networking distribution.
229 started its life as a pipe dream thought up by Dan McDonald, and came to
230 life through the excruciating efforts of Ran Atkinson, Dan McDonald,
231 Craig Metz, and Bao Phan.
232 The NRL version of the program was originally called
236 because of the conflict with
241 utility needs a -n flag like
243 to avoid name lookups.
249 commands currently display the first 30 or so entries.