tcpkey(1m) - Manages the Security Association Database (SADB) for TCP



System Administration Commands                                      tcpkey(1M)
    
    
    
    NAME
       tcpkey - Manages the Security Association Database (SADB) for TCP
    
    SYNOPSIS
       tcpkey [ -nvp ]


       tcpkey [ -nv ] -f filename


       tcpkey -c filename


       tcpkey [ -nvp ] [ delete | get ] { EXTENSION value ... }


       tcpkey [ -nvp ] flush


       tcpkey [ -nvp ] dump


       tcpkey [ -nv ] -s filename
    
    
    DESCRIPTION
       The tcpkey command is used to manually manipulate the tcp(7P) MD5 secu-
       rity association database.
    
    
           tcpkey  uses  a  PF_KEY  socket  and  the   message   types   SADB_ADD,
           SADB_DELETE, SADB_GET, SADB_UPDATE, and SADB_FLUSH. You must be a supe-
           ruser to use this command.
    
    OPTIONS
           The following options are supported:
    
           -c [filename]    Analogous to the -f option, except that the  input  is
                            not executed but only checked for syntactical correct-
                            ness. Errors are reported to stderr.
    
    
           -f [filename]    Reads commands from an input file. The  lines  of  the
                            input file are identical to the command line language.
    
    
       -n               Prevents attempts to print host and network names sym-
                        bolically when reporting actions. This is useful  when
                        all the name servers are down or are not reachable.
    
    
           -p               Paranoid.  Does not print any keying material. Instead
                            of an actual hexadecimal digit, it prints  an  X  when
                            this flag is turned on.
    
    
           -s [filename]    The  opposite  of the -f option. If '-' is given for a
                            filename, then the output goes to the standard output.
                            A  snapshot of all current entries will be output in a
                            form readable by the -f option.
    
    
           -v               Verbose. Prints the messages being sent to the  PF_KEY
                            socket, and prints raw seconds values for lifetimes.
    
    
    SUB-COMMANDS
           The following subcommands are supported:
    
       add       Adds  an SA. The add subcommand involves the transfer of key-
                 ing material, and therefore it cannot  be  invoked  from  the
                 shell,  lest  the  keys be visible in ps(1) output. It can be
                 used either from the interactive tcpkey> prompt or in a  com-
                 mand  file  specified  by  the  -f option. The add subcommand
                 accepts all extension-value pairs described below.
    
    
       delete    Deletes a specific SA. If the SA is in use, it is marked  for
                 deletion  and  will  not  be used for a new connection setup;
                 any existing connections continue to use it.
    
    
           get       Looks up and displays a security association.
    
    
           flush     Removes all SAs.
    
    
           dump      Displays all SAs.
    
    
           help      Prints a help message.
    
    
       EXTENSION VALUE TYPES
           Commands like add, delete, get, and update require  certain  extensions
           and associated values to be specified.
    
       auth_alg <string>      Specifies  the  authentication  algorithm.  Cur-
                              rently only md5 is supported.
    
    
       src <addr>|<name>      Source address or host name of the SA.


       src6 <IPv6 addr>       Source IPv6 address of the SA.


       dst <addr>|<name>      Destination address or host name of the SA.


       dst6 <IPv6 addr>       Destination IPv6 address of the SA.
    
       sport <portnum>        Source port number.
    
    
       dport <portnum>        Destination port number.
    
    
       authstring <string>    MD5 authentication string. If  the  string  con-
                              tains  spaces,  it  must  be enclosed in double
                              quotes. Only ASCII characters are supported, and
                              hexadecimal  keys  are  not  supported.  Maximum
                              string length is 128 characters.
    
    
    
       SAs can only be set up between addresses of the same inet family.
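       As an added example that is not part of this man page or of the tcpkey tool, the following Python checks a command file against the extension rules above before it is handed to tcpkey -f (the sample file, extension names and limits are taken from this page; the checker itself is my own and is not the logic behind the -c option).

```python
import ipaddress
import shlex
# Constructed sample command file in the syntax accepted by "tcpkey -f"; the man page's
# example spells the algorithm extension "authalg", its option list "auth_alg".
SAMPLE = """\
add src 192.168.1.1 dst 192.168.1.2 dport 32000 authalg md5 authstring sunmicro
add src6 2001:db8::1 dst6 2001:db8::2 sport 179 auth_alg md5 authstring "bgp peer key"
add src 192.168.1.1 dst6 2001:db8::2 auth_alg sha1 authstring mixed
"""
def check_line(line):
    """Return the problems found in one tcpkey command line (empty list if acceptable)."""
    toks = shlex.split(line, comments=True)   # honours double quotes around an authstring
    if not toks:
        return []
    cmd, pairs = toks[0], toks[1:]
    if cmd not in ("add", "delete", "get", "update"):
        return [f"unknown subcommand {cmd!r}"]
    if len(pairs) % 2:
        return ["extension without a value"]
    ext = {("auth_alg" if k == "authalg" else k): v for k, v in zip(pairs[::2], pairs[1::2])}
    problems = []
    families = set()
    for key in [k for k in ("src", "dst", "src6", "dst6") if k in ext]:
        try:
            ver = ipaddress.ip_address(ext[key]).version
        except ValueError:
            continue            # a host name; its family cannot be checked offline
        families.add(ver)
        if key.endswith("6") and ver != 6:
            problems.append(f"{key} requires an IPv6 address")
    if len(families) > 1:       # the page: SAs only between the same inet family
        problems.append("src and dst must belong to the same inet family")
    for key in ("sport", "dport"):
        if key in ext and not (ext[key].isdigit() and int(ext[key]) <= 65535):
            problems.append(f"{key} is not a valid port number")
    if ext.get("auth_alg", "md5") != "md5":
        problems.append("only md5 is supported as auth_alg")
    if cmd == "add":            # keying material is only carried by add
        s = ext.get("authstring")
        if s is None:
            problems.append("add requires an authstring")
        elif not s.isascii():
            problems.append("authstring must be ASCII")
        elif len(s) > 128:
            problems.append("authstring exceeds 128 characters")
    return problems

def check_file(text):
    """Map line number -> problems for every unacceptable line of a command file."""
    return {n: p for n, l in enumerate(text.splitlines(), 1) if (p := check_line(l))}
```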
    
    EXAMPLES
           Example 1 Emptying all SAs
    
    
           The following example shows how to empty all SAs.
    
    
             example# tcpkey flush
    
    
    
           Example 2 Adding an SA
    
    
           The following example shows how to add an SA.
    
    
         example# tcpkey
               tcpkey> add src 192.168.1.1 dst 192.168.1.2 dport 32000 authalg md5 authstring sunmicro
               tcpkey> exit
    
    
    
           Example 3 Displaying all SAs
    
    
       The following example shows how to display all SAs.
    
    
             example# tcpkey dump
                  Base message (version 2) type DUMP, SA type TCP Signature.
                  Message length 576 bytes, seq=2, pid=100939.
                  SA: Authentication algorithm = MD5
                  SRC: Source address (proto=6/tcp)
                  SRC: AF_INET: port 0, 192.168.1.1 <unknown>.
                  DST: Destination address (proto=6/tcp)
                  DST: AF_INET: port 32000, 192.168.1.2 <unknown>.
                  AST: Authentication string.
                  AST: sunmicro
    
    
    
    FILES
           /etc/inet/secret/tcpkeys    Default configuration  file  used  at  boot
                                       time.  See   "Service  Management Facility"
                                       and SECURITY for more information.
    
    
    ATTRIBUTES
           See attributes(5) for descriptions of the following attributes:
    
    
    
    
           +-----------------------------+-----------------------------+
           |      ATTRIBUTE TYPE         |      ATTRIBUTE VALUE        |
           +-----------------------------+-----------------------------+
           |Interface Stability          |Committed                    |
           +-----------------------------+-----------------------------+
           |Availability                 |system/network               |
           +-----------------------------+-----------------------------+
    
    SEE ALSO
           tcp(7P), getsocket(3C)
    
    
    
    SunOS 5.11                        23 Mar 2015                       tcpkey(1M)
    
