tcpkey - Manages the Security Association Database (SADB) for TCP



    System Administration Commands                                    tcpkey(1M)
    
    
    
    NAME
           tcpkey - Manages the Security Association Database (SADB) for TCP
    
    SYNOPSIS
           tcpkey [ -nvp ]

           tcpkey [ -nv ] -f filename

           tcpkey -c filename

           tcpkey [ -nvp ] [ delete | get ] { EXTENSION value... }

           tcpkey [ -nvp ] flush

           tcpkey [ -nvp ] dump

           tcpkey [ -nv ] -s filename
    
    
    DESCRIPTION
           The tcpkey command is used to manually manipulate the tcp(7p) MD5
           security association database.

           tcpkey uses a PF_KEY socket and the message types SADB_ADD,
           SADB_DELETE, SADB_GET, SADB_UPDATE, and SADB_FLUSH. You must be a
           superuser to use this command.
    
    OPTIONS
           The following options are supported:
    
           -c [filename]   Analogous to the -f option, except that the input is
                           not executed but only checked for syntactical
                           correctness. Errors are reported to stderr.

           -f [filename]   Reads commands from an input file. The lines of the
                           input file are identical to the command line
                           language.

           -n              Prevents attempts to print host and network names
                           symbolically when reporting actions. This is useful
                           when all the name servers are down or are not
                           reachable.

           -p              Paranoid. Does not print any keying material.
                           Instead of an actual hexadecimal digit, it prints an
                           X when this flag is turned on.

           -s [filename]   The opposite of the -f option. If '-' is given for a
                           filename, then the output goes to the standard
                           output. A snapshot of all current entries will be
                           output in a form readable by the -f option.

           -v              Verbose. Prints the messages being sent to the PF_KEY
                           socket, and prints raw seconds values for lifetimes.
    
    
    SUB-COMMANDS
           The following subcommands are supported:
    
           add      Adds an SA. The add subcommand involves the transfer of
                    keying material, and therefore it cannot be invoked from
                    the shell, lest the keys be visible in ps(1) output. It can
                    be used either from the interactive tcpkey> prompt or in a
                    command file specified by the -f option. The add subcommand
                    accepts all extension-value pairs described below.

           delete   Deletes a specific SA. If the SA is in use, it will be
                    marked for deletion and will not be used for a new
                    connection setup, whereas any existing connections will
                    continue to use it.

           get      Looks up and displays a security association.

           flush    Removes all SAs.

           dump     Displays all SAs.

           help     Prints a help message.
    
    
       EXTENSION VALUE TYPES
           Commands like add, delete, get, and update require certain
           extensions and associated values to be specified.

           auth_alg <string>       Specifies the authentication algorithm.
                                   Currently only md5 is supported.

           src <addr>|<name>       Source address of the SA.

           src6 <IPv6 address>     Source IPv6 address of the SA.

           dst <addr>|<name>       Destination address of the SA.

           dst6 <IPv6 address>     Destination IPv6 address of the SA.

           sport <portnum>         Source port number.

           dport <portnum>         Destination port number.

           authstring <string>     MD5 authentication string. If the string
                                   contains a space, it must be enclosed in
                                   double quotes. Only ASCII characters are
                                   supported, and hexadecimal keys are not
                                   supported. Maximum string length is 128
                                   characters.

           SAs can only be set up within the same inet family.
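           Because add must not be run from the shell with the key on its
           command line (ps(1) would show it), and because the authstring and
           address extensions above carry fixed limits, the following added
           example (not part of the man page or of illumos) builds a -f command
           file, checks those limits first, and only then hands the file to
           tcpkey -c and tcpkey -f. The addresses, file name and helper names
           are assumptions; tcpkey is invoked only if it is installed.

```sh
#!/bin/sh
# Added example, not from the tcpkey man page: build a command file for
# `tcpkey -f` so the MD5 authstring never sits on a shell command line
# (where ps(1) would show it), enforcing the limits the page states.
# Addresses and file names are constructed; tcpkey itself runs only if
# it is installed. The page documents the extension as auth_alg (its
# Example 2 writes authalg); auth_alg is used here.

# addr_family ADDR -> prints 4 or 6; an IPv6 literal contains a colon.
addr_family() {
    case $1 in
        *:*)     echo 6 ;;
        *.*.*.*) echo 4 ;;
        *)       return 1 ;;
    esac
}

# tcpkey_add_line SRC DST DPORT AUTHSTRING -> one "add ..." line, or a
# non-zero status when the inputs break a documented constraint.
tcpkey_add_line() {
    src=$1 dst=$2 dport=$3 auth=$4
    sf=$(addr_family "$src") || return 1
    df=$(addr_family "$dst") || return 1
    # SAs can only be set up within one inet family.
    [ "$sf" = "$df" ] || { echo "src/dst family mismatch" >&2; return 1; }
    # ASCII only (no hex keys), at most 128 characters.
    if printf '%s' "$auth" | LC_ALL=C grep -q '[^ -~]'; then
        echo "authstring must be printable ASCII" >&2; return 1
    fi
    [ "${#auth}" -le 128 ] || { echo "authstring > 128 chars" >&2; return 1; }
    case $auth in
        *\"*) echo "double quote not allowed in authstring" >&2; return 1 ;;
        *\ *) auth="\"$auth\"" ;;   # a string containing spaces is quoted
    esac
    if [ "$sf" = 6 ]; then sk=src6 dk=dst6; else sk=src dk=dst; fi
    printf 'add %s %s %s %s dport %s auth_alg md5 authstring %s\n' \
        "$sk" "$src" "$dk" "$dst" "$dport" "$auth"
}

# tcpkey_load FILE LINE...: write the lines to FILE readable by the owner
# only, syntax-check it with -c, then load it with -f.
tcpkey_load() {
    file=$1; shift
    ( umask 077; printf '%s\n' "$@" > "$file" ) || return 1
    if command -v tcpkey >/dev/null 2>&1; then
        tcpkey -c "$file" && tcpkey -f "$file"
    fi
}
```

           A typical call is tcpkey_load /etc/inet/secret/tcpkeys "$(tcpkey_add_line
           192.168.1.1 192.168.1.2 32000 sunmicro)", which keeps the key out of
           the process argument list of tcpkey itself.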
    
    EXAMPLES
           Example 1 Emptying all SAs
    
    
           The following example shows how to empty	all SAs.
    
    
    	 example# tcpkey flush
    
    
    
           Example 2 Adding	an SA
    
    
           The following example shows how to add an SA.
    
    
         example# tcpkey
               tcpkey> add src 192.168.1.1 dst 192.168.1.2 dport 32000 authalg md5 authstring sunmicro
               tcpkey> exit
    
    
    
           Example 3 Displaying all	SAs
    
    
           The following example shows how to display all SAs.
    
    
    	 example# tcpkey dump
    	      Base message (version 2) type DUMP, SA type TCP Signature.
    	      Message length 576 bytes,	seq=2, pid=100939.
    	      SA: Authentication algorithm = MD5
    	      SRC: Source address (proto=6/tcp)
    	      SRC: AF_INET: port 0, 192.168.1.1	<unknown>.
    	      DST: Destination address (proto=6/tcp)
    	      DST: AF_INET: port 32000,	192.168.1.2 <unknown>.
    	      AST: Authentication string.
    	      AST: sunmicro
    
    
    
    FILES
           /etc/inet/secret/tcpkeys    Default configuration file used at boot
                                       time. See "Service Management Facility"
                                       and SECURITY for more information.
    
    
    ATTRIBUTES
           See attributes(5) for descriptions of the following attributes:
    
    
    
    
           +-----------------------------+-----------------------------+
           |       ATTRIBUTE TYPE        |       ATTRIBUTE VALUE       |
           +-----------------------------+-----------------------------+
           | Interface Stability         | Committed                   |
           +-----------------------------+-----------------------------+
           | Availability                | system/network              |
           +-----------------------------+-----------------------------+
    
    SEE ALSO
           tcp(7P), getsocket(3C)
    
    
    
    SunOS 5.11			  23 Mar 2015			    tcpkey(1M)
    