tcpkey — Manages the Security Association Database (SADB) for TCP
tcpkey [-nvp] -f filename
tcpkey [-nvp] get {extension value...}
tcpkey [-nvp] delete {extension value...}
tcpkey [-nvp] save [filename]
The tcpkey command is used to manually manipulate the tcp(4P) security
association database. While the tcpkey utility has only a limited number of
general options, it supports a rich command language. The user may specify
requests to be delivered by means of a programmatic interface specific for
manual keying; see pf_key(4P). When tcpkey is invoked with no arguments, it
enters an interactive mode which prints a prompt ("tcpkey>") to the standard
output and accepts commands from the standard input until end-of-file is
reached.

tcpkey uses a PF_KEY socket and the message types SADB_ADD, SADB_DELETE,
SADB_GET and SADB_FLUSH. Thus, you must have the PRIV_SYS_IP_CONFIG privilege
to use this command.
-c [filename]
    Analogous to the -f option (see following), except that the input is not
    executed but only checked for syntactical correctness. Errors are
    reported to stderr. This option is provided to debug configurations
    without making changes.

-f [filename]
    Read commands from an input file, filename. The lines of the input file
    are identical to the command line language. The save command can
    generate files readable by the -f argument.

-n
    Prevent attempts to print host and network names symbolically when
    reporting actions. This is useful, for example, when all name servers
    are down or are otherwise unreachable.

-p
    Paranoid. Do not print any keying material, even if saving. Instead of an
    actual hexadecimal digit, print an 'X' when this flag is turned on.

-v
    Verbose. Print the messages being sent into the PF_KEY socket, and print
    raw seconds values for lifetimes.
add
    Add an SA. Because it involves the transfer of keying material, it cannot
    be invoked from the shell, lest the keys be visible in ps(1) output. It
    can be used either from the interactive tcpkey> prompt or in a command
    file specified by the -f option. The add command accepts all
    extension-value pairs described below.

delete
    Delete a specific SA. This command requires the src extension and the
    dst extension. If the SA is in use, it will be marked for deletion and
    no longer used for new connection setup. However, existing connections
    will continue to use it.

get
    Look up and display a security association. Like delete, this command
    only requires src and dst.

flush
    Remove all SAs.

dump
    Display all SAs. Because of the large amount of data generated by this
    command, there is no guarantee that all SA information will be
    successfully delivered, or that this command will even complete.

save [filename]
    Save all SAs, in the command language read by -f, to filename or, when
    no filename is given, to the standard output. Unless -p is given, the
    output includes the keying material, so direct it only to a file that
    unprivileged users cannot read.

help
    Prints a brief summary of commands.
Commands such as add, delete and get require that certain extensions and
associated values be specified. The extensions are listed here; which of them
a command requires is noted in the command descriptions above.
src addr | name
    Source address of the SA.

src6 IPv6addr
    Source address of the SA, given as an IPv6 address.

dst addr | name
    Destination address of the SA.

dst6 IPv6addr
    Destination address of the SA, given as an IPv6 address.

sport port
    Source port number. If unspecified, the SA will match any source port.

dport port
    Destination port number. If unspecified, the SA will match any
    destination port.

authalg algorithm
    Authentication algorithm. The only supported value is 'md5', which
    selects the TCP MD5 Signature Option (RFC 2385), the mechanism commonly
    used to protect BGP sessions (TCP port 179, as in the examples below).

authstring string
    Authentication string. Only ASCII characters are supported and the
    authentication string must be no longer than 80 characters.
/etc/inet/secret/tcpkeys
    Default configuration file used at boot time.
Example 1 Emptying Out All SAs

    # tcpkey flush

Example 2 Saving All SAs To Standard Output

    # tcpkey save

Example 3 Adding a pair of SAs

Note that the second SA specifies 179 as the source port so that it matches
reply traffic: the first SA covers segments sent to the peer's BGP port, the
second covers the segments the peer sends back from that port. Because add
carries keying material, it is entered at the interactive prompt (or read
from a file with -f) rather than given on the shell command line.

    # tcpkey
    tcpkey> add src 192.168.1.1 dst 192.168.1.2 dport 179 \
    authalg md5 authstring s3kr1t
    tcpkey> add src 192.168.1.2 dst 192.168.1.1 sport 179 \
    authalg md5 authstring s3kr1t
    tcpkey> exit
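The extension rules above (one source and one destination, authalg md5 only, an ASCII authstring of at most 80 characters, optional ports) and the pairing shown in Example 3 can be checked offline before a file is handed to tcpkey -f. The following Python is an added example written for this page, not tcpkey's own parser and not part of the original man page: it applies those rules to each add command in a tcpkeys file, derives the reply-direction SA by swapping endpoints and ports, and renders commands with the key replaced by 'X' characters in the manner of -p. Where the page does not say, it assumes that authalg and authstring are required for an add, that a trailing backslash continues a command onto the next line as typed in Example 3, and that a line beginning with '#' is a comment. The sample file embedded in it is constructed.

```python
"""Offline lint for tcpkeys files, the command language read by tcpkey -f.
Added example, not tcpkey's own code: it applies the rules the man page gives
for the add command, derives the reply-direction SA of Example 3 and redacts
keys in the spirit of -p.  Assumed (the page does not say): authalg and
authstring are required, a trailing backslash continues a command onto the
next line, and a line starting with '#' is a comment."""
import ipaddress
import shlex
from dataclasses import dataclass, replace
from typing import List, Optional

AUTH_ALGS = {"md5"}   # the only authalg the page documents
MAX_AUTHSTRING = 80   # authstring length limit stated by the page
EXTENSIONS = {"src", "src6", "dst", "dst6", "sport", "dport", "authalg", "authstring"}

class TcpkeyError(ValueError):
    """A command the page's rules would reject."""

@dataclass(frozen=True)
class TcpSA:
    src: str
    dst: str
    authalg: str
    authstring: str
    sport: Optional[int] = None   # None matches any source port
    dport: Optional[int] = None   # None matches any destination port

def _port(ext: str, value: str) -> int:
    if not value.isdigit() or not 0 < int(value) < 65536:
        raise TcpkeyError(f"{ext}: not a valid port number: {value!r}")
    return int(value)

def _addr(ext: str, value: str) -> str:
    # src/dst take an address or a host name; src6/dst6 take a literal IPv6 address.
    try:
        return str(ipaddress.IPv6Address(value) if ext.endswith("6")
                   else ipaddress.ip_address(value))
    except ValueError:
        if ext.endswith("6"):
            raise TcpkeyError(f"{ext}: not an IPv6 address: {value!r}") from None
        return value   # a host name: tcpkey resolves it, this linter does not

def parse_add(command: str) -> TcpSA:
    """Parse one add command, enforcing the constraints listed for the extensions."""
    words = shlex.split(command, comments=True)
    if len(words) % 2 == 0 or words[0] != "add":
        raise TcpkeyError(f"expected 'add' plus extension/value pairs: {command!r}")
    ext = dict(zip(words[1::2], words[2::2]))
    if not set(ext) <= EXTENSIONS:
        raise TcpkeyError(f"unknown extension(s): {sorted(set(ext) - EXTENSIONS)}")
    src = [k for k in ("src", "src6") if k in ext]
    dst = [k for k in ("dst", "dst6") if k in ext]
    if len(src) != 1 or len(dst) != 1 or not {"authalg", "authstring"} <= set(ext):
        raise TcpkeyError("need one of src/src6, one of dst/dst6, authalg and authstring")
    if ext["authalg"] not in AUTH_ALGS:
        raise TcpkeyError(f"authalg: unsupported algorithm {ext['authalg']!r}")
    auth = ext["authstring"]
    if not auth.isascii() or len(auth) > MAX_AUTHSTRING:
        raise TcpkeyError(f"authstring: must be ASCII, at most {MAX_AUTHSTRING} chars")
    return TcpSA(src=_addr(src[0], ext[src[0]]), dst=_addr(dst[0], ext[dst[0]]),
                 authalg=ext["authalg"], authstring=auth,
                 sport=_port("sport", ext["sport"]) if "sport" in ext else None,
                 dport=_port("dport", ext["dport"]) if "dport" in ext else None)

def reply_sa(sa: TcpSA) -> TcpSA:
    """The SA matching the peer's replies (Example 3's second add): swapped ends/ports."""
    return replace(sa, src=sa.dst, dst=sa.src, sport=sa.dport, dport=sa.sport)

def format_add(sa: TcpSA, paranoid: bool = False) -> str:
    """Render an SA as an add command; paranoid prints an X per key character, like -p."""
    words = ["add", "src6" if ":" in sa.src else "src", sa.src,
             "dst6" if ":" in sa.dst else "dst", sa.dst]
    for ext, port in (("sport", sa.sport), ("dport", sa.dport)):
        if port is not None:
            words += [ext, str(port)]
    key = "X" * len(sa.authstring) if paranoid else sa.authstring
    return " ".join(words + ["authalg", sa.authalg, "authstring", shlex.quote(key)])

def lint(text: str) -> List[TcpSA]:
    """Parse every add in a tcpkeys file: roughly what tcpkey -c does for adds."""
    sas, pending = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):           # continuation, as written in Example 3
            pending += line[:-1] + " "
            continue
        command, pending = (pending + line).strip(), ""
        if command and not command.startswith("#"):
            sas.append(parse_add(command))
    return sas

# Constructed sample file: one BGP peer keyed in both directions, as in Example 3.
SAMPLE_TCPKEYS = """\
# /etc/inet/secret/tcpkeys: keep it mode 0600, it holds the keying material
add src 192.168.1.1 dst 192.168.1.2 dport 179 \\
    authalg md5 authstring s3kr1t
add src 192.168.1.2 dst 192.168.1.1 sport 179 \\
    authalg md5 authstring s3kr1t
"""
```

lint(SAMPLE_TCPKEYS) yields the two SAs of Example 3; the second equals reply_sa() of the first, and format_add(sa, paranoid=True) shows what a save under -p would print for it. This is a pre-flight check only: tcpkey -c remains the authoritative syntax check, since it runs the real parser.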
Example 4 Displaying all SAs

Without -p, dump prints the authentication string in the clear (the AST lines
below); use tcpkey -p dump when the output may be seen by others.

    # tcpkey dump
    Base message (version 2) type DUMP, SA type TCPSIG.
    Message length 112 bytes, seq=5, pid=649091.
    SRC: Source address (proto=6/tcp)
    SRC: AF_INET6: port 0, ::ffff:192.168.1.1/32 (host.example.com).
    DST: Destination address (proto=6/tcp)
    DST: AF_INET6: port 179, ::ffff:192.168.1.2/32 <unknown>.
    AST: Authentication string.
    AST: "s3kr1t"
The command line interface of tcpkey is Uncommitted.

The output format of tcpkey is Not-An-Interface and may change at any time.