Overview of vpka


vpka is a public-key assistant program which allows a user with no public key file on the server to upload a public key for use in authentication.

Using vpka

The following is the format for vpka commands:

vpka [options] hostname

Options

The following table lists the command-line options that can be used with vpka commands.

-a <key file>
    The key file to add (upload) to the public-key directory on the remote machine. Multiple instances of this option are allowed.

--accepthostkeys
    Instructs vpka to automatically accept host keys.
    Note: This option should be used with caution. If a host key has changed, accepting it automatically defeats the ability to detect a man-in-the-middle attack.

--auth <authentication list>
    The authentication methods to be used, as a comma-separated list. Valid methods are keyboard-interactive, publickey, password, gss-ms-kerberos, and gssapi.

-c <cipher>
    The cipher that the SSH2 server will use. Protocol strings or display strings are permitted.

--check-crls
    Instructs the application to check certificate revocation lists (CRLs) to ensure that certificates (and any certificate in their chains) have not been listed as revoked.

-d <key file>
    The key file to delete from the remote machine. The specified key file must exist on the local machine for this option to work. If the file does not exist on the local machine, use the -f option to remove the key by fingerprint. Multiple instances of the -d option are allowed.

-f <fingerprint>
    The fingerprint of the key to delete from the remote machine. This option can be used instead of the -d option when the key file does not exist on the local machine but its fingerprint is available. To view the fingerprints of all keys on the remote machine, use the -s option. Multiple instances of the -f option are allowed.

--http-proxy <hostname[:port]>
    Specifies the HTTP proxy to be used during connection.

-i <file>
    The identity file to use for public-key authentication, or a PKCS #12 file to use for X.509 authentication.

    vpka also supports accessing certificates through PKCS #11. The locator prefix (e.g., "pkcs11::") and suffix (e.g., "::standard") specify which public-key algorithm to use. To use this feature, specify a string similar to one of the following examples, substituting the path of your PKCS #11 .dll file:

        pkcs11::prov=c:\windows\system32\opensc-pkcs11.dll
        pkcs11::prov=c:\windows\system32\pkcs11.dll::cert

    The two examples above use the x509v3-sign-rsa algorithm.

        pkcs11::prov=c:\windows\system32\opensc-pkcs11.dll::standard

    The example above uses the x509v3-sign-rsa-sha1 algorithm.

        pkcs11key::prov=c:\windows\system32\pkcs11.dll

    The example above uses the ssh-rsa algorithm, which sends the certificate's key as a raw (non-certificate) public key.

--kex <KEX>
    Specifies which key exchange algorithm to use. Valid algorithms are diffie-hellman, diffie-hellman-group14, diffie-hellman-group, diffie-hellman-group-exchange-sha256, ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, Kerberos, and any OID (in dotted-number format) supported by the GSSAPI provider.

-l <username>
    Specifies the remote username.

-m <MAC>
    The MAC that the SSH2 server will use.

--noprompt
    Fails if prompted for user input.

-p <port>
    Specifies the port to be used during connection.

--passphrase <passphrase>
    The passphrase for your private key.

--pw <password>
    Your user password.

-s
    Show all remote keys.

--socks4 <server[:port]>
    SOCKS version 4 server to be used during connection.

--socks5 <server[:port]>
    SOCKS version 5 server to be used during connection.

--spn <hostname>
    Allows you to manually specify the SPN (Service Principal Name). The SPN is almost always of the form host@<server canonical name>. An example of a valid string is "host@mail.mydomain.com". If the server is in a different Kerberos realm, the realm name may need to be appended (e.g., host@mail.mydomain.com@KRBS.MYDOMAIN.COM).

-v
    Displays verbose connection debug information.

-z <n>
    The compression level (0-9). By default, the compression level is set to 5. Setting the level to 0 turns off compression. When compression is on, vpka attempts to use zlib@openssh.com, zlib, and no compression, in that order, when making a connection.

-?, --help
    Displays usage.

Examples

The following are examples of vpka command-line use.

Upload your public key to "host" for "user"

vpka --auth password -a c:\temp\myNewKey.pub -s -l user host

After entering the string shown above, you will be prompted for the password for "user@host". Your resulting output should look like the following:

Fingerprint: 88:6d:d1:6a:f8:d0:50:62:60:7b:1b:b3:d9:90:d5:81
Algorithm:   DSA
Comment:     This is my new key

List all public keys for "user" on "host"

c:\temp>vpka -s --auth password -l user host

After entering the string shown above, you will be prompted for the password for "user@host". Your resulting output should look like the following:

Fingerprint: 88:6d:d1:6a:f8:d0:50:62:60:7b:1b:b3:d9:90:d5:81
Algorithm:   DSA
Comment:     This is my new key

Remove public key based on fingerprint

vpka --auth password -f 88:6d:d1:6a:f8:d0:50:62:60:7b:1b:b3:d9:90:d5:81 -s -l user host

After entering the string shown above, you will be prompted for the password for "user@host".

Remove public key based on file

vpka --auth password -d c:\temp\myNewKey.pub -s -l user host

After entering the string shown above, you will be prompted for the password for "user@host".
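The -f option deletes by fingerprint, so before removing a key it helps to confirm which local key file produced the fingerprint that vpka -s printed. The following is an added example, not part of vpka or its documentation: it reads a local public-key file (RFC 4716 "---- BEGIN SSH2 PUBLIC KEY ----" format or a one-line OpenSSH key), prints the same Fingerprint/Algorithm pair vpka shows, and compares fingerprints case-insensitively. It assumes vpka's fingerprint is the classic MD5 digest of the SSH wire-format key blob in colon-separated hex, as in the examples above; the sample key it builds is constructed, not a real key.

```python
import base64
import hashlib
import re
import struct

# Constructed sample key material (not a real key); the blob is assembled in
# sample_key_text() from a fake RSA exponent and modulus.
_FAKE_E, _FAKE_N = b"\x01\x00\x01", b"\x00\xc3\x4a\x9f\x12\x77"
_ALG_NAMES = {"ssh-rsa": "RSA", "ssh-dss": "DSA"}  # how vpka labels algorithms


def _ssh_string(b: bytes) -> bytes:
    """SSH wire-format string/mpint: 4-byte big-endian length + bytes."""
    return struct.pack(">I", len(b)) + b


def sample_key_text(fmt: str) -> str:
    """Render the constructed key as RFC 4716 (.pub as used by -a) or OpenSSH text."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_string(_FAKE_E) + _ssh_string(_FAKE_N)
    b64 = base64.b64encode(blob).decode("ascii")
    if fmt == "openssh":
        return f"ssh-rsa {b64} This is my new key\n"
    return ("---- BEGIN SSH2 PUBLIC KEY ----\nComment: \"This is my new key\"\n"
            f"{b64}\n---- END SSH2 PUBLIC KEY ----\n")


def parse_pub_file(text: str) -> bytes:
    """Return the raw key blob from an RFC 4716 or one-line OpenSSH key file."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines[0].startswith("---- BEGIN"):
        return base64.b64decode(lines[0].split()[1])  # "<type> <base64> [comment]"
    body, in_header = [], False
    for ln in lines[1:]:
        if ln.startswith("---- END"):
            break
        if in_header or ":" in ln:          # RFC 4716 header lines (Comment:, Subject:)
            in_header = ln.endswith("\\")   # a trailing backslash continues the header
            continue
        body.append(ln)                     # base64 never contains ':'
    return base64.b64decode("".join(body))


def md5_fingerprint(blob: bytes) -> str:
    """Colon-separated MD5 of the blob (assumed to be what vpka -s prints)."""
    hexd = hashlib.md5(blob, usedforsecurity=False).hexdigest()
    return ":".join(hexd[i:i + 2] for i in range(0, 32, 2))


def local_key_report(text: str) -> dict:
    """Fingerprint/Algorithm pair, in vpka's labelling, for a local key file."""
    blob = parse_pub_file(text)
    (n,) = struct.unpack(">I", blob[:4])            # first string names the algorithm
    alg = blob[4:4 + n].decode("ascii")
    return {"Fingerprint": md5_fingerprint(blob), "Algorithm": _ALG_NAMES.get(alg, alg)}


def same_fingerprint(a: str, b: str) -> bool:
    """Compare printed fingerprints ignoring case and separators."""
    na, nb = (re.sub(r"[^0-9a-f]", "", s.lower()) for s in (a, b))
    return len(na) == 32 and na == nb
```

Run local_key_report() on each local .pub file and pass the matching fingerprint to -f only when same_fingerprint() agrees with the line printed by vpka -s.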