vpka is a public-key assistant program which allows a user with no public key file on the server to upload a public key for use in authentication.
Using vpka
The following is the format for vpka commands:
vpka [options] hostname
Options
The following table lists the command-line options that can be used with vpka commands.
Option | Argument | Description
-a | key file | The key file to add or upload to the public-key directory on the remote machine; multiple instances of this option are allowed.
--accepthostkeys | | Instructs vpka to automatically accept host keys. Note: This option should be used with caution. If a host key has changed, accepting it automatically removes the ability to detect a man-in-the-middle attack.
--auth | | The authentication methods to be used, as a comma-separated list. Valid methods are keyboard-interactive, publickey, password, gss-ms-kerberos, and gssapi.
-c | cipher | The cipher that the SSH2 server will use. Protocol strings or display strings are permitted.
--check-crls | | Instructs the application to check certificate revocation lists (CRLs) to ensure that the certificate (and any certificate in its chain) has not been listed as revoked.
-d | key file | The key file to delete from the remote machine. The specified key file must exist on the local machine for this option to work. If the file does not exist on the local machine, you must use the -f option to remove the key. Multiple instances of the -d option are allowed.
-f | fingerprint key | The fingerprint of the key to delete from the remote machine. This option can be used instead of the -d option when the key file does not exist on the local machine but the fingerprint is available. To view all the keys on the remote machine, use the -s option. Multiple instances of the -f option are allowed.
--http-proxy | hostname[:port] | Specifies the HTTP proxy to be used during connection.
-i | file | The identity file to use for public-key authentication, or a PKCS #12 file to use for X.509 authentication. vpka also supports accessing certificates through PKCS #11. The locator prefix (e.g., "pkcs11::") and suffix (e.g., "::standard") specify which public-key algorithm to use. To use this feature, specify a string similar to one of the following examples, substituting your own PKCS #11 .dll file: pkcs11::prov=c:\windows\system32\opensc-pkcs11.dll and pkcs11::prov=c:\windows\system32\pkcs11.dll::cert (both use the x509v3-sign-rsa algorithm); pkcs11::prov=c:\windows\system32\opensc-pkcs11.dll::standard (uses the x509v3-sign-rsa-sha1 algorithm); pkcs11key::prov=c:\windows\system32\pkcs11.dll (uses the ssh-rsa algorithm, which can be used to send the certificate as a raw key).
--kex | KEX | Specifies which key exchange algorithm to use. Valid algorithms are diffie-hellman, diffie-hellman-group14, diffie-hellman-group, diffie-hellman-group-exchange-sha256, ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, Kerberos, and any OID (in dotted number format) supported by the GSSAPI provider.
-l | username | Specifies the remote username.
-m | MAC | The MAC that the SSH2 server will use.
--noprompt | | Fails if prompted for user input.
-p | port | Specifies the port to be used during connection.
--passphrase | passphrase | The passphrase for your private key.
--pw | password | Your user password.
-s | | Show all remote keys.
--socks4 | |
--socks5 | |
--spn | hostname | Allows you to manually specify the SPN (Service Principal Name). The SPN is almost always of the form host@<server canonical name>. An example of a valid string is "host@mail.mydomain.com". If the server is in a different Kerberos realm, the realm name may need to be appended (e.g., host@mail.mydomain.com@KRBS.MYDOMAIN.COM).
-v | | Displays verbose connection debug information.
-z | n | The compression level (0-9). By default, the compression level is set to 5. Setting the level to 0 turns off compression. When compression is on, vpka attempts to use zlib@openssh.com, zlib, and no compression, in that order, when making a connection.
 | | Displays usage.
Examples
The following are examples of vpka command-line use.
Upload your public key to "host" for "user"
vpka --auth password -a c:\temp\myNewKey.pub -s -l user host
After entering the string shown above, you will be prompted for the password for "user@host". Your resulting output should look like the following:
Fingerprint: 88:6d:d1:6a:f8:d0:50:62:60:7b:1b:b3:d9:90:d5:81
Algorithm: DSA
Comment: This is my new key
List all public keys for "user" on "host"
vpka -s --auth password -l user host
After entering the string shown above, you will be prompted for the password for "user@host". Your resulting output should look like the following:
Fingerprint: 88:6d:d1:6a:f8:d0:50:62:60:7b:1b:b3:d9:90:d5:81
Algorithm: DSA
Comment: This is my new key
Remove public key based on fingerprint
vpka --auth password -f 88:6d:d1:6a:f8:d0:50:62:60:7b:1b:b3:d9:90:d5:81 -s -l user host
After entering the string shown above, you will be prompted for the password for "user@host".
Remove public key based on file
vpka --auth password -d c:\temp\myNewKey.pub -s -l user host
After entering the string shown above, you will be prompted for the password for "user@host".
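The -s listing and the -f removal above both identify a key by its colon-separated MD5 fingerprint, so it is worth being able to compute that fingerprint from a local key file before deleting anything on the server. The following script is an added example, not part of the vpka documentation or the product: it parses a public key in either OpenSSH one-line format or RFC 4716 ("---- BEGIN SSH2 PUBLIC KEY ----") format, extracts the raw key blob, and produces the MD5 fingerprint in the style vpka displays, along with an OpenSSH-style SHA-256 fingerprint. The sample key blob is a constructed toy ssh-rsa structure (not a real or usable key) so the script runs offline; the function names are this example's own.

```python
"""Compute SSH2 public-key fingerprints locally before managing keys remotely.

Added example (not part of the vpka documentation). Handles OpenSSH one-line
keys and RFC 4716 keys, and prints the colon-separated MD5 fingerprint that
key-management tools such as vpka -s display, plus a SHA-256 fingerprint.
"""
import base64
import hashlib
import struct

RFC4716_BEGIN = "---- BEGIN SSH2 PUBLIC KEY ----"
RFC4716_END = "---- END SSH2 PUBLIC KEY ----"


def key_blob_from_text(text: str) -> bytes:
    """Return the raw binary key blob from an OpenSSH or RFC 4716 public key."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    if lines and lines[0] == RFC4716_BEGIN:
        # RFC 4716: header lines contain ':' and may continue with a trailing
        # backslash; everything else up to the END marker is base64 body.
        body, in_header = [], False
        for ln in lines[1:]:
            if ln == RFC4716_END:
                break
            if in_header or ":" in ln:
                in_header = ln.endswith("\\")
                continue
            body.append(ln)
        return base64.b64decode("".join(body))
    # OpenSSH one-line format: "<type> <base64 blob> [comment]"
    parts = lines[0].split() if lines else []
    if len(parts) < 2:
        raise ValueError("not a recognised public key")
    return base64.b64decode(parts[1])


def md5_fingerprint(blob: bytes) -> str:
    """Classic colon-separated MD5 fingerprint, e.g. 88:6d:d1:...:81."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def sha256_fingerprint(blob: bytes) -> str:
    """OpenSSH-style SHA256 fingerprint (unpadded base64 of the digest)."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def key_algorithm(blob: bytes) -> str:
    """The algorithm name is the first length-prefixed string in the blob."""
    (n,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + n].decode("ascii")


def matches_fingerprint(text: str, fingerprint: str) -> bool:
    """True if the server-reported MD5 fingerprint belongs to this local key file.

    Tolerates upper-case hex and an optional 'MD5:' prefix.
    """
    wanted = fingerprint.strip().lower()
    if wanted.startswith("md5:"):
        wanted = wanted[4:]
    return md5_fingerprint(key_blob_from_text(text)) == wanted


def report(text: str) -> dict:
    """Algorithm and both fingerprints for one public-key file's contents."""
    blob = key_blob_from_text(text)
    return {"algorithm": key_algorithm(blob),
            "md5": md5_fingerprint(blob),
            "sha256": sha256_fingerprint(blob)}


# --- Constructed sample key (toy values, NOT a real RSA key) --------------
def _ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def _mpint(value: int) -> bytes:
    # SSH mpint: big-endian, with a leading 0x00 when the high bit is set.
    return _ssh_string(value.to_bytes((value.bit_length() + 8) // 8, "big"))


SAMPLE_BLOB = _ssh_string(b"ssh-rsa") + _mpint(65537) + _mpint(0xC0FFEE1234567890ABCDEF)
_B64 = base64.b64encode(SAMPLE_BLOB).decode()
OPENSSH_KEY = f"ssh-rsa {_B64} This is my new key\n"
RFC4716_KEY = "\n".join([RFC4716_BEGIN, 'Comment: "This is my new key"',
                         *[_B64[i:i + 70] for i in range(0, len(_B64), 70)],
                         RFC4716_END]) + "\n"

if __name__ == "__main__":
    for label, text in (("OpenSSH", OPENSSH_KEY), ("RFC 4716", RFC4716_KEY)):
        r = report(text)
        print(f"{label}: {r['algorithm']} {r['md5']} {r['sha256']}")
```

In practice you would read the key file named in your -a or -d command, compare its MD5 fingerprint with the one shown by vpka -s, and only then pass that fingerprint to -f; both key-file formats yield the same blob and therefore the same fingerprint.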