SSH Plugin

Rotate SSH keys with Commander

Keeper has also launched a zero-trust Password Rotation feature with KeeperPAM. This new capability is recommended for most password rotation use cases. The Documentation is linked below:

The SSH plugin for Keeper Commander gives you the ability to generate and rotate SSH keys to one or more target systems, or rotate any local or remote user's Unix/Linux password.

Prerequisites

SSH Key Rotation

Install OpenSSL and OpenSSH

This plugin requires OpenSSL and OpenSSH packages to be installed on the computer running Keeper Commander.

To verify Installation, open the Terminal application and make sure 'openssl' and 'ssh' commands are installed and accessible with the system PATH environment variable.

SSH Password Rotation

Plugin name: ssh

Prepare a Record for Rotation

Rotation supports legacy and typed records. If using typed record, a 'Login' type field is required. Additional fields may be added depending on the rotation type as well. See the instructions below.

The standard "SSH Key" record type is a good fit for SSH rotations.

See the Troubleshooting section for more information on legacy vs typed records

Set the Login Name

Populate the 'Login' field of the Keeper record with the target system(s) login name

Set the Hostname and Port

If using an untyped record, the host and port can be set to custom fields. See below.

TIP: If no rotation plugin is specified, Commander will use the port number to guess which rotation to use. Port 22 will use SSH rotation

Additional Rotation Settings

The following values can customize rotation parameters. Add these options to a record as text fields and set the label to correspond to the parameter as shown in the table.

Label
Value
Comment

cmdr:plugin

sshkey | ssh

(Optional) Tells Commander to use ssh key or ssh password rotation. This should be either set to the record, or supplied to the rotation command

cmdr:host

(Optional) Host name or IP address of target server. Can be added as a custom field if not entered as a record field

cmdr:rules

# uppercase, # lowercase, # numeric, # special'

(e.g. 4,6,3,8)

(Optional) Password generation rules

For SSH Key rotation, In order to automate the rotation of the public key on the target server, the public key must be manually updated one time in .ssh/authorized_keys on the target host(s).

After it has been set this first time, subsequent rotations will be automated and updated by Commander.

Rotate

SSH Key Rotation

First Time Setup and Run

When setting up this plugin for the first time please use the following steps:

1. Populate Keeper Record

Populate the Title, Login, and Hostname or IP and Port fields of the Keeper record.

2. Execute rotate command and store public key

Execute the rotate command on the Keeper shell for this record. Commander will generate the public and private keys and store them in the record. Copy or save the public key and save this to the file .ssh/authorized_keys in the target hosts - this step must be done manually the first time or you can use the ssh-copy-id unix command.

Make sure to set the permissions of the authorized_keys file on the target system. chmod 700 ~/.ssh; chmod 600 ~/.ssh/authorized_keys

3. Execute key rotation

Execute rotate command on Keeper shell to perform a full rotation. If successful, the target hosts will be updated with the newly generated public key and the Keeper record will be updated with the private/public key pair.

rotate "SSH Credentials" --plugin sshkey

This plugin makes an assumption that the target system uses the default settings for SSH service, i.e. authorized_keys file is located in the .ssh directory of the user HOME directory.

For more information on the rotate command see documentation

SSH Passwords Rotation

To rotate SSH passwords, use the rotate command in Commander. Pass the command a record title or UID (or use --match with a regular expression to rotate several records at once)

rotate "SSH Credentials" --plugin ssh

The plugin can be supplied to the command as shown here, or added to a record field (see options above). If not supplied, Commander will use the port field to identify which plugin to use. In this case port 22 means the ssh plugin is used. Adding the plugin type to the record makes it possible to rotate several records at once with different plugins.

PreviousPSPasswd PluginNextUnix Passwd Plugin

Last updated

Was this helpful?