Logging in

How to log in and use the Keeper Commander CLI

First Login on a New Device

To login to Commander for the first time, click the Keeper Commander icon or open a shell and type:

keeper shell

Set Server

The Keeper Commander CLI will default to the US data center. To change regions, use the server command:

  • US: server US
  • EU: server EU
  • AU: server AU
  • CA: server CA
  • JP: server JP
  • GovCloud: server GOV

Use "server" command to change Keeper region > "server US"
	US: keepersecurity.com
	EU: keepersecurity.eu
	AU: keepersecurity.com.au
	CA: keepersecurity.ca
	JP: keepersecurity.jp
	GOV: govcloud.keepersecurity.us
To login type: login <email>

Login to the shell by typing login. If this is your first login, you will need to follow the device approval workflow. This is only needed once, as an extra layer of security to trust the device you are on.

First Login Example

Not logged in> login
...      User(Email): yourname@email.com
Logging in to Keeper Commander

Device Approval Required
Approve by selecting a method below:
        "email_send" to send email
        "email_code=<code>" to validate verification code sent via email
        "keeper_push" to send Keeper Push notification
        "2fa_send" to send 2FA code
        "2fa_code=<code>" to validate a code provided by 2FA application
        "approval_check" check for device approval
Type your selection: 
  • If you wish to approve via email:

    • Type email_send or es

    • Enter the security code with email_code=<code>

  • If you wish to approve via Keeper Push:

    • Type keeper_push

    • Approve via push

    • Then type approval_check

  • If you wish to approve via 2FA code:

    • Input 2fa_send

    • Then input 2fa_code=<code>

Once complete you will receive the following message:

Device was approved

Logging in with a Master Password

After device approval, you will immediately move to the login process, or if you previously approved the device, this will be the first step.

Master Password Login Example

Not logged in> login
...      User(Email): yourname@email.com
Logging in to Keeper Commander
Enter password for yourname@email.com
Password: *********

Successfully authenticated with Login V3 (Password)
Syncing...
Decrypted [23] record(s)
My Vault>

Logging in With 2FA

If you have 2FA enforced on your account, you will be required to pass the 2FA step before logging in with a Master Password. Your login flow in Commander will follow the same rules you have for logging into the Vault.

Login Example with 2FA

Not logged in> login
...      User(Email): yourname@email.com
Logging in to Keeper Commander
This account requires 2FA Authentication
     U2F (FIDO Security Key)
     Send SMS Code
  3. TOTP (Google Authenticator) [ ENABLED ]
     DUO
Selection:

Each 2FA method that is enabled will have a number next to it.

In this example, only TOTP is enabled, so 3 would need to be entered, followed by the TOTP code. Enter the corresponding number to proceed:

Selection: 3

Enter 2FA Code or Duration: 2fa_duration=forever
Enter 2FA Code or Duration: 123456

By default, Keeper Commander prompts for a 2FA code on every login. To store 2FA authentication for this device, either for 30 days or forever, type one of the following before entering the code:

  • 2fa_duration=30_days to prompt for 2FA every 30 days, or...

  • 2fa_duration=forever to never prompt again on this device

Logging in with a Proxy

If your network configuration requires using a proxy server, you can use the proxy command before logging in.

My Vault> proxy -h
usage: proxy [-h] [-a {list,add,remove}] [schema://[user:password@]host:port]

Sets proxy server

positional arguments:
  schema://[user:password@]host:port
                        "add": proxy address. Schemas are "socks5h", "http", "socks4", etc

optional arguments:
  -h, --help            show this help message and exit
  -a {list,add,remove}, --action {list,add,remove}
                        action

Enterprise SSO Login

If SSO is configured for your Keeper enterprise, the following screen will appear for users who log in to Commander:

Not logged in> login
...      User(Email): yourname@email.com
Logging in to Keeper Commander

SSO Login URL:
https://keepersecurity.com/api/rest/sso/saml/login/xxx

Navigate to SSO Login URL with your browser and complete login.
Copy a returned SSO Token into clipboard.
Paste that token into Commander

  a. SSO User with a Master Password
  c. Copy SSO Login URL to clipboard
  o. Navigate to SSO Login URL with the default web browser
  p. Paste SSO Token from clipboard
  q. Quit SSO login attempt and return to Commander prompt
  
Selection:

To login to Commander using SSO, you will need to paste a token provided by the SSO provider from your web browser into Commander. To receive the SSO token, follow these steps:

SSO Login Using Default Browser

To have Commander automatically open the default browser to the SSO Connect page, enter "o" in the SSO selection and hit Enter.

The default browser for your system will open to the SSO Connect page.

Depending on your operating system, settings, and administrator privileges, Commander may be unable to open the web browser. In this case, use the following option to open the SSO Connect screen.

SSO Login Using Pasted Token

You can copy the URL to your SSO's login screen from the SSO Connect text in Commander, or enter "c" in the SSO selection and hit Enter to copy the URL to your clipboard.

SSO Login URL:
https://keepersecurity.com/api/rest/sso/saml/login/xxx

Once the URL is copied, paste it into a web browser to navigate to the SSO Connect page.

After a successful SSO login, the web page will show a yellow "Copy" button. Click the button to copy the token.

Paste the SSO Token

Once the token has been copied, go back to Commander to complete the SSO login.

In Commander enter "p" in the SSO selection screen and hit Enter to paste the token from your clipboard into Commander and complete SSO login.

What if There is No "Copy login token" Button?

In some cases, the "Copy login token" button may not appear. This depends on your SSO setup and Commander version. In this case, the SSO token will need to be manually copied from the web page source.

The page will remain in a loading state (with spinning icon) to give you time to find and copy the token. Though the spinning icon appears to be loading, the page will not change.

Once you have opened the SSO Connect page in the browser, follow these instructions to copy the SSO token:

Right-click the web page and select "View Page Source".

With the page source open, search for "var token" and copy the token that follows that text.

Be sure to copy all text between the quotation marks (") without copying the quotation marks themselves. Note that the token is longer than the page shows.

There are two possible formats that the token could have for SSO login:

The token is a long quoted string

var token = "aQwDh&r[...]"

In this case, copy everything within the quotation marks.

The token is a JSON object

var token = {'result':'success', 'password':"d8!xe3[...]"}

In this case, copy the entire object, including the curly brackets.

Once the token has been copied, go back to Commander to complete the SSO login.

In Commander enter "p" in the SSO selection screen and hit Enter to paste the token from your clipboard into Commander and complete SSO login.

Device Approval with SSO Login

If device approval is turned on for your account, the device approval selection will be shown after the first SSO login.

Approve this device by selecting a method below:
  1. Keeper Push. Send a push notification to your device.
  2. Admin Approval. Request your admin to approve this device.
  r. Resume SSO login after device is approved.
  q. Quit SSO login attempt and return to Commander prompt.
Selection: 

Enter your selection and hit Enter to continue with device approval.

1 : Approve with Keeper Push

2 : Approve with Admin Approval

r : Resume SSO login after the device has been approved

See the First Login on a New Device section for more details on device approval.

Use a Master Password with SSO Login

Customers who normally login to their Keeper Vault using Enterprise SSO Login (SAML 2.0) can also login to Keeper Commander using a Master Password. To make use of this capability, it must be enabled by the Keeper Administrator and then configured by the user. The steps are below:

Login to the Keeper Admin Console

As the admin, login to the Keeper Admin Console as you normally do.

Enable SSO Master Password Policy

For the User/Role who will be accessing Keeper Commander, open the Role Enforcement Policy setting screen. Enable the option "Allow users who login with SSO to create a Master Password".

Login to the End-User Vault using SSO

As the user who will be using Commander, login to the Keeper Web Vault or Keeper Desktop app with your SSO provider as you normally do.

Create a Master Password

Visit the Settings > General screen and set up a Master Password.

After the Master Password is created, you can log in to Keeper Commander.

Optional: Force SSO Master Password Login in Configuration File

Add the following line to your configuration file.

{ ...
    "sso_master_password": true,
...}

Persistent Login Sessions ("Stay Logged In")

Commander can be configured to stay logged in between sessions, and you can also configure how long the device will remain logged in without activity. This feature is referred to as persistent login or "Stay Logged In" in the Vault UI.

Use the this-device command to set your preferences.

Example:

My Vault> this-device
                     Device Name: Commander CLI on macOS
                Data Key Present: missing
                 IP Auto Approve: OFF
                Persistent Login: OFF
           Device Logout Timeout: 1 hour
       Enterprise Logout Timeout: 7 days
        Effective Logout Timeout: 1 hour
                     Is SSO User: True

To enable "Stay Logged In" so that you're not prompted for authentication, use these commands:

My Vault> this-device persistent-login on 
My Vault> this-device register

If persistent login is enabled, you won't be prompted to authenticate the next time you run Commander:

user@mycomputer ~ % keeper shell
Logging in to Keeper Commander
Successfully authenticated with Persistent Login

Changing persistent-login ("stay logged in") affects all devices that you use with Keeper.

To set the inactivity logout timer to a certain number of minutes:

My Vault> this-device timeout 600
Successfully set "logout_timer" to 10 hours.
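
A check that can be run over saved `this-device` output to confirm the persistent-login and timeout settings described above. This is an added example, not part of Keeper's documentation or code: the function names, the constructed sample text and the 480-minute policy threshold are all assumptions for illustration.

```python
import re

# Constructed sample in the format of the `this-device` output shown above,
# with Persistent Login ON and a 10-hour device timeout.
SAMPLE = """\
                     Device Name: Commander CLI on macOS
                Data Key Present: missing
                 IP Auto Approve: OFF
                Persistent Login: ON
           Device Logout Timeout: 10 hours
       Enterprise Logout Timeout: 7 days
        Effective Logout Timeout: 10 hours
                     Is SSO User: True
"""

UNIT_MINUTES = {"minute": 1, "hour": 60, "day": 24 * 60}


def parse_this_device(text):
    """Return {field name: value} for every 'Name: value' line."""
    fields = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if sep:
            fields[name.strip()] = value.strip()
    return fields


def to_minutes(duration):
    """Convert '1 hour' / '7 days' / '30 minutes' to minutes, or None if unrecognised."""
    m = re.fullmatch(r"(\d+)\s+(minute|hour|day)s?", duration.strip())
    return int(m.group(1)) * UNIT_MINUTES[m.group(2)] if m else None


def audit(text, max_idle_minutes=480):
    """List findings. max_idle_minutes is a hypothetical local policy, not a Keeper default."""
    fields = parse_this_device(text)
    findings = []
    if fields.get("Persistent Login", "").upper() == "ON":
        findings.append("persistent login is ON: Commander will not prompt "
                        "for authentication on this device")
    raw = fields.get("Effective Logout Timeout")
    if raw is None:
        findings.append("Effective Logout Timeout not found in output")
    else:
        minutes = to_minutes(raw)
        if minutes is None:
            findings.append(f"could not parse timeout {raw!r}")
        elif minutes > max_idle_minutes:
            findings.append(f"effective logout timeout {raw} ({minutes} min) "
                            f"exceeds policy of {max_idle_minutes} min")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("FINDING:", finding)
```
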

Working with Commander


Last updated 2 months ago
