Commands for performing password rotations on target systems.
Keeper has also launched a zero-trust Password Rotation feature with KeeperPAM. This new capability is recommended for most password rotation use cases. The Documentation is linked below:
Commander
Whether using the interactive shell, CLI or JSON config file, Keeper supports the following commands. Each command supports additional parameters and options.
To get help on a particular command, run:
help <command>
Command: rotate or r
Detail: Rotate a record's password
To be eligible for rotation, a record must have the custom field 'cmdr:plugin'='noop'
Parameters:
Record name or UID to rotate
Switches:
--print display updated record content after rotation
--match <REGULAR EXPRESSION> select all records that match this expression to rotate
--password <NEW PASSWORD> sets a new password. Commander generates random password if switch omitted. Ignored when passwords are rotated with --match parameter.
Examples:
Rotate the password of the record titled "dev" in the "servers" folder
Rotate the password of the record with the given UID
Rotate the password of all records that end with "machine" (Using regex)
Rotate the password of the given record UID with the specific password provided
Command: set
Detail: Set an environment variable
Parameters:
environment name, value to set
format:
set <name> <value>
Examples:
Set the MySecret variable to XXX
Command: echo
Detail: Display environmental variables
Parameters:
argument to display (optional)
format:
echo ${<variable>}
If no argument is given, all environment variables are shown
Examples:
Display all currently set environment variables
Display the value for the MySecret variable
Rotate passwords on any remote system using Keeper Commander plugins
Keeper Commander has a feature which can communicate to internal and external systems for the purpose of rotating a password and synchronizing the change to your Keeper Vault. We accomplish this by associating a Keeper record with a physical system through the use of custom fields. For example, you might want to rotate your MySQL password, Active Directory password and local Administrator password automatically.
Typed records add simplicity to Commander rotation. Commander can scan fields and make intelligent decisions about the rotation type, and connection details. Record types such as the standard "SSH Key" or "Server" types make it easy to create records that are ready for rotation.
Each rotation plugin has slightly different requirements; select from the list of plugins on the left nested under this page to learn more.
Commander will identify the type of rotation to use automatically based on the values supplied to the record. For example, a record with a PORT value of 22 will use the SSH rotation plugin by default. The rotation plugin can also be specified during rotation or with a custom record field.
Optionally, any records can use custom fields as configuration for rotation. See table below for an example of custom fields.
Older, non-typed records require some additional setup in order to support Commander rotation.
To support a rotation plugin, simply add a set of custom field values to the Keeper record. The custom field values tell Commander which plugin to use, and what system to communicate with when rotating the password. To modify your Keeper record to include custom fields, login to Keeper on the or app.
Example custom fields for MySQL password rotation:
When a plugin is specified in a record, Commander will search in the plugins/ folder to load the module based on the name provided (e.g. mysql.py) then it will use the values of the Keeper record to connect, rotate the password and save the resulting data.
Check out the for all of the available plugins. Keeper's team adds new plugins on an ongoing basis. If you need a particular plugin created, send us an email to .
To activate a plugin for a particular Keeper record, you first need to update the custom fields for that record with special keywords that are used by Commander. See the specific plugin for the custom field requirements.
To perform a rotation use the rotate command.
Keeper's team is expanding the number of plugins on an ongoing basis. If you need a particular plugin created or modified, email us at .
| Command | Explanation |
| --- | --- |
| rotate or r | Rotate the password in a record |
| set | Set environment variables that can be used for substitution within other commands or arguments |
| echo | Display environmental variables |
rotate servers/dev
rotate BhRRhjeL4armInSMqv2_zQ --print
rotate --match [0-z]*\machine
rotate BhRRhjeL4armInSMqv2_zQ --password "XXX"
set MySecret XXX
echo
echo ${MySecret}

| Custom Field Name | Custom Field Value |
| --- | --- |
| cmdr:plugin | mysql |
| cmdr:host | 192.168.1.55 |
| cmdr:db | testing |
Rotate Azure AD account passwords
This plugin generates and rotates the Azure AD password for any user.
Rotation supports legacy and typed records. If using typed record, a 'Login' type field is required. Additional fields may be added depending on the rotation type as well. See the instructions below.
Populate the 'Login' field of the Keeper record with the Azure login name
The following fields are required for Azure AD rotation. Create each field with the label indicated and supply the required information.
The following values can customize rotation parameters. Add these options to a record as text fields and set the label to correspond to the parameter as shown in the table.
To rotate Azure passwords, use the rotate command in Commander. Pass the command a record title or UID (or use --match with a regular expression to rotate several records at once)
After rotation is completed, the new password will be stored in the Password field of the record
Rotate PostgreSQL database passwords with Commander
Navigate to new app registration page:
Azure portal -> Azure Active Directory -> App Registrations -> New Registration
Give a name to the application and leave Supported account type as "Accounts in this organizational directory only (Default Directory only - Single tenant)"
Click "Register"
Navigate to Roles and Administrators page:
Azure portal -> Azure Active Directory -> Roles and administrators
Search for Helpdesk Administrator role and click on it
Click on + Add assignments
Search for the application that was created above, select it, and click on "Add"
Navigate to Certificates & Secrets:
Azure portal -> Azure Active Directory -> App Registrations -> Select app that was created above -> Certificates & secrets
Under "Client secrets" click on + New client secret
Give the secret a description and click "Add"
Make sure to copy "Value" of the secret
cmdr:azure_secret
Displayed upon Registration of a new application (under Azure portal -> Azure Active Directory -> App Registrations -> New Registration).
cmdr:azure_client_id
Azure portal -> Azure Active Directory -> App Registrations -> [App name] -> Application (client) ID
cmdr:azure_tenant_id
Azure portal -> Azure Active Directory -> App Registrations -> [App name] -> Directory (tenant) ID
cmdr:azure_cloud
Optional. Azure Cloud. There are 4 physical Azure cloud locations
1. Global. Default location. Omit this property.
2. China
3. German
4. USGov
| Name | Value | Comment |
| --- | --- | --- |
| cmdr:plugin | azureadpwd | (Optional) Tells Commander to use Azure AD Key rotation. This should be either set to the record, or supplied to the rotation command |
| cmdr:rules | | (Optional) password complexity rules |
Commander KeeperPAM commands
This plugin allows rotating a user's password in PostgreSQL Server
Rotation supports legacy and typed records. If using typed record, a 'Login' type field is required. Additional fields may be added depending on the rotation type as well. See the instructions below.
Populate the 'Login' field of the Keeper record with the PostgreSQL login name
If using an untyped record, the host and port can be set to custom fields. See below.
Add a custom field to the record labeled "cmdr:db" and fill the field with the name of the database to use.
These fields can be added to affect the rotation
| Name | Value | Comment |
| --- | --- | --- |
| cmdr:plugin | postgresql | (Optional) Tells Commander to use PostgreSQL rotation. This should be either set to the record, or supplied to the rotation command |
| cmdr:host | | Hostname of your PostgreSQL server. Legacy records require this custom field, typed records can use the hostname and port fields. |
| cmdr:rules | '# uppercase, # lowercase, # numeric, # special' (e.g. 4,6,3,8) | (Optional) Password generation rules |
| Custom Field Name | Custom Field Value |
| --- | --- |
| connect:xxx:env:PGPASSWORD | ${password} |
| connect:xxx | psql --host=${cmdr:host} --port=${cmdr:port} --username=${login} --dbname=${cmdr:db} --no-password |
Here's a screenshot of the Keeper Vault record for this use case:
Rotate AWS Passwords and Keys
Rotation supports legacy and typed records. Additional fields may be added depending on the rotation type as well. See the instructions below.
To run a rotation of AWS Keys, use the rotate command in Commander. Pass the command a record title or UID (or use --match with a regular expression to rotate several records at once)
The following optional values can customize rotation parameters. Add these options to a record as text fields and set the label to correspond to the parameter as shown in the table.
After rotation is completed, the Access Key ID and Secret Key are stored in custom fields on the record with labels: cmdr:aws_key_id and cmdr:aws_key_secret.
Any Keeper user or Keeper Shared Folder associated with the record is updated instantly.
The 'Password' field is ignored when rotating keys
To run a rotation of AWS passwords, use the rotate command in Commander. Pass the command a record title or UID (or use --match with a regular expression to rotate several records at once)
The following optional values can customize rotation parameters. Add these options to a record as text fields and set the label to correspond to the parameter as shown in the table.
The Password field of the Keeper record contains a new password to AWS account.
Automatic password rotation with Commander
You can automate password resets using Commander plugins, with a custom Commander configuration file.
Example:
In this example, we are telling Commander to first download and decrypt records, then rotate the password (record UID iaOXP1fnApRh5DbaRd7MWA) using the plugin programmed into the record. To locate the Record UID, view it in the Commander interactive shell or in the Keeper Web Vault and Desktop App (as seen below).
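An added example, not part of Keeper's documentation or Commander's code: a small audit for an automation config of the kind described here, which checks file permissions and clear-text secrets and lists the rotations that will run unattended. The sample config is constructed, the user address and the file name config.json are placeholders, and the permission check assumes a POSIX system.

```python
import json
import os
import shlex
import stat
import tempfile

# Constructed sample in the shape of the automation config (placeholder values).
SAMPLE_CONFIG = {
    "user": "automation@example.com",
    "password": "somereallystrongpassword",
    "commands": ["d", "r iaOXP1fnApRh5DbaRd7MWA", 'r servers/dev --password "XXX"'],
}


def write_sample_config(directory, mode):
    """Write SAMPLE_CONFIG into directory with the given permission bits."""
    path = os.path.join(directory, "config.json")
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(SAMPLE_CONFIG, fh)
    os.chmod(path, mode)
    return path


def audit_commander_config(path):
    """Return (issues, rotations) for a Commander-style JSON config file."""
    issues, rotations = [], []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    # POSIX check: any group/other bit exposes the stored credentials.
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        issues.append(f"file mode {mode:04o} grants access beyond the owner")
    with open(path, encoding="utf-8") as fh:
        cfg = json.load(fh)
    if cfg.get("password"):
        issues.append("'password' is stored in clear text")
    for cmd in cfg.get("commands", []):
        argv = shlex.split(cmd)
        if not argv or argv[0] not in ("r", "rotate"):
            continue
        rotations.append(cmd)  # unattended rotations, listed for review
        if "--password" in argv:
            # Never echo the value itself into the finding.
            issues.append("a rotation command carries a fixed --password value")
    return issues, rotations


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for mode in (0o644, 0o600):
            issues, rotations = audit_commander_config(write_sample_config(tmp, mode))
            print(f"{mode:04o}: issues={issues} rotations={rotations}")
```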
Rotate and Connect to MySQL databases with Keeper Commander
pip install msal
rotate "My Azure Credentials" --plugin azureadpwd
pip3 install psycopg2-binary

| Name | Value | Comment |
| --- | --- | --- |
| cmdr:plugin | awskey | (Optional) Tells Commander to use AWS Key rotation. This should be either set to the record, or supplied to the rotation command |
| cmdr:aws_profile | | (Optional) AWS profile to use to login to AWS with |
| cmdr:aws_sync_profile | | (Optional) if supplied, the AWS secret for the given profile will be updated to the AWS credentials file |
| cmdr:aws_assume_role | AWS Role ARN | (Optional) if supplied, the password rotation plugin assumes this role. The role requires these permissions: iam:DeleteAccessKey, iam:CreateAccessKey, iam:ListAccessKeys |

| Name | Value |
| --- | --- |
| cmdr:aws_key_id | generated AWS Access Key ID |
| cmdr:aws_key_secret | generated AWS Secret Access Key |

| Name | Value | Comment |
| --- | --- | --- |
| cmdr:plugin | awspswd | (Optional) Tells Commander to use AWS Key rotation. This should be either set to the record, or supplied to the rotation command |
| cmdr:rules | | (Optional) password complexity rules |
| cmdr:aws_profile | | (Optional) AWS profile to use to login to AWS with |

pip3 install boto3
pip3 install awscli
aws configure
rotate "My AWS Credentials" --plugin awskey
rotate "My AWS Credentials" --plugin awspswd
{
  "user":"[email protected]",
  "password":"somereallystrongpassword",
  "commands":["d", "r iaOXP1fnApRh5DbaRd7MWA"]
}
The MySQL Commander Plugin requires the PyMySQL plugin version 0.10.1 and does not support more recent versions.
Create a record using either the Keeper Vault UI, or Keeper Commander.
replace 'XXX' with the current database password for this user
| Name | Value | Comment |
| --- | --- | --- |
| cmdr:plugin | mysql | Tells Commander to use MySQL rotation. This should be either set to the record, or supplied to the rotation command |
| cmdr:host | | Hostname of your MySQL server. This can be set here if not set in the record's host field |
| cmdr:rules | '# uppercase, # lowercase, # numeric, # special' (e.g. 4,6,3,8) | Password generation rules |
For Commander versions greater than 4.88
For Commander versions 4.88 and before
Find the UID in the record information popup
Use the search command to find the UID for your record. Replace "MySQL Example" with the name of your record.
To rotate MySQL passwords, use the rotate command in Commander. Pass the command a record title or UID (or use --match with a regular expression to rotate several records at once)
After rotation is completed, the new password will be stored in the Password field of the record
| Custom Field Name | Custom Field Value |
| --- | --- |
| connect:xxx:env:MYSQL_PWD | ${password} |
| connect:xxx | mysql -u${login} -h${cmdr:host} |
Here's a screenshot of the Keeper Vault record for this use case:
cmdr:port
(Optional) PostgreSQL port. 5432 assumed if omitted



Rotate Oracle database passwords with Commander
This plugin allows rotating a user's password in Oracle Database Server
Rotation supports legacy and typed records. If using typed record, a 'Login' type field is required. Additional fields may be added depending on the rotation type as well. See the instructions below.
To connect with DSN string:
To connect using database host and service name
Record Example:
To rotate Oracle passwords, use the rotate command in Commander. Pass the command a record title or UID (or use --match with a regular expression to rotate several records at once)
After rotation is completed, the new password will be stored in the Password field of the record
Rotate SQL Server passwords
edit -r "MySQL Example" --custom '{"cmdr:plugin":"mysql", "cmdr:host":"SQL"}'
edit "MySQL Example" --custom '{"cmdr:plugin":"mysql", "cmdr:host":"SQL"}'
My Vault> search "MySQL Example"
# Record UID Type Title Login URL
--- ---------------------- ------ ------- ------- -----
1 am4TuwGrDpn8NhrGPBAWKw login rtt rotate
UID: am4TuwGrDpn8NhrGPBAWKw
Title: rtt
Login: rotate
text: ['mysql']
text: ['127.0.0.1']
pip3 install -Iv PyMySQL==0.10.1
rotate "MySQL Example" --plugin mysql
This plugin allows rotating a user's password in Microsoft SQL Server
Rotation supports legacy and typed records. If using typed record, a 'Login' type field is required. Additional fields may be added depending on the rotation type as well. See the instructions below.
Commander will use these settings to connect.
Commander will use the password to login to perform the rotation
Create a Text type custom field labeled "cmdr:db" and fill in the name of the database to connect to.
Instead of using the fields above, custom fields can be added with the shown label
| Name | Value | Comment |
| --- | --- | --- |
| cmdr:plugin | mssql | Tells Commander to use Microsoft SQL Key rotation. This should be either set to the record, or supplied to the rotation command |
| cmdr:host | | Hostname of your MSSQL server |
| cmdr:rules | '# uppercase, # lowercase, # numeric, # special' (e.g. 4,6,3,8) | Password generation rules |
To rotate MSSQL passwords, use the rotate command in Commander. Pass the command a record title or UID (or use --match with a regular expression to rotate several records at once)
After rotation is completed, the new password will be stored in the Password field of the record
cmdr:port
MySQL port. 3306 assumed if omitted. This can be set here if not set in the record's host field
cmdr:user_host
User host. '%' assumed if omitted



| Name | Value | Comment |
| --- | --- | --- |
| cmdr:dsn | ex: "(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=localhost)(PORT=1521))(CONNECT_DATA=(SID=XE)))" | Oracle DSN string |
| cmdr:host | | Hostname of your Oracle server |
| cmdr:db | | Database service to connect to on Oracle server |
| cmdr:plugin | oracle | (Optional) Tells Commander to use Oracle rotation. This should be either set to the record, or supplied to the rotation command |
Rotate remote admin passwords with PSPasswd
This plugin provides IT Admins with the ability to rotate the password of a remote system's administrative local password. The password is rotated using the widely used "pspasswd" utility and the change is synchronized to a specific Keeper record in your vault.
The way this plugin is implemented requires that Commander and pspasswd are installed on the Domain Controller.
Assuming all computers are domain-attached and reachable from the Domain Controller, ensure that "Remote Service Management" is allowed for inbound in Domain by enabling the relevant Firewall rule on all computers.
On each of the target computers, go to Windows Firewall rules -> Inbound Rules and enable the "Remote Service Management" rule.
Download the from Microsoft
Extract the PSTools.zip folder to a location on your computer
Add this PSTools folder to your user or system environmental variable "PATH"
(System Properties -> Advanced -> Environmental Variables)
Select PATH and then "Edit"
Rotation supports legacy and typed records. If using typed record, a 'Login' type field is required. Additional fields may be added depending on the rotation type as well. See the instructions below.
Populate the 'Login' field of the Keeper record with the login to use with this rotation.
If using an untyped record, the host and port can be set to custom fields. See below.
The following values can customize rotation parameters. Add these options to a record as text fields and set the label to correspond to the parameter as shown in the table.
To rotate PSPasswd passwords, use the rotate command in Commander. Pass the command a record title or UID (or use --match with a regular expression to rotate several records at once)
After rotation is completed, the new password will be stored in the Password field of the record
Active Directory plugin for Keeper Commander rotation
Rotate Unix passwords with Commander
pip3 install pymssql
rotate "MSSQL Example" --plugin mssql
add type="databaseCredentials" title="MySQL Example" f.host.hostName="127.0.0.1" f.host.port="3306" f.login="DBAdmin Smith" f.password="XXX"
pip3 install oracledb
rotate "Oracle Example" --plugin oracle
;C:\Users\craig\PSTools
On newer systems, just click "New" then type in the full path to the install, e.g.: C:\Users\craig\PSTools
| Name | Value | Comment |
| --- | --- | --- |
| cmdr:plugin | pspasswd | (Optional) Tells Commander to use PSPasswd rotation. This should be either set to the record, or supplied to the rotation command |
| cmdr:host | | Hostname of Computer or Computers where the local account exists. This can be set here if not set in the record's host field |
| cmdr:rules | # uppercase, # lowercase, # numeric, # special (e.g. 4,6,3,8) | (Optional) Password generation rules |


rotate "My Azure Credentials" --plugin pspasswd
This plugin provides IT Admins with the ability to rotate the password of an Active Directory user account. This plugin can be run on any system that has network access to the AD server.
Rotation supports legacy and typed records. If using typed record, a 'Password' type field is required. Additional fields may be added depending on the rotation type as well. See the instructions below.
If using an untyped record, the host and port can be set to custom fields. See below.
The following fields are required for AD rotation. Create each field with the label indicated and supply the required information.
cmdr:use_ssl
True or False
Whether or not to use SSL connection to AD Server
cmdr:userdn
of the AD user you want to rotate the password on.
The following values can customize rotation parameters. Add these options to a record as text fields and set the label to correspond to the parameter as shown in the table.
cmdr:plugin
adpasswd
cmdr:host
Host name or IP address of your AD Server
cmdr:port
Optional: Port number of your AD Server. Default value: 389
To rotate Active Directory passwords, use the rotate command in Commander. Pass the command a record title or UID (or use --match with a regular expression to rotate several records at once)
If you get the error "Error during connection to AD server" try the following:
Ensure your AD supports secure bind via TLS. The certificate can be self-signed if needed.
Disable 'Minimum password age' group policy. It is set to one day by default.
Verify connectivity to the host server, make sure it is accessible. Download a tool such as the Softerra LDAP Browser to test if you're able to connect to Active Directory.
Check that your Distinguished Name cmdr:userdn is set correctly. It needs to be exactly right or else the connection will fail. You can check the value of this from within the Softerra LDAP browser software or you can run the below command prompt utility on the AD Server:
For connecting as Craig in this scenario, make sure the cmdr:userdn custom field contains this exact string (without the quotes).
Microsoft Active Directory requires an SSL connection in order to change the password. The following link explains how to set up a secure connection to Active Directory
This plugin allows rotating a local user's password using the Unix passwd command.
Rotation supports legacy and typed records. If using typed record, a 'Login' type field is required. Additional fields may be added depending on the rotation type as well. See the instructions below.
Populate the 'Login' field of the Keeper record with the login to use with this rotation.
The following values can customize rotation parameters. Add these options to a record as text fields and set the label to correspond to the parameter as shown in the table.
| Name | Value | Comment |
| --- | --- | --- |
| cmdr:plugin | unixpasswd | (Optional) Tells Commander to use Unix password rotation. This should be either set to the record, or supplied to the rotation command |
| cmdr:rules | '# uppercase, # lowercase, # numeric, # special' (e.g. 4,6,3,8) | (Optional) Password generation rules |
To rotate Unix passwords, use the rotate command in Commander. Pass the command a record title or UID (or use --match with a regular expression to rotate several records at once)
After rotation is completed, the new password will be stored in the Password field of the record




Rotate SSH keys with Commander
The SSH plugin for Keeper Commander gives you the ability to generate and rotate SSH keys to one or more target systems, or rotate any local or remote user's Unix/Linux password.
This plugin requires OpenSSL and OpenSSH packages to be installed on the computer running Keeper Commander.
To verify installation, open the Terminal application and make sure the 'openssl' and 'ssh' commands are installed and accessible through the system PATH environment variable.
Plugin name: ssh
Rotation supports legacy and typed records. If using typed record, a 'Login' type field is required. Additional fields may be added depending on the rotation type as well. See the instructions below.
The standard "SSH Key" record type is a good fit for SSH rotations.
If using an untyped record, the host and port can be set to custom fields. See below.
The following values can customize rotation parameters. Add these options to a record as text fields and set the label to correspond to the parameter as shown in the table.
When setting up this plugin for the first time please use the following steps:
Populate the Title, Login, and Hostname or IP and Port fields of the Keeper record.
Execute the rotate command on the Keeper shell for this record. Commander will generate the public and private keys and store them in the record. Copy or save the public key and save this to the file .ssh/authorized_keys in the target hosts - this step must be done manually the first time or you can use the ssh-copy-id unix command.
Make sure to set the permissions of the authorized_keys file on the target system. chmod 700 ~/.ssh; chmod 600 ~/.ssh/authorized_keys
Execute rotate command on Keeper shell to perform a full rotation. If successful, the target hosts will be updated with the newly generated public key and the Keeper record will be updated with the private/public key pair.
To rotate SSH passwords, use the rotate command in Commander. Pass the command a record title or UID (or use --match with a regular expression to rotate several records at once)
pip3 install ldap3
rotate "AD Password Rotator" --plugin adpasswd
C:\Users\craig>dsquery user -name Craig*
"CN=Craig Lurey,CN=Users,DC=keeper,DC=test,DC=keepersecurity,DC=com"
pip3 install pexpect
rotate "My Azure Credentials" --plugin unix
cmdr:rules
Optional password complexity rules



| Name | Value | Comment |
| --- | --- | --- |
| cmdr:plugin | sshkey \| ssh | (Optional) Tells Commander to use ssh key or ssh password rotation. This should be either set to the record, or supplied to the rotation command |
| cmdr:host | | (Optional) Host name or IP address of target server. Can be added as a custom field if not entered as a record field |
| cmdr:rules | '# uppercase, # lowercase, # numeric, # special' (e.g. 4,6,3,8) | (Optional) Password generation rules |



rotate "SSH Credentials" --plugin sshkey
rotate "SSH Credentials" --plugin ssh



Rotate Windows user passwords with Commander
This plugin allows rotating a Windows user's password using the net user command.
Rotation supports legacy and typed records. If using typed record, a 'login' type field is required. Additional fields may be added depending on the rotation type as well. See the instructions below.
Populate the 'Login' field of the Keeper record with the login to use with this rotation.
This plugin rotates passwords for both local and Active Directory accounts. When rotating an Active Directory password, use the DOMAIN\USERNAME syntax for the Login field.
To rotate Windows passwords, use the rotate command in Commander. Pass the command a record title or UID (or use --match with a regular expression to rotate several records at once)
After rotation is completed, the new password will be stored in the Password field of the record
| Name | Value | Comment |
| --- | --- | --- |
| cmdr:plugin | windows | (Optional) Tells Commander to use Windows rotation. This should be either set to the record, or supplied to the rotation command |
| cmdr:rules | '# uppercase, # lowercase, # numeric, # special' (e.g. 4,6,3,8) | (Optional) Password generation rules |

rotate "Windows Example" --plugin windows
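
The cmdr:rules value used in the plugin tables on this page, worked through as an added example (not Commander's own generator): it parses the four counts and builds a password from a CSPRNG. The special-character set, and the choice to treat the counts as exact when generating and as minimums when checking, are assumptions, since the page specifies neither.

```python
import secrets
import string

# Assumption: the page does not list the special characters Commander draws from.
SPECIAL = "!@#$%^&*()-_=+[]{}"
# Order matches the rules string: uppercase, lowercase, numeric, special.
CLASSES = (string.ascii_uppercase, string.ascii_lowercase, string.digits, SPECIAL)


def parse_rules(rules):
    """Parse 'upper,lower,numeric,special' counts, e.g. '4,6,3,8'."""
    parts = [p.strip() for p in rules.split(",")]
    if len(parts) != 4 or not all(p.isdecimal() for p in parts):
        raise ValueError(f"expected four comma-separated counts, got {rules!r}")
    counts = tuple(int(p) for p in parts)
    if sum(counts) == 0:
        raise ValueError("rules produce an empty password")
    return counts


def generate(rules):
    """Draw exactly the requested count from each class, then shuffle."""
    chars = []
    for count, alphabet in zip(parse_rules(rules), CLASSES):
        chars.extend(secrets.choice(alphabet) for _ in range(count))
    # Shuffle with the OS CSPRNG so class positions are not predictable.
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def class_counts(password):
    """Count characters per class, in the same order as the rules string."""
    return tuple(sum(c in alphabet for c in password) for alphabet in CLASSES)


def satisfies(password, rules):
    """True if the password has at least the required count in every class."""
    needed = parse_rules(rules)
    return all(have >= need for have, need in zip(class_counts(password), needed))


if __name__ == "__main__":
    pw = generate("4,6,3,8")
    print(len(pw), class_counts(pw), satisfies(pw, "4,6,3,8"))
```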




