
Connection Commands

About

Commander can use credentials from your vault to facilitate connections directly from the CLI.

See the nested pages for more information on Commander's connection capability.


SSH

Using Keeper Commander with SSH connections

For a full remote connection management tool that supports privileged sessions, session recording and other advanced capabilities over zero-trust cloud connections, we recommend using our KeeperPAM platform.

This SSH capability described in Commander uses direct line-of-sight SSH connections.

SSH

Keeper Commander can launch SSH connections utilizing content and metadata stored in a Keeper Vault record. The ssh command is used to make SSH connections. To use this command, pass it a record that holds the SSH connection details.

ssh command

Command: ssh

Detail: Establishes connection to external server using SSH.

Parameters:

record UID or path to a record

The SSH command is compatible with "SSH Key" and "Server" type records.

optionally an SSH endpoint in the following format:

LOGIN@HOST[:PORT]

If no record is provided to the ssh command, all the compatible records in your vault will be listed.

Examples

Make a connection

ssh qTUzddtffRvsS1L8_ytO1A

See compatible records

My Vault> ssh
  #  Record UID              Type               Title                     Description
---  ----------------------  -----------------  ------------------------  -----------------------------------
  1  xwwCv4We6JqYaw3qMdykYw  serverCredentials  Connection                My_Login @ 10.0.160.7:3389
  2  qTUzddtffRvsS1L8_ytO1A  sshKeys            SSH Connection            My_Connection_Login @ 10.0.160.7:22

SSH Agent

Commander can run an SSH Agent service for establishing remote connections.

For a full remote connection management tool that supports privileged sessions, session recording and other advanced capabilities over zero-trust cloud connections, we recommend using our KeeperPAM platform.

This SSH Agent described in Commander uses direct line-of-sight SSH connections. The KeeperPAM platform includes an SSH Agent within the Keeper Desktop application.

SSH Agent

The ssh-agent command is used to load up all of the SSH keys in the vault and start an SSH Agent service. SSH connections can be seamlessly established directly using the Keeper Commander SSH Agent without having to store keys on the local filesystem. SSH connections can then be established using any standard terminal.

The SSH agent service scans all records in the Keeper Vault based on different criteria such as:

  • A record type "SSH Key" or "Server" with a private key and optional password/passphrase

  • Any record with a single SSH key file attachment

ssh-agent command

Command: ssh-agent

Detail: Starts a local SSH Agent process on the local computer using keys from the vault.

Options:

  • start: Starts the SSH Agent service and loads up all keys

  • stop: Stops the SSH Agent service

  • info: Displays SSH Agent status

  • log: Displays connection log history

Examples

Starting the SSH Agent Service from the Commander CLI

ssh-agent start

Directly starting the SSH Agent without the shell:

keeper ssh-agent start

To use the SSH Agent from your favorite terminal or connection tool, the environment variable SSH_AUTH_SOCK must be set in the terminal or in your startup file. For example:

export SSH_AUTH_SOCK=~/.keeper/me@demo.com.ssh_agent

Then, simply SSH from your terminal:

$ ssh <host>
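A stale SSH_AUTH_SOCK value (the agent was stopped, or the machine rebooted and the socket file was left behind) is the usual reason an ssh client silently falls back to password prompts. The following is an added example, not Commander's own code: it checks that the path is a Unix socket with a listening process behind it before an ssh child process inherits the variable. The socket path is the one from the export line above; the `start_fake_agent` helper only stands in for a real agent so the check can be exercised offline.

```python
"""Verify SSH_AUTH_SOCK points at a live agent socket before launching ssh.
Added illustration, not Keeper Commander code."""
import os
import socket
import stat
import tempfile


def agent_socket_ok(path: str) -> bool:
    """True if `path` is a Unix domain socket that currently accepts connections.

    A path that does not exist, is a regular file, or is a socket file whose
    owning process has exited all count as unusable.
    """
    try:
        st = os.stat(path)
    except OSError:
        return False
    if not stat.S_ISSOCK(st.st_mode):
        return False
    # Probe: a listening agent accepts; a leftover socket file refuses.
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as probe:
        probe.settimeout(1.0)
        try:
            probe.connect(path)
        except OSError:
            return False
    return True


def ssh_env(agent_path: str) -> dict:
    """Environment for a child ssh process; fails loudly on a dead agent socket
    instead of inheriting a value that will only produce a confusing prompt."""
    if not agent_socket_ok(agent_path):
        raise RuntimeError(f"SSH agent socket not available: {agent_path}")
    env = dict(os.environ)
    env["SSH_AUTH_SOCK"] = agent_path
    return env


def start_fake_agent(directory: str):
    """Constructed stand-in for an agent: a listening Unix socket in `directory`.
    Returns (server_socket, path); close the socket to simulate a stopped agent."""
    path = os.path.join(directory, "agent.sock")
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    srv.listen(1)
    return srv, path


if __name__ == "__main__":
    # Path from the documentation example; adjust to your own account.
    real = os.path.expanduser("~/.keeper/me@demo.com.ssh_agent")
    print("agent reachable" if agent_socket_ok(real) else "agent not reachable")
    # Demonstrate live vs. stale detection with the constructed agent.
    srv, path = start_fake_agent(tempfile.mkdtemp())
    print("live:", agent_socket_ok(path))
    srv.close()
    print("stale:", agent_socket_ok(path))
```

Run the check once at shell start (or before each connection) and you get an immediate, specific error instead of an unexpected password prompt when the Commander agent is not running.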

Stopping the SSH Agent service

ssh-agent stop

RDP

Using Keeper Commander with RDP connections

For a full remote connection management tool that supports privileged sessions, session recording and other advanced capabilities over zero-trust cloud connections, we recommend using our KeeperPAM platform.

This RDP command described in Commander uses direct line-of-sight RDP connections.

RDP command

Keeper Commander can launch RDP connections utilizing content and metadata stored in a Keeper Vault record. The rdp command is used to make connections. To use this command, pass it a record that holds the RDP connection details.

Command: rdp

Detail: Establishes RDP connection to remote Windows servers. This command is only available on Windows machines running Commander.

Parameters:

record UID or path to a record

The RDP command is compatible with "Server" type records on Windows machines.

If no record is provided to the rdp command, all the compatible records in your vault will be listed.

Examples

Make a connection

rdp xwwCv4W3dJqYa22qMdykYw

See compatible records

My Vault> rdp
  #  Record UID              Type               Title                     Description
---  ----------------------  -----------------  ------------------------  ------------------------------
  1  xwwCv4W3dJqYa22qMdykYw  serverCredentials  RDP Connection            My_RDP_Login @ 10.0.161.7:3389

Connect Command

Connect to RDP and SSH servers from the Commander CLI

The connect command is deprecated from Commander versions 16.5.8 and later.

For a full remote connection management tool that supports privileged sessions, session recording and other advanced capabilities over zero-trust cloud connections, we recommend using our KeeperPAM platform.

This "Connect" command described in Commander uses direct line-of-sight access.

Connect Command

Using the connect command, Keeper Commander can launch SSH, RDP or other types of connections utilizing content and metadata stored in the Keeper Vault record. Command-line parameters and environmental variables can be supplied through custom fields and file attachments.

The connect command reads the record's custom fields with names starting with "connect:".

connect command:

Command: connect

Detail: Connect directly to a server using SSH, RDP, or other protocol.

Parameters:

Endpoint name or full record path to endpoint

Switches:

--syntax-help see help for command and template parameters

-n, --new request per-user data

-s, --sort <{endpoint, title, folder}> choose field to sort by

-f, --filter <FILTER BY> filter output

Examples

SSH to a Server via Gateway

In this example, we are showing how to connect to a server through an SSH gateway. The following custom fields are set inside a Keeper record:

Custom Field Name        Custom Field Value
-----------------------  ------------------------------------------------------------------------------------------------------------------
connect:xxx:description  Production Server via Gateway
connect:xxx              ssh -o "ProxyCommand ssh -i ${file:gateway.pem} ec2-user@gateway -W %h:%p" -i ${file:server.pem} ec2-user@server
File Attachment          gateway.pem
File Attachment          server.pem

xxx refers to the friendly name which can be referenced when connecting on the command line.

To connect to a server, simply run the following command:

My Vault> connect my_server
Connecting to my_server...

Last login: Sat Sep 28 00:25:34 2019 from 12.23.34.5
ec2-user@my_server:~$ 
ec2-user@my_server:~$ logout
Connection to my_server closed.
My Vault>                   

If the SSH private key is encrypted with a passphrase, you will be prompted every time to type in the passphrase. To avoid this, we recommend using the SSH Agent variation described in the next section.

SSH using SSH Agent

Commander can integrate with the local SSH agent to register RSA private keys. This eliminates the need for you to type in the SSH passphrase every time you connect to the remote system. Commander uses the SSH_AUTH_SOCK environment variable on Mac OS / Linux systems. The PowerShell OpenSSH implementation is supported on Windows systems.

To enable integration with ssh-agent, ensure that the SSH_AUTH_SOCK environment variable is set on POSIX-compatible systems. For Microsoft Windows, ensure the SSH Agent system service is running. Keeper's connect command uses SSH Agent to temporarily store the private key used in the connection session. After the session disconnects, the private key is removed.

To utilize SSH Agent for connecting to a remote system, simply add one additional custom field to the Vault record:

Custom Field Name        Custom Field Value
-----------------------  -------------------
connect:xxx:ssh-key:yyy  ${zzz} ${password}

or, if the SSH key is stored in a file attachment:

Custom Field Name        Custom Field Value
-----------------------  ------------------------
connect:xxx:ssh-key:yyy  ${body:zzz} ${password}

or a reference to a record of SSH Key type:

Custom Field Name        Custom Field Value
-----------------------  -------------------
connect:xxx:ssh-key:yyy  <RECORD UID>

Here, xxx is the friendly name of the connection. yyy is an optional key name used with the SSH agent. zzz references either a custom field (the first form above) or a file attachment (the second form above).

In this example, the first parameter references the private key, the second parameter references the passphrase used to encrypt the private key.

${password} references the value stored in the record's Password field.

Connecting to the remote system using an encrypted passphrase is easy. In our example, to connect to the server called "example2":

My Vault> connect example2
Connecting to example2...

Last login: Sat Sep 28 00:25:34 2019 from 12.23.34.5
craig@example2:~$ 
craig@example2:~$ logout
Connection to example2 closed.
My Vault>                                     

ssh-agent command

The ssh-agent command can be used to manage the ssh agent within Commander.

Sub-commands:

  • start - start the ssh agent

  • stop - stop the ssh agent

  • info - see the status of the ssh agent

  • log - see the ssh agent logs

Remote Desktop (RDP) Launcher Example

To connect seamlessly to a remote Windows server using the standard Microsoft Remote Desktop application, Keeper executes a pre-login, login, and post-login command via system calls. In this example, the "pre-login" command stores the password temporarily in the Windows Credential Manager for the current user. The "login" command initiates the connection using an RDP template file and the stored credentials (the RDP template file is optional). Upon session termination, the "post-login" command is executed, which deletes the password from the Credential Manager.

Vault Record Fields:

Custom Field Name             Custom Field Value
----------------------------  -----------------------------------------------------------------
connect:rdp_demo:description  Remote connection to Demo Server
connect:rdp_demo:pre          cmdkey /generic:12.34.56.78 /user:${login} /pass:${password} > NUL
connect:rdp_demo              mstsc ${file:Default.rdp}
connect:rdp_demo:post         cmdkey /delete:12.34.56.78 > NUL
File Attachment               Default.rdp

Note: The Default.rdp file is saved from Remote Desktop Connection with your desired configuration.

Supported parameter substitutions

You can customize the commands with parameter substitutions described below:

  • ${user_email}: Email address of Keeper user

  • ${login}: Record login field

  • ${password}: Record password field

  • ${text:<name>}: Custom per-user variable, prompted for value, not shared

  • ${mask:<name>}: Custom per-user variable, prompted for value, not shared

  • ${file:<attachment_name>}: Stored in a temp file during use and deleted after the connection closes.

  • ${body:<attachment_name>}: Raw content of the attachment file.
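The "connect:" custom-field convention, the pre/login/post ordering of the RDP launcher example, and the parameter substitutions listed above all describe one mechanism. The block below is an added illustration of that mechanism, not Commander's implementation: it groups the custom fields of a record by endpoint name, renders the ${...} parameters, writes ${file:...} attachments to temporary files that exist only for the duration of the commands, and runs the post-login command plus temp-file removal in a finally block so a failed login still cleans up. The record values, attachment content and the `execute` callback (which replaces a real system call) are constructed for the demo; the ssh-key sub-field is not modelled.

```python
"""Model of connect-style endpoint rendering. Added example, not Keeper code."""
import os
import re
import tempfile
from typing import Callable, Dict, List

# ${kind} or ${kind:argument}, e.g. ${password} or ${file:Default.rdp}
PARAM = re.compile(r"\$\{([a-z_]+)(?::([^}]+))?\}")

# Constructed sample record mirroring the RDP launcher example above.
SAMPLE_FIELDS = {
    "connect:rdp_demo:description": "Remote connection to Demo Server",
    "connect:rdp_demo:pre": "cmdkey /generic:12.34.56.78 /user:${login} /pass:${password} > NUL",
    "connect:rdp_demo": "mstsc ${file:Default.rdp}",
    "connect:rdp_demo:post": "cmdkey /delete:12.34.56.78 > NUL",
}
SAMPLE_RECORD = {"login": "demo_user", "password": "s3cret", "user_email": "me@demo.com"}
SAMPLE_ATTACHMENTS = {"Default.rdp": b"full address:s:12.34.56.78\r\n"}


def endpoints(custom_fields: Dict[str, str]) -> Dict[str, Dict[str, str]]:
    """Group `connect:<name>[:<part>]` fields by <name>.
    Parts handled here: "" (login command), "description", "pre", "post"."""
    out: Dict[str, Dict[str, str]] = {}
    for key, value in custom_fields.items():
        if not key.startswith("connect:"):
            continue
        _, name, *rest = key.split(":", 2)
        out.setdefault(name, {})[rest[0] if rest else ""] = value
    return out


def render(template: str, record: Dict[str, str], attachments: Dict[str, bytes],
           temp_files: List[str], prompt: Callable[[str, str], str]) -> str:
    """Substitute the documented parameters. ${file:..} materialises the
    attachment as a 0600 temp file and records it for later deletion."""
    def sub(m: "re.Match") -> str:
        kind, arg = m.group(1), m.group(2)
        if kind in ("login", "password", "user_email"):
            return record[kind]
        if kind in ("text", "mask"):           # per-user values, asked interactively
            return prompt(kind, arg)
        if kind == "body":
            return attachments[arg].decode()
        if kind == "file":
            fd, path = tempfile.mkstemp(prefix="keeper-")
            with os.fdopen(fd, "wb") as fh:
                fh.write(attachments[arg])
            os.chmod(path, 0o600)
            temp_files.append(path)
            return path
        raise KeyError(f"unknown parameter ${{{kind}}}")
    return PARAM.sub(sub, template)


def run_endpoint(name: str, custom_fields: Dict[str, str], record: Dict[str, str],
                 attachments: Dict[str, bytes], execute: Callable[[str], None],
                 prompt: Callable[[str, str], str] = lambda kind, arg: "") -> dict:
    """Run pre, then login; post and temp-file cleanup always run afterwards.
    Returns the rendered commands and any temp files that survived cleanup."""
    ep = endpoints(custom_fields)[name]
    temp_files: List[str] = []
    commands: List[str] = []
    try:
        for part in ("pre", ""):
            if part in ep:
                cmd = render(ep[part], record, attachments, temp_files, prompt)
                commands.append(cmd)
                execute(cmd)
    finally:
        if "post" in ep:                       # e.g. remove the cmdkey credential
            cmd = render(ep["post"], record, attachments, temp_files, prompt)
            commands.append(cmd)
            execute(cmd)
        for path in temp_files:                # ${file:..} lives only for the session
            try:
                os.remove(path)
            except FileNotFoundError:
                pass
    return {"commands": commands,
            "leftover": [p for p in temp_files if os.path.exists(p)]}


if __name__ == "__main__":
    result = run_endpoint("rdp_demo", SAMPLE_FIELDS, SAMPLE_RECORD,
                          SAMPLE_ATTACHMENTS, lambda cmd: print("would run:", cmd))
    print("temp files left behind:", result["leftover"])
```

The design point to carry over to a real launcher is that the credential-removing post command and the temp-file deletion sit in a finally clause: if mstsc or ssh fails to start, the cached credential and the on-disk copy of the attachment are still removed.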

Listing all available connections

To get a list of available connections, type:

My Vault> connect

Initiating connections

To initiate a connection (using the SSH/RDP examples) from Commander simply type:

My Vault> connect my_server

or

My Vault> connect rdp_demo

Alternatively, you can execute the connection from the terminal without the interactive shell:

$ keeper connect my_server

Notes:

  • A single vault record can contain any number of connection references, or the connections can be separated one per record.

  • If a system command requires user interaction (e.g. if a passphrase is included on an SSH key file), Commander will prompt for input.

  • Just like any other Keeper vault record, a connection record can be shared among a team, shared to another Keeper user or remain private.

SFTP Sync

Sync files from a SFTP server with credentials in the Keeper Vault

About

Use credentials stored in the Keeper Vault to facilitate a connection to your SFTP server, then Commander can automatically download files from the server to a specified location on your machine.

Secure your SFTP credentials, or automate file download or backup with Commander.

Sync Files

To use the Commander SFTP sync, utilize the rsync command.

First Time Setup

The first time you run the SFTP sync, you need to provide the plugin type, path to remote files, and credentials record to use.

--plugin the plugin type to use (use SFTP)

--remote-path path to files you want to download in the SFTP directory

--record UID or path to record that holds the SFTP credentials

Example:

rsync "path/to/files_location/" --plugin sftp --remote-path "/path/to/files" --record "credentials/SFTP creds"

Once you have specified these options once, Commander will retain the settings by saving them to the record you provided. Subsequent SFTP syncs can be run by only providing the location to download files to.

rsync "path/to/files_location/"

Automating Sync

Commander can be automated in a number of ways. See the Batch Mode documentation for more information. This section will cover an example of automating the SFTP sync.

Run Recurring SFTP Sync

Commander can be configured to run commands on a given cadence by editing the Commander configuration file.

After you have run the first time setup for the SFTP sync, Commander can be configured to sync on a given cadence.

To automate Commander to sync with your SFTP server every 24 hours, add the following fields to the configuration:

"commands": ["rsync"],

"timedelay": 86400

Complete configuration file example:

sync.conf
{
    "server": "keepersecurity.eu",
    "user": "services@company.com",
    "private_key": "yaeK4jMeIGNkSR2[...]AA",
    "device_token": "g6RDMxr[...]z-xQ",
    "commands": ["rsync"],
    "timedelay": 86400
}

Once configured, run Commander with the edited configuration file to start the automation. This can be done from the command line/terminal.

$> keeper shell --config "/sync.conf"

Note that there may be additional fields in your configuration file. See the documentation for more information.

Commander will continue to run while it waits for the next command run. If Commander is terminated, or the machine is turned off, Commander will need to be started again to continue.