Rotate SSH keys with Commander
Keeper has launched a new Password Rotation feature with Keeper Secrets Manager. This new capability is recommended for all password rotation use cases. The Documentation is linked below:
Password Rotation with Keeper Secrets Manager
The SSH plugin for Keeper Commander gives you the ability to generate and rotate SSH keys to one or more target systems, or rotate any local or remote user's Unix/Linux password.
This plugin requires OpenSSL and OpenSSH packages to be installed on the computer running Keeper Commander.
To verify Installation, open the Terminal application and make sure 'openssl'
and 'ssh'
commands are installed and accessible with the system PATH environment variable.
Plugin name: ssh
Rotation supports legacy and typed records. If using typed record, a 'Login' type field is required. Additional fields may be added depending on the rotation type as well. See the instructions below.
The standard "SSH Key" record type is a good fit for SSH rotations.
See the Troubleshooting section for more information on legacy vs typed records
If using an untyped record, the host and port can be set to custom fields. See below.
TIP: If no rotation plugin is specified, Commander will use the port number to guess which rotation to use. Port 22 will use SSH rotation
The following values can customize rotation parameters. Add these options to a record as text fields and set the label to correspond to the parameter as shown in the table.
cmdr:plugin
sshkey | ssh
(Optional) Tells Commander to use ssh key or ssh password rotation. This should be either set to the record, or supplied to the rotation command
cmdr:host
(Optional) Host name or IP address of target server. Can be added as a custom field if not entered as a record field
cmdr:rules
# uppercase, # lowercase, # numeric, # special'
(e.g. 4,6,3,8)
(Optional) Password generation rules
For SSH Key rotation, In order to automate the rotation of the public key on the target server, the public key must be manually updated one time
in .ssh/authorized_keys on the target host(s).
After it has been set this first time, subsequent rotations will be automated and updated by Commander.
When setting up this plugin for the first time please use the following steps:
Populate the Title, Login, and Hostname or IP and Port fields of the Keeper record.
Execute the rotate
command on the Keeper shell for this record. Commander will generate the public and private keys and store them in the record. Copy or save the public key and save this to the file .ssh/authorized_keys
in the target hosts - this step must be done manually the first time or you can use the ssh-copy-id
unix command.
Make sure to set the permissions of the authorized_keys file on the target system. chmod 700 ~/.ssh; chmod 600 ~/.ssh/authorized_keys
Execute rotate
command on Keeper shell to perform a full rotation. If successful, the target hosts will be updated with the newly generated public key and the Keeper record will be updated with the private/public key pair.
This plugin makes an assumption that the target system uses the default settings for SSH service, i.e. authorized_keys
file is located in the .ssh
directory of the user HOME directory.
For more information on the rotate
command see documentation
To rotate SSH passwords, use the rotate
command in Commander. Pass the command a record title or UID (or use --match
with a regular expression to rotate several records at once)
The plugin can be supplied to the command as shown here, or added to a record field (see options above). If not supplied, Commander will use the port field to identify which plugin to use. In this case port 22 means the ssh plugin is used. Adding the plugin type to the record makes it possible to rotate several records at once with different plugins.