Commander can use credentials from your vault to facilitate connections directly from the CLI.
See the nested pages for more information on Commander's connection capability.
Using Keeper Commander with SSH connections
For a full remote connection management tool that supports privileged sessions, session recording and other advanced capabilities, we recommend using our new product Keeper Connection Manager ("KCM").
KCM is an agentless remote desktop gateway that provides secure and effortless access to RDP, SSH, database and Kubernetes endpoints through a web browser.
Keeper Commander can launch SSH connections utilizing content and metadata stored in a Keeper Vault record. The ssh command is used to make SSH connections. To use this command, pass it a record that holds the SSH connection details.
Command: ssh
Detail: Establishes a connection to an external server using SSH.
Parameters:
record UID or path to a record. The SSH command is compatible with "SSH Key" and "Server" type records.
optionally, an SSH endpoint in the following format: LOGIN@HOST[:PORT]
If no record is provided to the ssh command, all the compatible records in your vault will be listed.
Make a connection
See compatible records
Commander can run an SSH Agent service for establishing remote connections.
The ssh-agent command is used to load up all of the SSH keys in the vault and start an SSH Agent service. SSH connections can be seamlessly established directly using the Keeper Commander SSH Agent without having to store keys on the local filesystem. SSH connections can then be established using any standard terminal.
The SSH agent service scans all records in the Keeper Vault based on different criteria such as:
A record type "SSH Key" or "Server" with a private key and optional password/passphrase
Any record with a single SSH key file attachment
Command: ssh-agent
Detail: Starts a local SSH Agent process on the local computer using keys from the vault.
Options:
start: Starts the SSH Agent service and loads up all keys
stop: Stops the SSH Agent service
info: Displays SSH Agent status
log: Displays connection log history
Starting the SSH Agent Service from the Commander CLI
Directly starting the SSH Agent without the shell:
To use the SSH Agent from your favorite terminal or connection tool, the environment variable SSH_AUTH_SOCK must be set in the terminal or in your startup file. For example:
export SSH_AUTH_SOCK=~/.keeper/me@demo.com.ssh_agent
Then, simply SSH from your terminal:
$ ssh <host>
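A pre-flight check for the agent socket named in SSH_AUTH_SOCK, as an added example that is not part of the Keeper documentation: any process able to connect to that socket can ask the agent to sign with the vault's keys, so the script confirms the socket is yours and closed to group and other users before listing the loaded keys. The function name check_agent_sock and its status words are chosen for this example.

```shell
#!/bin/sh
# Added example, not Keeper code. Prints one status word for a socket path:
#   unset | missing | not-socket | not-owner | loose-perms | ok

check_agent_sock() {
    sock=$1
    [ -n "$sock" ] || { echo unset; return 1; }
    [ -e "$sock" ] || { echo missing; return 1; }
    [ -S "$sock" ] || { echo not-socket; return 1; }
    # -O: the path is owned by the effective user running this script.
    [ -O "$sock" ] || { echo not-owner; return 1; }
    # Characters 5-10 of the ls mode string are the group and other bits.
    # The directory is checked too, since some systems ignore socket modes.
    for p in "$sock" "$(dirname -- "$sock")"; do
        bits=$(ls -ld -- "$p" | cut -c5-10)
        [ "$bits" = "------" ] || { echo loose-perms; return 1; }
    done
    echo ok
}

# Check the socket this shell would use, then list the keys the agent offers.
result=$(check_agent_sock "${SSH_AUTH_SOCK:-}") || true
echo "SSH_AUTH_SOCK: $result"
if [ "$result" = ok ] && command -v ssh-add >/dev/null 2>&1; then
    ssh-add -l || true
fi
```

A result of loose-perms means the socket or its parent directory grants some permission to group or other users; tighten both with chmod before relying on the agent.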
Stopping the SSH Agent service
Using Keeper Commander with RDP connections
Keeper Commander can launch RDP connections utilizing content and metadata stored in a Keeper Vault record. The rdp command is used to make connections. To use this command, pass it a record that holds the RDP connection details.
Command: rdp
Detail: Establishes RDP connection to remote Windows servers. This command is only available on Windows machines running Commander.
Parameters:
record UID or path to a record
The RDP command is compatible with "Server" type records on Windows machines.
If no record is provided to the rdp command, all the compatible records in your vault will be listed.
Make a connection
See compatible records
Connect to RDP and SSH servers from the Commander CLI
The connect command is deprecated from Commander versions 16.5.8 and later.
Using the connect command, Keeper Commander can launch SSH, RDP or other types of connections utilizing content and metadata stored in the Keeper Vault record. Command-line parameters and environment variables can be supplied through custom fields and file attachments.
The connect command reads the record's custom fields with names starting with "connect:".
Command: connect
Detail: Connect directly to a server using SSH, RDP, or another protocol.
Parameters:
Endpoint name or full record path to endpoint
Switches:
--syntax-help see help for command and template parameters
-n, --new request per-user data
-s, --sort <{endpoint, title, folder}> choose field to sort by
-f, --filter <FILTER BY> filter output
In this example, we are showing how to connect to a server through an SSH gateway. The following custom fields are set inside a Keeper record:

| Custom Field Name | Custom Field Value |
|---|---|
| connect:xxx:description | Production Server via Gateway |
| connect:xxx | ssh -o "ProxyCommand ssh -i ${file:gateway.pem} ec2-user@gateway -W %h:%p" -i ${file:server.pem} ec2-user@server |
| File Attachment | gateway.pem |
| File Attachment | server.pem |

xxx refers to the friendly name which can be referenced when connecting on the command line.
To connect to a server, simply run the below command:
If the SSH private key is encrypted with a passphrase, you will be prompted every time to type in the passphrase. To avoid this, we recommend using the SSH Agent variation described in the next section.
Commander can integrate with the local SSH agent to register RSA private keys. This eliminates the need for you to type in the SSH passphrase every time you connect to the remote system. Commander uses the SSH_AUTH_SOCK environment variable on macOS / Linux systems. The PowerShell OpenSSH implementation is supported on Windows systems.
To enable integration with ssh-agent, ensure that the SSH_AUTH_SOCK environment variable is set on POSIX-compatible systems. For Microsoft Windows, ensure the SSH Agent system service is running. Keeper's connect command uses SSH Agent to temporarily store the private key used in the connection session. After the session disconnects, the private key is removed.
To utilize SSH Agent for connecting to a remote system, simply add one additional custom field to the Vault record:

| Custom Field Name | Custom Field Value |
|---|---|
| connect:xxx:ssh-key:yyy | ${zzz} ${password} |

or, if the SSH key is stored in a file attachment:

| Custom Field Name | Custom Field Value |
|---|---|
| connect:xxx:ssh-key:yyy | ${body:zzz} ${password} |

or, as a reference to a record of the SSH Key type:

| Custom Field Name | Custom Field Value |
|---|---|
| connect:xxx:ssh-key:yyy | <RECORD UID> |

Here, xxx is the friendly name of the connection. yyy is an optional key name used with the SSH agent. zzz references either the custom field (see the first screenshot below) or file attachment (see the second screenshot).
In this example, the first parameter references the private key, the second parameter references the passphrase used to encrypt the private key.
${password} references the value stored in the record's Password field.
Connecting to the remote system using an encrypted passphrase is easy. In our example, to connect to the server called "example2":
The ssh-agent command can be used to manage the ssh agent within Commander.
Sub-commands:
start - start the ssh agent
stop - stop the ssh agent
info - see the status of the ssh agent
log - see the ssh agent logs
To connect seamlessly to a remote Windows server using the standard Microsoft Remote Desktop application, Keeper executes a command pre-login, login, and post-login via system calls. In this example, the "pre-login" command stores the password temporarily in the Windows credential manager for the current user. The "login" command initiates the connection using an RDP template file and the stored credentials (the RDP template file is optional). Upon session termination, the "post-login" command is executed, which deletes the password from the credential manager.
Vault Record Fields:

| Custom Field Name | Custom Field Value |
|---|---|
| connect:rdp_demo:description | Remote connection to Demo Server |
| connect:rdp_demo:pre | cmdkey /generic:12.34.56.78 /user:${login} /pass:${password} > NUL |
| connect:rdp_demo | mstsc ${file:Default.rdp} |
| connect:rdp_demo:post | cmdkey /delete:12.34.56.78 > NUL |
| File Attachment | Default.rdp |

Note: The Default.rdp file is saved from Remote Desktop Connection with your desired configuration.
Supported parameter substitutions
You can customize the commands with parameter substitutions described below:
Listing all available connections
To get a list of available connections, type:
Initiating connections
To initiate a connection (using the SSH/RDP examples) from Commander simply type:
or
Alternatively, you can execute the connection from the terminal without the interactive shell:
Notes:
A single vault record can contain any number of connection references, or the connections can be separated one per record.
If a system command requires user interaction (e.g. if a passphrase is included on an SSH key file), Commander will prompt for input.
Just like any other Keeper vault record, a connection record can be shared among a team, shared to another Keeper user or remain private.
Sync files from a SFTP server with credentials in the Keeper Vault
Use credentials stored in the Keeper Vault to connect to your SFTP server; Commander can then automatically download files from the server to a specified location on your machine.
Secure your SFTP credentials, or automate file download or backup with Commander.
To use the Commander SFTP sync, utilize the rsync command.
The first time you run the SFTP sync, you need to provide the plugin type, path to remote files, and credentials record to use.
--plugin: the plugin type to use (use SFTP)
--remote-path: path to files you want to download in the SFTP directory
--record: UID or path to record that holds the SFTP credentials
Example:
Once you have specified these options once, Commander will retain the settings by saving them to the record you provided. Subsequent SFTP syncs can be run by only providing the location to download files to.
Commander can be automated in a number of ways. See the Batch Mode documentation for more information. This section will cover an example of automating the SFTP sync.
Commander can be configured to run commands on a given cadence by editing the Commander configuration file.
After you have run the first time setup for the SFTP sync, Commander can be configured to sync on a given cadence.
To automate Commander to sync with your SFTP server every 24 hours, add the following fields to the configuration:
"commands": ["rsync"],
"timedelay": 86400
Complete configuration file example:
Once configured, run Commander with the edited configuration file to start the automation. This can be done from the command line/terminal.
$> keeper shell --config "/sync.conf"
Note that there may be additional fields in your configuration file. See the documentation for more information.
Commander will continue to run while it waits for the next command run. If Commander is terminated, or the machine is turned off, Commander will need to be started again to continue.