Connect Command

Connect to RDP and SSH servers from the Commander CLI

The connect command is deprecated from Commander versions 16.5.8 and later.

For a full remote connection management tool that supports privileged sessions, session recording and other advanced capabilities, we recommend using our new product Keeper Connection Manager ("KCM").

KCM is an agentless remote desktop gateway that provides secure and effortless access to RDP, SSH, database and Kubernetes endpoints through a web browser.

Learn more:

Product Homepage


Connect Command

Using the connect command, Keeper Commander can launch SSH, RDP or other types of connections utilizing content and metadata stored in the Keeper Vault record. Command-line parameters and environmental variables can be supplied through custom fields and file attachments.

The connect command reads the record's custom fields with names starting with "connect:".

connect command:

Command: connect

Detail: Connect directly to a server Using SSH, RDP, or other protocol.


Endpoint name or full record path to endpoint


--syntax-help see help for command and template parameters

-n, --new request per-user data

-s, --sort <{endpoint, title, folder}> choose field to sort by

-f, --filter <FILTER BY> filter output


SSH to a Server via Gateway

In this example, we are showing how to connect to a server through a SSH gateway. The following custom fields are set inside a Keeper record:

Custom Field Name

Custom Field Value


Production Server via Gateway


ssh -o "ProxyCommand ssh -i ${file:gateway.pem} ec2-user@gateway -W %h:%p" -i ${file:server.pem} ec2-user@server

File Attachment


File Attachment


xxx refers to the friendly name which can be referenced when connecting on the command line.

To connect to a server, simply run the below command:

My Vault> connect my_server
Connecting to my_server...

Last login: Sat Sep 28 00:25:34 2019 from
ec2-user@my_server:~$ logout
Connection to my_server closed.
My Vault>                   

If the SSH private key is encrypted with a passphrase, you will be prompted every time to type in the passphrase. To avoid this, we recommend using the SSH Agent variation described in the next section.

SSH using SSH Agent

Commander can integrate with the local SSH agent to register RSA private keys. This eliminates the need for you to type in the SSH passphrase every time you connect to the remote system. Commander uses the SSH_AUTH_SOCK environment variable on Mac OS / Linux systems. The PowerShell OpenSSH implementation is supported on Windows systems.

To enable integration with ssh-agent ensure that SSH_AUTH_SOCK environment variable is set on Posix compatible systems. For Microsoft Windows, ensure the SSH Agent system service is running. Keeper's connect command uses SSH Agent to temporarily store the private key used in the connection session. After the session disconnects, the private key is removed.

To utilize SSH Agent for connecting to a remote system, simply add one additional custom field to the Vault record:

Custom Field Name

Custom Field Value


${zzz} ${password}

or SSH key is stored in the file attachment

Custom Field Name

Custom Field Value


${body:zzz} ${password}

or Reference to the record of SSH Key Type

Custom Field NameCustom Field Value



Here, xxx is the friendly name of the connection. yyy is an optional key name used with the SSH agent. zzz references either the custom field (see the first screenshot below) or file attachment (see the second screenshot).

In this example, the first parameter references the private key, the second parameter references the passphrase used to encrypt the private key.

${password} references the value stored in the record's Password field.

Connecting to the remote system using an encrypted passphrase is easy. In our example, to connect to the server called "example2":

My Vault> connect example2
Connecting to example2...

Last login: Sat Sep 28 00:25:34 2019 from
craig@example2:~$ logout
Connection to example2 closed.
My Vault>                                     

ssh-agent command

The ssh-agent command can be used to manage the ssh agent within Commander.


  • start - start the ssh agent

  • stop - stop the ssh agent

  • info - see the status of the ssh agent

  • log - see the ssh agent logs

Remote Desktop (RDP) Launcher Example

To connect seamlessly to a remote windows server using the standard Microsoft Remote Desktop application, Keeper executes a command pre-login, login, and post-login via system calls. In this example, the "pre-login" command stores the password temporarily in the Windows credential manager for the current user. The "login" command initiates the connection using an RDP template file and the stored credentials (the RDP template file is optional). Upon session termination, the "post login" command is executed that deletes the password from the credential manager.

Vault Record Fields:

Custom Field Name

Custom Field Value


Remote connection to Demo Server


cmdkey /generic: /user:${login} /pass:${password} > NUL


mstsc ${file:Default.rdp}


cmdkey /delete: > NUL

File Attachment


Note: The Default.rdp file is saved from Remote Desktop Connection with your desired configuration.

Supported parameter substitutions

You can customize the commands with parameter substitutions described below:

${user_email}: Email address of Keeper user 
${login}: Record login field
${password}: Record password field
${text:<name>}: Custom per-user variable, prompted for value, not shared 
${mask:<name>}: Custom per-user variable, prompted for value, not shared 
${file:<attachment_name>}: Stored in temp file during use and deleted after connection close,
${body:<attachment_name>}: Raw content of the attachment file.

Listing all available connections

To get a list of available connections, type:

My Vault> connect

Initiating connections

To initiate a connection (using the SSH/RDP examples) from Commander simply type:

My Vault> connect my_server


My Vault> connect rdp_demo

Alternatively, you can execute the connection from the terminal without the interactive shell:

$ keeper connect my_server


  • A single vault record can contain any number of connection references, or the connections can be separated one per record.

  • If a system command requires user interaction (e.g. if a passphrase is included on an SSH key file), Commander will prompt for input.

  • Just like any other Keeper vault record, a connection record can be shared among a team, shared to another Keeper user or remain private.

Last updated