
Password Rotation

Rotate passwords on any remote system using Keeper Commander plugins

Keeper has also launched a zero-trust Password Rotation feature with KeeperPAM. This new capability is recommended for most password rotation use cases. The Documentation is linked below:

  • Password Rotation with KeeperPAM

  • Commander KeeperPAM commands

Password Rotation

Keeper Commander has a feature which can communicate to internal and external systems for the purpose of rotating a password and synchronizing the change to your Keeper Vault. We accomplish this by associating a Keeper record with a physical system through the use of custom fields. For example, you might want to rotate your MySQL password, Active Directory password and local Administrator password automatically.

Typed Records

Typed records add simplicity to Commander rotation. Commander can scan a typed record's fields and infer the rotation type and connection details from them. Record types such as the standard "SSH Key" or "Server" types make it easy to create records that are ready for rotation.

Each rotation plugin has slightly different requirements; see the plugin sections below to learn more.

Commander will identify the type of rotation to use automatically based on the values supplied to the record. For example, a record with a port value of 22 will use the SSH rotation plugin by default. The rotation plugin can also be specified explicitly, either with the --plugin switch of the rotate command or with the cmdr:plugin custom record field; an explicit plugin takes precedence over automatic detection.

Optionally, any record can use custom fields as configuration for rotation. See the table below for an example of custom fields.

Not sure the difference between typed and untyped records? See the Troubleshooting section
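The detection rules scattered across the plugin sections (port 22 for ssh, 1433 or an mssql:// host for mssql, 3306 or mysql:// for mysql, 5432 or postgresql:// for postgresql, oracle:// for oracle) are collected here in an added example. This is not Commander's own selection code: the flat dict shape of the record, the record_host_and_port and select_plugin names, and the precedence of the --plugin switch over the cmdr:plugin field over detection are assumptions made for illustration.

```python
"""Rotation plugin selection following the detection rules stated on this page.

Added example, not Commander's own code. The port and host-prefix rules are
taken from the plugin sections; the precedence --plugin switch > cmdr:plugin
field > detection is an assumption.
"""
from urllib.parse import urlsplit

# Default ports and host-name prefixes that each plugin section says Commander recognises.
PORT_TO_PLUGIN = {22: "ssh", 1433: "mssql", 3306: "mysql", 5432: "postgresql"}
SCHEME_TO_PLUGIN = {"mssql": "mssql", "mysql": "mysql", "postgresql": "postgresql", "oracle": "oracle"}


def record_host_and_port(record):
    """Return (scheme, host, port). Typed-record host/port fields win; cmdr:host / cmdr:port are the fallback."""
    host = (record.get("host") or record.get("cmdr:host") or "").strip()
    port = record.get("port") or record.get("cmdr:port")
    if "://" in host:
        # A host written as a URL carries the scheme the prefix rules key on and may carry a port.
        parts = urlsplit(host)
        try:
            port = port or parts.port
        except ValueError:
            pass  # non-numeric port in the URL; keep whatever the port field says
        return parts.scheme.lower(), parts.hostname or "", port
    return "", host, port


def select_plugin(record, cli_plugin=None):
    """Return the plugin name Commander would use for this record, or None if it cannot tell.

    record is a dict of the record's fields and custom fields as shown in this page's tables
    (assumed flat shape for the example).
    """
    if cli_plugin:                        # explicit --plugin on the rotate command
        return cli_plugin
    if record.get("cmdr:plugin"):         # explicit plugin stored on the record
        return record["cmdr:plugin"].strip()
    scheme, _host, port = record_host_and_port(record)
    if scheme in SCHEME_TO_PLUGIN:        # e.g. host "mysql://db01" -> mysql
        return SCHEME_TO_PLUGIN[scheme]
    try:
        return PORT_TO_PLUGIN.get(int(port))  # e.g. port 22 -> ssh (password rotation, not sshkey)
    except (TypeError, ValueError):
        return None                       # no usable port: the caller must pass --plugin
```

Note that port 22 selects the ssh password plugin, never sshkey: key rotation always has to be named explicitly, on the record or on the command line.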

Untyped Records

Older, non-typed records require some additional setup in order to support Commander rotation.

To support a rotation plugin, simply add a set of custom field values to the Keeper record. The custom field values tell Commander which plugin to use and what system to communicate with when rotating the password. To modify your Keeper record to include custom fields, log in to Keeper on the Web Vault or the Keeper Desktop app.

Example custom fields for MySQL password rotation:

Custom Field Name    Custom Field Value
-------------------  ------------------
cmdr:plugin          mysql
cmdr:host            192.168.1.55
cmdr:db              testing

Typed records also support custom record fields. If an older record is converted to be typed (and the fields are unchanged) it will work with Commander rotation.

When a plugin is specified in a record, Commander will search in the plugins/ folder to load the module based on the name provided (e.g. mysql.py) then it will use the values of the Keeper record to connect, rotate the password and save the resulting data.

Check out the plugins folder for all of the available plugins. Keeper's team adds new plugins on an ongoing basis. If you need a particular plugin created, send us an email to commander@keepersecurity.com.

Supported Plugins

Active Directory

Amazon AWS Key

Amazon AWS Password

Azure AD Password

Microsoft SQL Server

MySQL

Oracle

PostgreSQL

PsPasswd

SSH Passphrase

SSH Key

Unix Password

Windows Password

Github Location

https://github.com/Keeper-Security/Commander/tree/master/keepercommander/plugins

Activating a Plugin

To activate a plugin for a particular Keeper record, you first need to update the custom fields for that record with special keywords that are used by Commander. See the specific plugin for the custom field requirements.

To perform a rotation use the rotate command.

Keeper's team is expanding the number of plugins on an ongoing basis. If you need a particular plugin created or modified, email us at commander@keepersecurity.com.

Password Rotation Commands

Commands for performing password rotations on target systems.

Rotation Commands

Keeper Command Reference

Whether you use the interactive shell, the CLI or a JSON config file, Keeper supports the following commands. Each command accepts additional parameters and options.

To get help on a particular command, run:

help <command>

Command        Explanation
-------------  -----------------------------------------------------------------------------------------
rotate or r    Rotate the password in a record
set            Set environment variables that can be used for substitution within other commands or arguments
echo           Display environment variables

rotate command:

Command: rotate or r

Detail: Rotate a record's password

To be eligible for rotation, a record must identify a rotation plugin: through the cmdr:plugin custom field (for example cmdr:plugin=mysql), through the --plugin switch, or through automatic detection from the record's host and port fields (see the individual plugin sections for the ports and host prefixes each plugin recognizes).

Parameters:

Record name or UID to rotate

Switches:

--plugin <PLUGIN NAME> use the named rotation plugin (e.g. ssh, sshkey, mysql, mssql, postgresql, oracle, awskey, awspswd, azureadpwd, pspasswd) instead of the record's cmdr:plugin field or automatic detection

--print display updated record content after rotation

--match <REGULAR EXPRESSION> select all records that match this expression to rotate

--password <NEW PASSWORD> sets a new password. Commander generates a random password if the switch is omitted. Ignored when passwords are rotated with the --match parameter.

Examples:

rotate servers/dev
rotate BhRRhjeL4armInSMqv2_zQ --print
rotate --match [0-z]*\machine
rotate BhRRhjeL4armInSMqv2_zQ --password "XXX"
  1. Rotate the password of the record titled "dev" in the "servers" folder

  2. Rotate the password of the record with the given UID

  3. Rotate the password of all records that end with "machine" (Using regex)

  4. Rotate the password of the given record UID with the specific password provided

For more information and examples see Connection to hosts documentation

set command:

Command: set

Detail: Set an environment variable

Parameters:

environment name, value to set

format:

set <name> <value>

Examples:

set MySecret XXX

Set the MySecret variable to XXX

echo command:

Command: echo

Detail: Display environment variables

Parameters:

argument to display (optional)

format:

echo ${<variable>}

If no argument is given, all environment variables are shown

Examples:

echo
echo ${MySecret}
  1. Display all currently set environment variables

  2. Display the value for the MySecret variable

AWS Plugin

Rotate AWS Passwords and Keys

Prerequisites

1. Install the boto3 AWS SDK for Python (the plugin talks to the IAM API through it; this is not the AWS CLI itself)

pip3 install boto3

2. Configure AWS CLI package

Install AWS CLI if necessary

pip3 install awscli

Configure AWS Connection with the AWS CLI

aws configure

The AWS credentials configured on the machine running Commander (or the role named in cmdr:aws_assume_role) must be allowed to manage the target user's credentials. An administrative account works, but a dedicated IAM principal limited to the actions listed under the rotation types below is the safer choice.

Prepare Records for Rotation

Create a Record for Rotation

Rotation supports legacy and typed records. Additional fields may be added depending on the rotation type as well. See the instructions below.

See the Troubleshooting section for more information on legacy vs typed records

Rotation Types

Rotate AWS Keys

To run a rotation of AWS Keys, use the rotate command in Commander. Pass the command a record title or UID (or use --match with a regular expression to rotate several records at once)

rotate "My AWS Credentials" --plugin awskey

The plugin can be supplied to the command as shown here, or added to a record field (see options below). Adding the plugin type to the record makes it possible to rotate several records at once with different plugins.

Additional Rotation Options

The following optional values can customize rotation parameters. Add these options to a record as text fields and set the label to correspond to the parameter as shown in the table.

For an easier time creating new AWS rotation records, create a custom record type with the text type fields defined

Label                  Value          Comment
---------------------  -------------  -------------------------------------------------------------------------------
cmdr:plugin            awskey         (Optional) Tells Commander to use AWS Key rotation. Set this on the record or supply it to the rotate command with --plugin.
cmdr:aws_profile       profile name   (Optional) AWS CLI profile to use to log in to AWS.
cmdr:aws_sync_profile  profile name   (Optional) If supplied, the rotated access key and secret are also written to this profile in the local AWS credentials file, so tooling on the Commander host keeps working after the rotation.
cmdr:aws_assume_role   AWS Role ARN   (Optional) If supplied, the rotation plugin assumes this role before touching IAM. The role requires these permissions on the target user: iam:ListAccessKeys, iam:CreateAccessKey, iam:DeleteAccessKey. IAM allows at most two access keys per user, so listing and deleting existing keys is part of every rotation.

Output

After rotation is completed, the Access Key ID and Secret Key are stored in custom fields on the record with labels: cmdr:aws_key_id and cmdr:aws_key_secret.

Any Keeper user or Keeper Shared Folder associated with the record is updated instantly.

Label                Value
-------------------  ------------------------------
cmdr:aws_key_id      generated AWS Access Key ID
cmdr:aws_key_secret  generated AWS Secret Access Key

The 'Password' field is ignored when rotating keys

Rotate AWS Passwords

To run a rotation of AWS passwords, use the rotate command in Commander. Pass the command a record title or UID (or use --match with a regular expression to rotate several records at once)

rotate "My AWS Credentials" --plugin awspswd

The plugin can be supplied to the command as shown here, or added to a record field (see options below). Adding the plugin type to the record makes it possible to rotate several records at once with different plugins.

Additional Rotation Options

The following optional values can customize rotation parameters. Add these options to a record as text fields and set the label to correspond to the parameter as shown in the table.

Label             Value         Comment
----------------  ------------  -------------------------------------------------------------------------------
cmdr:plugin       awspswd       (Optional) Tells Commander to use AWS password rotation. Set this on the record or supply it to the rotate command with --plugin.
cmdr:rules        rules         (Optional) Password complexity rules, in the form '# uppercase, # lowercase, # numeric, # special' (e.g. 4,6,3,8).
cmdr:aws_profile  profile name  (Optional) AWS CLI profile to use to log in to AWS. Its credentials need permission to change the target user's console password (the IAM action for this is iam:UpdateLoginProfile).

Output

The Password field of the Keeper record contains the new password for the AWS account.

Azure Plugin

Rotate Azure AD account passwords

This plugin generates a new password for an Azure AD user account and sets it on the account, authenticating as the application registration described below.

Prerequisites

Install Microsoft Authentication Library (MSAL) for Python

pip install msal

Configure Azure Application to have User Administrative Privileges

Configure Azure Application for Rotation

Follow these steps as one-time setup for Azure rotation

Steps to register new application

  1. Navigate to new app registration page:

    Azure portal -> Azure Active Directory -> App Registrations -> New Registration

  2. Give a name to the application and leave Supported account type as "Accounts in this organizational directory only (Default Directory only - Single tenant)"

  3. Click "Register"

Steps to add role to the application

  1. Navigate to Roles and Administrators page:

    Azure portal -> Azure Active Directory -> Roles and administrators

  2. Search for the Helpdesk Administrator role and click on it. This role can reset passwords only for users who hold no administrator role; rotating an administrator's password requires a more privileged role such as Privileged Authentication Administrator.

  3. Click on + Add assignments

  4. Search for the application that was created above, select it, and click on "Add"

Create App Secret

  1. Navigate to Certificates & Secrets:

    Azure portal -> Azure Active Directory -> App Registrations -> Select app that was created above -> Certificates & secrets

  2. Under "Client secrets" click on + New client secret

  3. Give description to a secret and click "Add"

  4. Make sure to copy "Value" of the secret

Prepare Records for Rotation

Create a Record for Rotation

Rotation supports legacy and typed records. If using typed record, a 'Login' type field is required. Additional fields may be added depending on the rotation type as well. See the instructions below.

See the Troubleshooting section for more information on legacy vs typed records

Set the Azure Login Name

Populate the 'Login' field of the Keeper record with the Azure login name

Add Required Fields

The following fields are required for Azure AD rotation. Create each field with the label indicated and supply the required information.

Label                 Description
--------------------  -----------------------------------------------------------------------------------------------
cmdr:azure_secret     The client secret Value copied in "Create App Secret" above. It is shown only once, when the secret is created under Azure portal -> Azure Active Directory -> App Registrations -> [App name] -> Certificates & secrets.
cmdr:azure_client_id  Azure portal -> Azure Active Directory -> App Registrations -> [App name] -> Application (client) ID
cmdr:azure_tenant_id  Azure portal -> Azure Active Directory -> App Registrations -> [App name] -> Directory (tenant) ID
cmdr:azure_cloud      Optional. Azure cloud environment. Omit for the global cloud (default); otherwise one of China, German, USGov.

The client secret in cmdr:azure_secret lets its holder reset passwords for every user the application's role covers, so share the record only with the operators who run rotations.

For an easier time creating new Azure rotation records, create a custom record type with these text type fields defined

Additional Rotation Settings

The following values can customize rotation parameters. Add these options to a record as text fields and set the label to correspond to the parameter as shown in the table.

Label        Value       Description
-----------  ----------  -------------------------------------------------------------------------------
cmdr:plugin  azureadpwd  (Optional) Tells Commander to use Azure AD password rotation. Set this on the record or supply it to the rotate command with --plugin.
cmdr:rules   rules       (Optional) Password complexity rules, in the form '# uppercase, # lowercase, # numeric, # special' (e.g. 4,6,3,8).

Rotate

To rotate Azure passwords, use the rotate command in Commander. Pass the command a record title or UID (or use --match with a regular expression to rotate several records at once)

rotate "My Azure Credentials" --plugin azureadpwd

The plugin can be supplied to the command as shown here, or added to a record field (see options above). Adding the plugin type to the record makes it possible to rotate several records at once with different plugins.

Output

After rotation is completed, the new password will be stored in the Password field of the record

Microsoft SQL Server Plugin

Rotate SQL Server passwords

This plugin allows rotating a user's password in Microsoft SQL Server

Prerequisites

Install pymssql

pip3 install pymssql

Prepare Records for Rotation

Create a Record for Rotation

Rotation supports legacy and typed records. If using typed record, a 'Login' type field is required. Additional fields may be added depending on the rotation type as well. See the instructions below.

See the Troubleshooting section for more information on legacy vs typed records

Complete record example. Follow the steps below to set up a record for rotation

Set the record Login as username of the account to rotate

Set the Hostname and Port

Commander will use these settings to connect.

TIP: If the port is set to 1433, or the host begins with "mssql://" Commander will automatically recognize the record as Microsoft SQL credentials and will use that rotation method unless otherwise configured

Set the record Password to the account's current password

Commander will use the password to login to perform the rotation

Set the Database Name in a custom field

Create a Text type custom field labeled "cmdr:db" and fill in the name of the database to connect to.

Optional Custom Fields

Instead of using the fields above, custom fields can be added with the labels shown

Label        Value                                                             Comment
-----------  ----------------------------------------------------------------  -------------------------------------------------------------------------------
cmdr:plugin  mssql                                                             Tells Commander to use Microsoft SQL Server password rotation. Set this on the record or supply it to the rotate command with --plugin.
cmdr:host    hostname                                                          Hostname of your MSSQL server
cmdr:rules   '# uppercase, # lowercase, # numeric, # special' (e.g. 4,6,3,8)  Password generation rules
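The cmdr:rules value has the same '# uppercase, # lowercase, # numeric, # special' form in every plugin section of this page (MSSQL, MySQL, PostgreSQL, PSPasswd, SSH, and the AWS and Azure password plugins). The following added example shows how a generator honouring such a rule would draw from a CSPRNG; it is not Commander's own generator. Assumptions: the four numbers are exact counts (so 4,6,3,8 yields a 21-character password), and the special-character set is mine.

```python
"""Password generation honouring a cmdr:rules value ('# uppercase, # lowercase, # numeric, # special').

Added example, not Commander's own generator. Assumptions: the four numbers are exact counts,
and SPECIAL is an assumed set; restrict it to what the target system accepts before using it.
"""
import secrets
import string

# Assumed special set: no quotes or backslash, which break many connection strings and shells.
SPECIAL = "!@#$%^&*()-_=+[]{};:,.?"

# Character classes in the order cmdr:rules lists them.
RULE_CLASSES = (string.ascii_uppercase, string.ascii_lowercase, string.digits, SPECIAL)
_rng = secrets.SystemRandom()  # CSPRNG-backed shuffle; never use random.shuffle for credentials


def parse_rules(rules):
    """'4,6,3,8' -> (4, 6, 3, 8); rejects anything that is not four non-negative integers."""
    parts = [p.strip() for p in rules.split(",")]
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError("cmdr:rules must be '# uppercase, # lowercase, # numeric, # special'")
    counts = tuple(int(p) for p in parts)
    if sum(counts) == 0:
        raise ValueError("cmdr:rules must request at least one character")
    return counts


def generate_password(rules="4,6,3,8"):
    """Draw exactly the requested number of characters from each class, then shuffle."""
    chars = []
    for count, alphabet in zip(parse_rules(rules), RULE_CLASSES):
        chars.extend(secrets.choice(alphabet) for _ in range(count))
    _rng.shuffle(chars)  # so a character's class cannot be inferred from its position
    return "".join(chars)


def satisfies_rules(password, rules):
    """Check a password (e.g. one supplied with --password) against the same rules."""
    counts = parse_rules(rules)
    per_class = [sum(c in alphabet for c in password) for alphabet in RULE_CLASSES]
    return per_class == list(counts) and len(password) == sum(counts)
```

Because the counts are drawn per class rather than filtered after the fact, the generator never loops until a candidate happens to pass, and the same parse_rules path validates a password handed in with --password.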

Record Example using Optional Fields

A Keeper Record that is set up for MSSQL rotation

Rotate

To rotate MSSQL passwords, use the rotate command in Commander. Pass the command a record title or UID (or use --match with a regular expression to rotate several records at once)

rotate "MSSQL Example" --plugin mssql

The plugin can be supplied to the command as shown here, added to a record field, or assigned automatically based on the port number (see options above). Adding the plugin type to the record makes it possible to rotate several records at once with different plugins.

Output

After rotation is completed, the new password will be stored in the Password field of the record

MySQL Plugin

Rotate and Connect to MySQL databases with Keeper Commander

Prerequisites

Install PyMySQL

pip3 install -Iv PyMySQL==0.10.1

The MySQL Commander plugin requires PyMySQL version 0.10.1 and does not support more recent versions, so install it with the exact pin shown above and keep that constraint in mind when packages on the Commander host are upgraded.

Prepare Records for Rotation

Create a record to store the MySQL username and password

Create a record using either the Keeper Vault UI, or Keeper Commander.

Creating a record in the Keeper Vault

Commander rotation supports all record types. A "Login" field is required on the record.

Set the Host and Port of the record

If using an untyped record, the host and port can be set to custom fields. See below.

Commander will use the mysql plugin automatically for records with the port number 3306, or with a hostname that starts with "mysql://"

Set the login and password values to the current database user values

Commander will use the login and password to login to the MySQL account
add type="databaseCredentials" title="MySQL Example" f.host.hostName="127.0.0.1" f.host.port="3306" f.login="DBAdmin Smith" f.password="XXX"

replace 'XXX' with the current database password for this user

Optional Custom Fields

Label           Value                                                             Comment
--------------  ----------------------------------------------------------------  -------------------------------------------------------------------------------
cmdr:plugin     mysql                                                             Tells Commander to use MySQL rotation. Set this on the record or supply it to the rotate command with --plugin.
cmdr:host       hostname                                                          Hostname of your MySQL server. This can be set here if not set in the record's host field
cmdr:rules      '# uppercase, # lowercase, # numeric, # special' (e.g. 4,6,3,8)  Password generation rules
cmdr:port       port                                                              MySQL port. 3306 assumed if omitted. This can be set here if not set in the record's host field
cmdr:user_host  host                                                              The host part of the MySQL account name ('user'@'host'). '%' assumed if omitted

Adding Custom Fields with the Commander edit command

For Commander versions greater than 4.88

 edit -r "MySQL Example" --custom '{"cmdr:plugin":"mysql", "cmdr:host":"SQL"}'

For Commander versions 4.88 and before

edit "MySQL Example" --custom '{"cmdr:plugin":"mysql", "cmdr:host":"SQL"}'

for more information about the edit command, see the command documentation

Rotate Passwords

Get Record UID

Find the UID in the record information popup

Click the Record UID to copy it to the clipboard
My Vault> search "MySQL Example"

  #  Record UID              Type    Title    Login    URL
---  ----------------------  ------  -------  -------  -----
  1  am4TuwGrDpn8NhrGPBAWKw  login   rtt      rotate


                 UID: am4TuwGrDpn8NhrGPBAWKw
               Title: rtt
               Login: rotate
                text: ['mysql']
                text: ['127.0.0.1']

Use the search command to find the UID for your record. Replace "MySQL Example" with the name of your record.

Perform Rotation

To rotate MySQL passwords, use the rotate command in Commander. Pass the command a record title or UID (or use --match with a regular expression to rotate several records at once)

rotate "MySQL Example" --plugin mysql

The plugin can be supplied to the command as shown here, added to a record field, or assigned automatically based on the port number or on a host starting with "mysql://" (see options above). Adding the plugin type to the record makes it possible to rotate several records at once with different plugins.

Output

After rotation is completed, the new password will be stored in the Password field of the record

Integration with the Keeper Commander's connect command

Custom Field Name          Custom Field Value
-------------------------  ----------------------------------
connect:xxx:env:MYSQL_PWD  ${password}
connect:xxx                mysql -u${login} -h${cmdr:host}

xxx refers to the 'friendly name' which can be referenced when connecting on the command line. The password is handed to the client through the MYSQL_PWD environment variable rather than on the command line, so it does not appear in the process list.

Here's a screenshot of the Keeper Vault record for this use case:

A Keeper Record setup for use with Commander's 'connect' command

For more information on the connect command, see the documentation

Oracle Plugin

Rotate Oracle database passwords with Commander

This plugin allows rotating a user's password in Oracle Database Server

Prerequisites

Oracle's Instant Client is needed when the driver runs in its "thick" mode; the python-oracledb driver installed below can also connect in its default "thin" mode without Instant Client.

If you need thick mode, consult the following page: http://www.oracle.com/technetwork/database/features/instant-client/index-097480.html

Install python-oracledb (the successor of cx_Oracle)

pip3 install oracledb

Prepare Record for Rotation

Create a Record for Rotation

Rotation supports legacy and typed records. If using typed record, a 'Login' type field is required. Additional fields may be added depending on the rotation type as well. See the instructions below.

See the Troubleshooting section for more information on legacy vs typed records

Add the following Custom Fields to the record that you want to rotate within Keeper

To connect with DSN string:

Label     Value                                                                                          Comment
--------  ---------------------------------------------------------------------------------------------  -----------------
cmdr:dsn  ex: "(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=localhost)(PORT=1521))(CONNECT_DATA=(SID=XE)))"  Oracle DSN string

To connect using database host and service name

If cmdr:dsn is used then cmdr:host and cmdr:db properties will be ignored.

Label      Value     Comment
---------  --------  -----------------------------------------------
cmdr:host  hostname  Hostname of your Oracle server
cmdr:db    service   Database service to connect to on Oracle server

The following optional plugin field can be added to enforce use of the Oracle rotation plugin

Label        Value   Comment
-----------  ------  -------------------------------------------------------------------------------
cmdr:plugin  oracle  (Optional) Tells Commander to use Oracle rotation. Set this on the record or supply it to the rotate command with --plugin.

Commander will use the oracle plugin automatically for records with a hostname that starts with "oracle://"

The plugin uses the record's Login field as the name of the database user whose password is rotated.

Record Example:

A Keeper Record setup for Oracle password rotation

Rotate

To rotate Oracle passwords, use the rotate command in Commander. Pass the command a record title or UID (or use --match with a regular expression to rotate several records at once)

rotate "Oracle Example" --plugin oracle

The plugin can be supplied to the command as shown here, or added to a record field (see options above). Adding the plugin type to the record makes it possible to rotate several records at once with different plugins.

Output

After rotation is completed, the new password will be stored in the Password field of the record

PostgreSQL Plugin

Rotate PostgreSQL database passwords with Commander

This plugin allows rotating a user's password on a PostgreSQL server

Prerequisites

Install psycopg2-binary

pip3 install psycopg2-binary

Prepare Record For Rotation

Create a Record for Rotation

Rotation supports legacy and typed records. If using typed record, a 'Login' type field is required. Additional fields may be added depending on the rotation type as well. See the instructions below.

See the Troubleshooting section for more information on legacy vs typed records

Set the PostgreSQL Login Name and Password

Populate the 'Login' field of the Keeper record with the PostgreSQL login name

Commander will use the login and password to login to the PostgreSQL account

Set the Hostname and Port

If using an untyped record, the host and port can be set to custom fields. See below.

TIP: If no rotation plugin is specified, Commander will use the port number or host prefix to guess which rotation to use. Port 5432, or a hostname that begins with "postgresql://" will use PostgreSQL rotation

Enter the Database Name

Add a custom field to the record labeled "cmdr:db" and fill the field with the name of the database to use.

Optional Record Fields

These fields can be added to affect the rotation

Label        Value                                                             Comment
-----------  ----------------------------------------------------------------  -------------------------------------------------------------------------------
cmdr:plugin  postgresql                                                        (Optional) Tells Commander to use PostgreSQL rotation. This should be either set on the record, or supplied to the rotation command
cmdr:host    hostname                                                          Hostname of your PostgreSQL server. Legacy records require this custom field; typed records can use the hostname and port fields.
cmdr:rules   '# uppercase, # lowercase, # numeric, # special' (e.g. 4,6,3,8)  (Optional) Password generation rules
cmdr:port    port                                                              (Optional) PostgreSQL port. 5432 assumed if omitted

Integration with the Keeper Commander's connect command

Custom Field Name           Custom Field Value
--------------------------  ------------------------------------------------------------------------------------------------------
connect:xxx:env:PGPASSWORD  ${password}
connect:xxx                 psql --host=${cmdr:host} --port=${cmdr:port} --username=${login} --dbname=${cmdr:db} --no-password

Here's a screenshot of the Keeper Vault record for this use case:

A Keeper Record setup for connection

For more information on the connect command, see the documentation
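The connect definitions in the MySQL section above and in the PostgreSQL table here share one pattern: a connect:xxx command template with ${field} placeholders and connect:xxx:env:NAME fields that put the secret into the client's environment. The following added example expands such fields; it is not Commander's connect implementation. The RecordTemplate class, build_connect and run_connect are mine, and SAMPLE_RECORD is constructed data that names no real host or credential.

```python
"""Expanding connect:xxx / connect:xxx:env:NAME record fields into a command line.

Added example, not Commander's connect implementation. Each argument is substituted
separately, and the secret goes into the environment rather than argv.
"""
import os
import shlex
import string
import subprocess


class RecordTemplate(string.Template):
    # Keeper field labels such as cmdr:host contain a colon, which string.Template's default
    # identifier pattern does not allow, so widen it. Template compiles this case-insensitively.
    idpattern = r"[a-z][a-z0-9_:]*"


def build_connect(record, friendly):
    """Return (argv, env) for the connect:<friendly> definition stored in record.

    Tokenise the template first, then substitute inside each token: a login such as
    'DBAdmin Smith' stays one argument, and a field value cannot smuggle in extra arguments.
    Unknown placeholders raise KeyError instead of silently producing a broken command.
    """
    command_key = f"connect:{friendly}"
    env_prefix = f"{command_key}:env:"
    argv = [RecordTemplate(token).substitute(record) for token in shlex.split(record[command_key])]
    env = {
        key[len(env_prefix):]: RecordTemplate(value).substitute(record)
        for key, value in record.items()
        if key.startswith(env_prefix)
    }
    return argv, env


def build_connect_naive(record, friendly):
    """The tempting shortcut: substitute first, split afterwards. Kept only to show the difference."""
    return shlex.split(RecordTemplate(record[f"connect:{friendly}"]).substitute(record))


def run_connect(record, friendly):
    """Launch the client with the secret in its environment only; it never appears in `ps` output."""
    argv, env = build_connect(record, friendly)
    return subprocess.run(argv, env={**os.environ, **env}, check=False).returncode


# Constructed sample record mirroring the PostgreSQL table above (no real host or credential).
SAMPLE_RECORD = {
    "login": "DBAdmin Smith",
    "password": "XXX",
    "cmdr:host": "127.0.0.1",
    "cmdr:port": "5432",
    "cmdr:db": "testing",
    "connect:pg:env:PGPASSWORD": "${password}",
    "connect:pg": "psql --host=${cmdr:host} --port=${cmdr:port} --username=${login} --dbname=${cmdr:db} --no-password",
}
```

With a login containing a space, build_connect_naive yields seven arguments and hands "Smith" to psql as a stray positional parameter, while build_connect keeps "--username=DBAdmin Smith" as one argument. The same split-then-substitute order matters whenever a record field can be edited by someone other than the person running connect.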

PSPasswd Plugin

Rotate remote admin passwords with PSPasswd

This plugin gives IT admins the ability to rotate the password of a local administrative account on a remote Windows system. The password is rotated using the widely used "pspasswd" utility from Microsoft's Sysinternals PsTools, and the change is synchronized to a specific Keeper record in your vault.

The way this plugin is implemented requires that Commander and pspasswd are installed on the Domain Controller.

The instructions in this section assume that you are executing Commander scripts from the Domain Controller.

Prerequisites

Enable Remote Service Management on each target computer

Assuming all computers are domain-joined and reachable from the Domain Controller, ensure that "Remote Service Management" is allowed inbound for the Domain profile by enabling the relevant firewall rule on all computers.

On each of the target computers, go to Windows Firewall rules -> Inbound Rules -> and enable the "Remote Service Management" rule.

Install pspasswd

  • Download the PSTools Package from Microsoft

  • Extract the PSTools.zip folder to a location on your computer

  • Add this PSTools folder to your user or system environmental variable "PATH"

    (System Properties -> Advanced -> Environmental Variables)

    Select PATH and then "Edit"

    On some systems, you have to append the location where you installed PSTools, e.g.:

    ;C:\Users\craig\PSTools

    On newer systems, just click "New" then type in the full path to the install, e.g.: C:\Users\craig\PSTools

Prepare Record for Rotation

Create a Record for Rotation

Rotation supports legacy and typed records. If using typed record, a 'Login' type field is required. Additional fields may be added depending on the rotation type as well. See the instructions below.

See the Troubleshooting section for more information on legacy vs typed records

Set the Login Name

Populate the 'Login' field of the Keeper record with the login to use with this rotation.

Set the Host and Port of the record

If using an untyped record, the host and port can be set to custom fields. See below.

Additional Rotation Settings

The following values can customize rotation parameters. Add these options to a record as text fields and set the label to correspond to the parameter as shown in the table.

Label        Value                                                             Comment
-----------  ----------------------------------------------------------------  -------------------------------------------------------------------------------
cmdr:plugin  pspasswd                                                          (Optional) Tells Commander to use PSPasswd rotation. This should be either set on the record, or supplied to the rotation command
cmdr:host    hostname(s)                                                       Hostname of the computer or computers where the local account exists. This can be set here if not set in the record's host field
cmdr:rules   '# uppercase, # lowercase, # numeric, # special' (e.g. 4,6,3,8)  (Optional) Password generation rules

Rotate

To rotate PSPasswd passwords, use the rotate command in Commander. Pass the command a record title or UID (or use --match with a regular expression to rotate several records at once)

rotate "PSPasswd Example" --plugin pspasswd

The plugin can be supplied to the command as shown here, or added to a record field (see options above). Adding the plugin type to the record makes it possible to rotate several records at once with different plugins.

Output

After rotation is completed, the new password will be stored in the Password field of the record

SSH Plugin

Rotate SSH keys with Commander

The SSH plugin for Keeper Commander gives you the ability to generate and rotate SSH keys to one or more target systems, or rotate any local or remote user's Unix/Linux password.

Prerequisites

SSH Key Rotation

Install OpenSSL and OpenSSH

This plugin requires OpenSSL and OpenSSH packages to be installed on the computer running Keeper Commander.

To verify Installation, open the Terminal application and make sure 'openssl' and 'ssh' commands are installed and accessible with the system PATH environment variable.

SSH Password Rotation

Plugin name: ssh

Prepare a Record for Rotation

Rotation supports legacy and typed records. If using typed record, a 'Login' type field is required. Additional fields may be added depending on the rotation type as well. See the instructions below.

The standard "SSH Key" record type is a good fit for SSH rotations.

See the Troubleshooting section for more information on legacy vs typed records

Set the Login Name

Populate the 'Login' field of the Keeper record with the target system(s) login name

Set the Hostname and Port

If using an untyped record, the host and port can be set to custom fields. See below.

TIP: If no rotation plugin is specified, Commander will use the port number to guess which rotation to use. Port 22 will use SSH rotation

Additional Rotation Settings

The following values can customize rotation parameters. Add these options to a record as text fields and set the label to correspond to the parameter as shown in the table.

Label        Value                                                             Comment
-----------  ----------------------------------------------------------------  -------------------------------------------------------------------------------
cmdr:plugin  sshkey | ssh                                                      (Optional) Tells Commander to use SSH key (sshkey) or SSH password (ssh) rotation. This should be either set on the record, or supplied to the rotation command
cmdr:host    hostname                                                          (Optional) Host name or IP address of the target server. Can be added as a custom field if not entered as a record field
cmdr:rules   '# uppercase, # lowercase, # numeric, # special' (e.g. 4,6,3,8)  (Optional) Password generation rules

For SSH key rotation, in order to automate the rotation of the public key on the target server, the public key must be installed manually one time in .ssh/authorized_keys on the target host(s).

After it has been set this first time, subsequent rotations will be automated and updated by Commander.

Rotate

SSH Key Rotation

First Time Setup and Run

When setting up this plugin for the first time please use the following steps:

1. Populate Keeper Record

Populate the Title, Login, and Hostname or IP and Port fields of the Keeper record.

2. Execute rotate command and store public key

Execute the rotate command in the Keeper shell for this record. Commander generates the public and private keys and stores them in the record. Copy the public key and append it to the file .ssh/authorized_keys on each target host. This step must be done manually the first time, or with the ssh-copy-id Unix command.

Make sure the permissions of the .ssh directory and the authorized_keys file are set correctly on the target system: chmod 700 ~/.ssh; chmod 600 ~/.ssh/authorized_keys

3. Execute key rotation

Execute rotate command on Keeper shell to perform a full rotation. If successful, the target hosts will be updated with the newly generated public key and the Keeper record will be updated with the private/public key pair.

rotate "SSH Credentials" --plugin sshkey

This plugin assumes that the target system uses the default settings for the SSH service, i.e. the authorized_keys file is located in the .ssh directory of the user's HOME directory.

For more information on the rotate command see documentation
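Once the first public key is in place, each later rotation has to replace the old key in .ssh/authorized_keys on the target host without disturbing anything else in that file. The following Python is an added example of how that swap should behave, written for this page and not taken from Commander's sshkey plugin: only the line carrying the old key is rewritten, an options prefix such as from= is preserved, other keys and comments survive, and the file is replaced atomically with mode 0600. The key strings are constructed placeholders, and the transport to the host (the SSH session itself) is assumed and out of scope.

```python
import os
import tempfile

# Constructed sample keys for the stand-alone demo below: the base64 is
# placeholder text, not real key material.
OLD_KEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOldKeyPlaceholder0000000000000000000000 rotate@example"
NEW_KEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINewKeyPlaceholder0000000000000000000000 rotate@example"
OTHER_KEY = "ssh-rsa AAAAB3NzaC1yc2EOtherAdminPlaceholder admin@example"

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def key_identity(line):
    """Return (key_type, base64_blob) for an authorized_keys line, or None.

    A line may start with an options field such as 'from="10.0.0.0/8",no-pty',
    so the key is located by its type token rather than assumed to be in the
    first column. Options whose quoted values contain spaces (for example
    command="echo hi") are not handled by this simple split.
    """
    fields = line.strip().split()
    for i, field in enumerate(fields[:-1]):
        if field.startswith(KEY_TYPE_PREFIXES):
            return field, fields[i + 1]
    return None


def replace_authorized_key(path, old_pubkey, new_pubkey):
    """Swap old_pubkey for new_pubkey in the authorized_keys file at path.

    Only lines carrying the old key are rewritten; every other key, comment and
    blank line is kept, so a rotation cannot lock out other keys. The options
    prefix of a replaced line is preserved so restrictions such as from= or
    command= survive. The result goes to a temporary file in the same
    directory, is chmod 0600, and is atomically renamed over the original.
    Returns the number of lines replaced; 0 means the old key was not present,
    which a rotation should treat as a failure rather than blindly append.
    """
    old_id = key_identity(old_pubkey)
    new_fields = new_pubkey.strip().split()
    if old_id is None or key_identity(new_pubkey) is None:
        raise ValueError("public keys must be '<type> <base64> [comment]'")

    with open(path) as fh:
        lines = fh.read().splitlines(keepends=True)

    out, replaced = [], 0
    for line in lines:
        if not line.lstrip().startswith("#") and key_identity(line) == old_id:
            fields = line.split()
            prefix = fields[: fields.index(old_id[0])]  # options field, if any
            out.append(" ".join(prefix + new_fields) + "\n")
            replaced += 1
        else:
            out.append(line)

    if replaced:
        fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)), prefix=".authorized_keys.")
        with os.fdopen(fd, "w") as fh:
            fh.writelines(out)
        os.chmod(tmp, 0o600)
        os.replace(tmp, path)  # atomic: sshd sees either the old file or the new one
    return replaced


def demo():
    """Build a sample authorized_keys in a temp dir, rotate OLD_KEY to NEW_KEY, report the outcome."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "authorized_keys")
    with open(path, "w") as fh:
        fh.write("# keys managed by the team\n")
        fh.write(OTHER_KEY + "\n")
        fh.write('from="10.0.0.0/8",no-pty ' + OLD_KEY + "\n")
    first = replace_authorized_key(path, OLD_KEY, NEW_KEY)
    with open(path) as fh:
        text = fh.read()
    mode = os.stat(path).st_mode & 0o777
    second = replace_authorized_key(path, OLD_KEY, NEW_KEY)  # old key is gone now, nothing to do
    return {"replaced": first, "text": text, "mode": mode, "second_replaced": second}


if __name__ == "__main__":
    result = demo()
    print("replaced %d line(s), file mode %o" % (result["replaced"], result["mode"]))
    print(result["text"])
```

The point of returning 0 rather than appending is the same one the first-time setup above makes: the rotation should only ever edit a key it already owns. If the old key is missing, something else changed the file and a human should look before Commander is trusted with it again.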

SSH Passwords Rotation

To rotate SSH passwords, use the rotate command in Commander. Pass the command a record title or UID (or use --match with a regular expression to rotate several records at once)

rotate "SSH Credentials" --plugin ssh

The plugin can be supplied to the command as shown here, or added to a record field (see options above). If not supplied, Commander will use the port field to identify which plugin to use. In this case port 22 means the ssh plugin is used. Adding the plugin type to the record makes it possible to rotate several records at once with different plugins.

Unix Passwd Plugin

Rotate Unix passwords with Commander


This plugin allows rotating a local user's password using the Unix passwd command.

Prerequisites

Install pexpect

pip3 install pexpect

Prepare a Record for Rotation

Create a Record for Rotation

Rotation supports legacy and typed records. If using a typed record, a 'Login' type field is required. Additional fields may be needed depending on the rotation type. See the instructions below.

See the Troubleshooting section for more information on legacy vs typed records

Set the Login Name

Populate the 'Login' field of the Keeper record with the login to use with this rotation.

Additional Rotation Settings

The following values customize rotation parameters. Add each option to the record as a text field whose label is the name shown below.

Label: cmdr:plugin
Value: unixpasswd
Comment: (Optional) Tells Commander to use Unix password rotation. Set this on the record or pass it to the rotate command with --plugin.

Label: cmdr:rules
Value: # uppercase, # lowercase, # numeric, # special (e.g. 4,6,3,8)
Comment: (Optional) Password generation rules: the minimum number of uppercase, lowercase, numeric and special characters, in that order.

Keeper Record setup for Unix passwd rotation

Rotate

To rotate Unix passwords, use the rotate command in Commander. Pass the command a record title or UID (or use --match with a regular expression to rotate several records at once)

rotate "Unix Credentials" --plugin unixpasswd

The plugin can be supplied to the command as shown here, or added to a record field (see options above). Adding the plugin type to the record makes it possible to rotate several records at once with different plugins.

Output

After rotation is completed, the new password will be stored in the Password field of the record

Windows Plugin

Rotate Windows user passwords with Commander


This plugin allows rotating a windows user's password using the net user command.

Prepare a Record for Rotation

Create a Record for Rotation

Rotation supports legacy and typed records. If using a typed record, a 'Login' type field is required. Additional fields may be needed depending on the rotation type. See the instructions below.

See the Troubleshooting section for more information on legacy vs typed records

Set the Login Name

Populate the 'Login' field of the Keeper record with the login to use with this rotation.

This plugin rotates passwords for both local and Active Directory accounts. When rotating an Active Directory password, use the DOMAIN\USERNAME syntax in the Login field.

Add the following custom fields to the Keeper record that you want to rotate.

Label: cmdr:plugin
Value: windows
Comment: (Optional) Tells Commander to use Windows rotation. Set this on the record or pass it to the rotate command with --plugin.

Label: cmdr:rules
Value: # uppercase, # lowercase, # numeric, # special (e.g. 4,6,3,8)
Comment: (Optional) Password generation rules: the minimum number of uppercase, lowercase, numeric and special characters, in that order.

A Keeper Record setup for Windows password rotation
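The cmdr:rules field shown in the SSH, Unix passwd and Windows tables above (and accepted by the Active Directory plugin below) is four minimum counts in the order uppercase, lowercase, numeric, special. The following Python is an added example written for this page, not Commander's own generator: it parses that format strictly, generates a password meeting the minimums with the secrets module, and checks an existing password against the rules. The floor of 20 characters is an assumption for the example, not a Commander setting.

```python
import secrets
import string

# Character classes in the order the cmdr:rules field lists them:
# "# uppercase, # lowercase, # numeric, # special", e.g. "4,6,3,8".
RULE_CLASSES = (
    string.ascii_uppercase,
    string.ascii_lowercase,
    string.digits,
    string.punctuation,
)

# Assumed for this example: never hand out a password shorter than this even
# if the four minimums add up to less.
MIN_LENGTH = 20


def parse_rules(rules):
    """Parse a cmdr:rules value such as "4,6,3,8" into four minimum counts.

    Anything other than exactly four non-negative integers raises ValueError,
    so a mistyped record field fails loudly instead of quietly producing a
    weaker password than the target system's policy demands.
    """
    parts = [p.strip() for p in rules.split(",")]
    if len(parts) != 4:
        raise ValueError("cmdr:rules needs exactly four comma-separated counts")
    counts = []
    for p in parts:
        if not p.isdigit():
            raise ValueError("cmdr:rules counts must be non-negative integers: %r" % (p,))
        counts.append(int(p))
    return tuple(counts)


def generate_password(rules, min_length=MIN_LENGTH):
    """Generate a password satisfying the per-class minimums in ``rules``.

    Each class contributes at least its minimum; if the minimums add up to
    less than ``min_length`` the remainder is drawn from all classes. A
    SystemRandom instance (OS CSPRNG) does both the selection and the final
    shuffle, so the classes do not appear in a predictable order.
    """
    counts = parse_rules(rules)
    rng = secrets.SystemRandom()
    chars = []
    for count, alphabet in zip(counts, RULE_CLASSES):
        chars.extend(rng.choice(alphabet) for _ in range(count))
    everything = "".join(RULE_CLASSES)
    while len(chars) < min_length:
        chars.append(rng.choice(everything))
    rng.shuffle(chars)
    return "".join(chars)


def check_rules(password, rules):
    """Return True if ``password`` meets every minimum count in ``rules``.

    Handy after a rotation to confirm the stored password really satisfies the
    complexity policy of the system it was pushed to.
    """
    counts = parse_rules(rules)
    for count, alphabet in zip(counts, RULE_CLASSES):
        if sum(1 for c in password if c in alphabet) < count:
            return False
    return True


if __name__ == "__main__":
    pw = generate_password("4,6,3,8")
    print(pw, check_rules(pw, "4,6,3,8"))
```

string.punctuation includes quotes and backslashes; a target that passes the new password through a shell or an LDAP filter may need the special-character alphabet narrowed, which is a one-line change to RULE_CLASSES.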

Rotate

To rotate Windows passwords, use the rotate command in Commander. Pass the command a record title or UID (or use --match with a regular expression to rotate several records at once)

rotate "Windows Example" --plugin windows

The plugin can be supplied to the command as shown here, or added to a record field (see options above). Adding the plugin type to the record makes it possible to rotate several records at once with different plugins.

Output

After rotation is completed, the new password will be stored in the Password field of the record

Active Directory Plugin

Active Directory plugin for Keeper Commander rotation


This plugin provides IT Admins with the ability to rotate the password of an Active Directory user account. This plugin can be run on any system that has network access to the AD server.

Prerequisites

Install the ldap3 module

pip3 install ldap3

Prepare Record for Rotation

Create a Record for Rotation

Rotation supports legacy and typed records. If using a typed record, a 'Password' type field is required. Additional fields may be needed depending on the rotation type. See the instructions below.

See the Troubleshooting section for more information on legacy vs typed records

Set the Password Field

In the Keeper record, put the user's current password in the "Password" field

Set the Hostname and Port

If using an untyped record, the host and port can be supplied as custom fields. See below.

TIP: If no rotation plugin is specified, Commander will use the port number to guess which rotation to use. Port 389 will use AD rotation

Add the following required fields

The following fields are required for AD rotation. Create each field with the label indicated and supply the required information.

Label: cmdr:use_ssl
Value: True or False
Comment: Whether to connect to the AD server over SSL/TLS (LDAPS). Active Directory only accepts password changes over an encrypted connection, so this is normally True (see Connecting to Active Directory below).

Label: cmdr:userdn
Value: Distinguished name of the AD user whose password you want to rotate
Comment: This DN identifies the account; the record's Login field is not used by this plugin.

Additional Rotation Settings

The following values customize rotation parameters. Add each option to the record as a text field whose label is the name shown below.

Label: cmdr:plugin
Value: adpasswd
Comment: (Optional) Tells Commander to use Active Directory rotation. Set this on the record or pass it to the rotate command with --plugin.

Label: cmdr:host
Value: Host name or IP address of your AD server
Comment: Add this as a custom field if the host is not entered as a record field.

Label: cmdr:port
Value: Port number of your AD server
Comment: (Optional) Default value: 389. LDAPS conventionally listens on 636, so set this to match your cmdr:use_ssl setting.

Label: cmdr:rules
Value: # uppercase, # lowercase, # numeric, # special (e.g. 4,6,3,8)
Comment: (Optional) Password complexity rules, in the same format as the other plugins.

Rotate Record

To rotate Active Directory passwords, use the rotate command in Commander. Pass the command a record title or UID (or use --match with a regular expression to rotate several records at once)

rotate "AD Password Rotator" --plugin adpasswd

The plugin can be supplied to the command as shown here, or added to a record field (see options above). Adding the plugin type to the record makes it possible to rotate several records at once with different plugins.

Notes and Troubleshooting:

The Keeper "Login" field is not used for this plugin. The user is identified with the cmdr:userdn custom field.

If you get the error "Error during connection to AD server" try the following:

  • Ensure your AD server supports a secure bind over TLS (LDAPS). The certificate can be self-signed if needed.

  • Disable the 'Minimum password age' group policy for the rotated accounts. It is set to one day by default and blocks a password change made by the account itself within that window. Loosen it only for the accounts Commander rotates, since it is the control that stops a user from cycling straight back to an old password.

  • Verify connectivity to the host server and make sure it is accessible. A tool such as the Softerra LDAP Browser can test whether you are able to connect to Active Directory.

  • Check that the Distinguished Name in cmdr:userdn is set correctly. It needs to be exactly right or the connection will fail. You can check the value from within the Softerra LDAP Browser, or by running the following utility at a command prompt on the AD server:

C:\Users\craig>dsquery user -name Craig*
"CN=Craig Lurey,CN=Users,DC=keeper,DC=test,DC=keepersecurity,DC=com"

For connecting as Craig in this scenario, make sure the cmdr:userdn custom field contains this exact string (without the quotes).

Connecting to Active Directory

Microsoft Active Directory requires an SSL/TLS (LDAPS) connection in order to change a password. The following link explains how to set up a secure connection to Active Directory:

https://blogs.msdn.microsoft.com/microsoftrservertigerteam/2017/04/10/step-by-step-guide-to-setup-ldaps-on-windows-server/
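Putting the AD fields together: the following Python is an added example written for this page, not the adpasswd plugin's code. It maps the custom fields described above onto connection parameters, rejecting cmdr:use_ssl=False up front (the directory would refuse the change anyway, and a cleartext bind would expose the current password) and sanity-checking that cmdr:userdn is shaped like a distinguished name, then performs the bind and password change with the ldap3 module listed under Prerequisites (ldap3.Server, ldap3.Connection, ldap3.Tls and conn.extend.microsoft.modify_password are ldap3's own API). The hostname dc01.example.test and the sample record values are constructed; the DN is the one from the dsquery output above. The ca_certs_file parameter is this example's way of pinning a self-signed DC certificate rather than turning verification off.

```python
import ssl

REQUIRED_FIELDS = ("cmdr:host", "cmdr:userdn", "cmdr:use_ssl", "password")


def parse_bool(value):
    """Interpret the cmdr:use_ssl text field ('True' / 'False', any case)."""
    v = str(value).strip().lower()
    if v in ("true", "yes", "1"):
        return True
    if v in ("false", "no", "0"):
        return False
    raise ValueError("cmdr:use_ssl must be True or False, got %r" % (value,))


def looks_like_dn(value):
    """Rough shape check for a distinguished name: comma-separated attr=value pairs.

    Catches the common mistake of putting a display name or sAMAccountName in
    cmdr:userdn. Escaped commas inside values are not handled; exactness is
    still verified by the directory at bind time.
    """
    parts = [p.strip() for p in value.split(",")]
    return all("=" in p and p.split("=", 1)[0].strip() and p.split("=", 1)[1].strip() for p in parts)


def ad_params_from_record(fields):
    """Map a record's custom fields (label -> value) plus its password onto connection parameters.

    Mirrors the field tables on this page: cmdr:port defaults to 389,
    cmdr:use_ssl and cmdr:userdn are mandatory, and the Login field is ignored.
    Returns a dict whose 'warnings' list flags settings that are legal but suspicious.
    """
    missing = [k for k in REQUIRED_FIELDS if not fields.get(k)]
    if missing:
        raise ValueError("record is missing required fields: " + ", ".join(missing))
    use_ssl = parse_bool(fields["cmdr:use_ssl"])
    if not use_ssl:
        # AD rejects unicodePwd modifications over a cleartext bind; fail before
        # the current password is ever sent over the wire in the clear.
        raise ValueError("Active Directory requires TLS to change a password; set cmdr:use_ssl to True")
    user_dn = fields["cmdr:userdn"].strip()
    if not looks_like_dn(user_dn):
        raise ValueError("cmdr:userdn does not look like a distinguished name: %r" % (user_dn,))
    port = int(fields.get("cmdr:port") or 389)
    warnings = []
    if port == 389:
        warnings.append("use_ssl is True but port is 389; LDAPS conventionally listens on 636")
    return {"host": fields["cmdr:host"].strip(), "port": port, "use_ssl": use_ssl,
            "user_dn": user_dn, "old_password": fields["password"], "warnings": warnings}


def rotate_ad_password(params, new_password, ca_certs_file=None):
    """Bind as the account over LDAPS and change its own password (network call).

    The change supplies the current password, so AD's 'Minimum password age'
    policy applies, which is why the troubleshooting notes above mention it.
    With ca_certs_file set, the server certificate is verified against that CA
    bundle, which also works for a self-signed certificate exported from the DC.
    """
    import ldap3  # pip3 install ldap3 (see Prerequisites); imported lazily so the helpers above run without it

    tls = None
    if ca_certs_file:
        tls = ldap3.Tls(validate=ssl.CERT_REQUIRED, ca_certs_file=ca_certs_file)
    server = ldap3.Server(params["host"], port=params["port"], use_ssl=params["use_ssl"], tls=tls)
    conn = ldap3.Connection(server, user=params["user_dn"], password=params["old_password"],
                            authentication=ldap3.SIMPLE, auto_bind=True)
    try:
        ok = conn.extend.microsoft.modify_password(params["user_dn"], new_password, params["old_password"])
        if not ok:
            raise RuntimeError("password change rejected: %s" % (conn.result,))
    finally:
        conn.unbind()
    return True


# Constructed sample record for the stand-alone run; dc01.example.test is a placeholder host.
SAMPLE_RECORD = {
    "cmdr:host": "dc01.example.test",
    "cmdr:port": "636",
    "cmdr:use_ssl": "True",
    "cmdr:userdn": "CN=Craig Lurey,CN=Users,DC=keeper,DC=test,DC=keepersecurity,DC=com",
    "password": "current-password-placeholder",
}

if __name__ == "__main__":
    params = ad_params_from_record(SAMPLE_RECORD)
    print("would connect to ldaps://%s:%d as %s" % (params["host"], params["port"], params["user_dn"]))
    for w in params["warnings"]:
        print("warning:", w)
    # rotate_ad_password(params, new_password, ca_certs_file="dc-ca.pem") performs the change against a real DC.
```

The validation runs before any network traffic, so a record with a wrong DN or a cleartext setting is reported as a record problem rather than as the generic connection error discussed in the troubleshooting notes.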

Automatic Execution

Automatic password rotation with Commander


You can automate password rotation using Commander plugins with a custom Commander configuration file.

Example:

{
    "user":"admin@company.com",
    "password":"somereallystrongpassword",
    "commands":["d", "r iaOXP1fnApRh5DbaRd7MWA"]
}

In this example, Commander is told to first download and decrypt records (d), then rotate the password of the record with UID iaOXP1fnApRh5DbaRd7MWA (r) using the plugin configured on the record. Because this configuration file holds the master password in clear text, restrict its permissions to the account that runs Commander (for example chmod 600 on Unix) and keep it off shared storage. To locate the Record UID, view it in the Commander interactive shell or in the Keeper Web Vault and Desktop App (as seen below).

Locate Record UID

For more information on running Commander commands with a configuration file, see the documentation