Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Deprecated or legacy Commander Commands
Old or unsupported commands are listed here...
Rotate passwords on any remote system using Keeper Commander plugins
Keeper has launched a new Password Rotation feature with Keeper Secrets Manager. This new capability is recommended for all password rotation use cases. The Documentation is linked below:
Password Rotation with Keeper Secrets Manager
Commander KeeperPAM commands
Keeper Commander has a feature which can communicate to internal and external systems for the purpose of rotating a password and synchronizing the change to your Keeper Vault. We accomplish this by associating a Keeper record with a physical system through the use of custom fields. For example, you might want to rotate your MySQL password, Active Directory password and local Administrator password automatically.
Typed records add simplicity to Commander rotation. Commander can scan fields and make intelligent decisions about the rotation type, and connection details. Record types such as the standard "SSH Key" or "Server" types make it easy to create records that are ready for rotation.
Each rotation plugin has slightly different requirements, select from the list of plugins on the left nested under this page to learn more.
Commander will identify the type of rotation to use automatically based on the values supplied to the record. For example a record with a PORT value of 22 will use the SSH rotation plugin by default. The rotation plugin can also be specified during rotation or with a custom record field.
Optionally, any records can use custom fields as configuration for rotation. See table below for an example of custom fields.
Not sure the difference between typed and untyped records? See the Troubleshooting section
Older, non-typed records require some additional setup in order to support Commander rotation.
To support a rotation plugin, simply add a set of custom field values to the Keeper record. The custom field values tell Commander which plugin to use, and what system to communicate with when rotating the password. To modify your Keeper record to include custom fields, login to Keeper on the Web Vault or Keeper Desktop app.
Example custom fields for MySQL password rotation:
Typed records also support custom record fields. If an older record is converted to be typed (and the fields are unchanged) it will work with Commander rotation.
When a plugin is specified in a record, Commander will search in the plugins/ folder to load the module based on the name provided (e.g. mysql.py) then it will use the values of the Keeper record to connect, rotate the password and save the resulting data.
Check out the plugins folder for all of the available plugins. Keeper's team adds new plugins on an ongoing basis. If you need a particular plugin created, send us an email to commander@keepersecurity.com.
https://github.com/Keeper-Security/Commander/tree/master/keepercommander/plugins
To activate a plugin for a particular Keeper record, you first need to update the custom fields for that record with special keywords that are used by Commander. See the specific plugin for the custom field requirements.
To perform a rotation use the rotate
command.
Keeper's team is expanding the number of plugins on an ongoing basis. If you need a particular plugin created or modified, email us at commander@keepersecurity.com.
Commands for performing password rotations on target systems.
Keeper has launched a new Password Rotation feature with Keeper Secrets Manager. This new capability is recommended for all password rotation use cases. The Documentation is linked below:
Whether using the interactive shell, CLI or JSON config file, Keeper supports the following commands, each command supports additional parameters and options.
To get help on a particular command, run:
help <command>
Command: rotate
or r
Detail: Rotate a record's password
To be eligible for rotation, a record must have the custom field 'cmdr:plugin'='noop'
Parameters:
Record name or UID to rotate
Switches:
--print display updated record content after rotation
--match <REGULAR EXPRESSION> select all records that match this expression to rotate
--password <NEW PASSWORD> sets a new password. Commander generates random password if switch omitted. Ignored when passwords are rotated with --match parameter.
Examples:
Rotate the password of the record titled "dev" in the "servers" folder
Rotate the password of the record with the given UID
Rotate the password of all records that end with "machine" (Using regex)
Rotate the password of the give record UID with the specific password provided
Command: set
Detail: Set an environment variable
Parameters:
environment name, value to set
format:
set <name> <value>
Examples:
Set the MySecret variable to XXX
Command: echo
Detail: Display environmental variables
Parameters:
argument to display (optional)
format:
echo ${<variable>}
If no argument is given, all environment variables are shown
Examples:
Display all currently set environment variables
Display the value for the MySecret variable
with Keeper Secrets Manager
For more information and examples see
Custom Field Name
Custom Field Value
cmdr:plugin
mysql
cmdr:host
192.168.1.55
cmdr:db
testing
Command | Explanation |
| Rotate the password in a record |
| Set environment variables that can be used for substitution within other commands or arguments |
| Display environmental variables |
Rotate AWS Passwords and Keys
Keeper has launched a new Password Rotation feature with Keeper Secrets Manager. This new capability is recommended for all password rotation use cases. The Documentation is linked below:
Password Rotation with Keeper Secrets Manager
You need to configure your AWS environment on the environment with an account that has administrative privileges in order to modify the Password for the specified user.
Rotation supports legacy and typed records. Additional fields may be added depending on the rotation type as well. See the instructions below.
See the Troubleshooting section for more information on legacy vs typed records
To run a rotation of AWS Keys, use the rotate
command in Commander. Pass the command a record title or UID (or use --match
with a regular expression to rotate several records at once)
The plugin can be supplied to the command as shown here, or added to a record field (see options below). Adding the plugin type to the record makes it possible to rotate several records at once with different plugins.
The following optional values can customize rotation parameters. Add these options to a record as text fields and set the label to correspond to the parameter as shown in the table.
For an easier time creating new AWS rotation records, create a custom record type with the text type fields defined
After rotation is completed, the Access Key ID and Secret Key are stored in custom fields on the record with labels: cmdr:aws_key_id
and cmdr:aws_key_secret
.
Any Keeper user or Keeper Shared Folder associated with the record is updated instantly.
The 'Password' field is ignored when rotating keys
To run a rotation of AWS passwords, use the rotate
command in Commander. Pass the command a record title or UID (or use --match
with a regular expression to rotate several records at once)
The plugin can be supplied to the command as shown here, or added to a record field (see options below). Adding the plugin type to the record makes it possible to rotate several records at once with different plugins.
The following optional values can customize rotation parameters. Add these options to a record as text fields and set the label to correspond to the parameter as shown in the table.
The Password
field of the Keeper record contains a new password to AWS account.
Label | Value | Comment |
---|---|---|
Label | Value |
---|---|
Name | Value | Comment |
---|---|---|