# SSH Plugin

{% hint style="warning" %}
Keeper has also launched a zero-trust Password Rotation feature with KeeperPAM. This new capability is recommended for most password rotation use cases. The documentation is linked below:

* [Password Rotation with KeeperPAM](/keeperpam/secrets-manager/password-rotation.md)
* Commander [KeeperPAM commands](/keeperpam/commander-cli/command-reference/keeperpam-commands.md)
{% endhint %}

The SSH plugin for Keeper Commander lets you generate SSH keys and rotate them on one or more target systems, or rotate any local or remote user's Unix/Linux password.

## Prerequisites

### SSH Key Rotation

#### Install OpenSSL and OpenSSH

This plugin requires **OpenSSL** and **OpenSSH** packages to be installed on the computer running Keeper Commander.

To verify the installation, open the Terminal application and make sure the `openssl` and `ssh` commands are installed and accessible through the system **PATH** environment variable.

### SSH Password Rotation

Plugin name: `ssh`

## Prepare a Record for Rotation

Rotation supports legacy and typed records. If using a typed record, a 'Login' type field is required. Additional fields may also be added depending on the rotation type. See the instructions below.

The standard "SSH Key" record type is a good fit for SSH rotations.

{% hint style="info" %}
See the [Troubleshooting](/keeperpam/commander-cli/troubleshooting-commander-cli.md#typed-vs-untyped-records-v3-vs-v2) section for more information on legacy vs typed records.
{% endhint %}

### Set the Login Name

#### Populate the **'Login'** field of the Keeper record with the target system(s) login name

![](https://762006384-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MJXOXEifAmpyvNVL1to%2F-Mf3OKL0C-A5D2nQFew1%2F-Mf4OShy7nCcxJc2f8TN%2Fimage.png?alt=media\&token=ca9f94cf-dead-4143-a5a3-ba85cdf257aa)

### Set the Hostname and Port

![](https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FE4X6qOhCPWsssZVp37JT%2Fimage.png?alt=media\&token=8c9a7887-a5b8-4950-ba38-9c56d484905e)

If using an untyped record, the host and port can be set to custom fields. See below.

{% hint style="info" %}
TIP: If no rotation plugin is specified, Commander will use the port number to guess which rotation to use. Port 22 will use SSH rotation.
{% endhint %}

### Additional Rotation Settings

The following values can customize rotation parameters. Add these options to a record as text fields and set the label to correspond to the parameter as shown in the table.

| Label       | Value                                                                       | Comment                                                                                                                                          |
| ----------- | --------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------ |
| cmdr:plugin | sshkey \| ssh                                                               | (Optional) Tells Commander to use SSH key or SSH password rotation. This should either be set on the record or supplied to the rotation command |
| cmdr:host   |                                                                             | (Optional) Host name or IP address of target server. Can be added as a custom field if not entered as a record field                             |
| cmdr:rules  | # uppercase, # lowercase, # numeric, # special (e.g. 4,6,3,8)               | (Optional) Password generation rules                                                                                                             |

{% hint style="info" %}
For SSH key rotation, in order to automate the rotation of the public key on the target server, the public key must be manually updated **one time** in `.ssh/authorized_keys` on the target host(s).

After it has been set this first time, subsequent rotations will be automated and updated by Commander.
{% endhint %}

![](https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FoNT8pQ2YxiSOv8OBWv6W%2Fimage.png?alt=media\&token=5f362713-c5ec-4d56-b515-2eded5aa51cc)

## Rotate

### SSH Key Rotation

#### First Time Setup and Run

When setting up this plugin for the first time, please use the following steps:

#### 1. Populate Keeper Record

Populate the Title, Login, and Hostname or IP and Port fields of the Keeper record.

#### 2. Execute rotate command and store public key

Execute the `rotate` command in the Keeper shell for this record. Commander will generate the public and private keys and store them in the record. Copy the public key and add it to the file `.ssh/authorized_keys` on the target hosts. This step must be done manually the first time, or you can use the `ssh-copy-id` Unix command.

**Make sure to set the permissions of the authorized\_keys file on the target system.** `chmod 700 ~/.ssh; chmod 600 ~/.ssh/authorized_keys`

#### 3. Execute key rotation

Execute the `rotate` command in the Keeper shell to perform a full rotation. If successful, the target hosts will be updated with the newly generated public key and the Keeper record will be updated with the private/public key pair.

```
rotate "SSH Credentials" --plugin sshkey
```

{% hint style="info" %}
This plugin assumes that the target system uses the default settings for the SSH service, i.e. the `authorized_keys` file is located in the `.ssh` directory of the user's **HOME** directory.
{% endhint %}

{% hint style="info" %}
For more information on the `rotate` command, see the [documentation](/keeperpam/commander-cli/command-reference/plugins/password-rotation.md).
{% endhint %}
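
The one-time manual step from "First Time Setup" can be scripted on the target host. The following is an added example, not part of Keeper Commander: the function names `install_pubkey` and `perms_ok` and the key file argument are assumptions, and it relies on the default `~/.ssh/authorized_keys` location described above.

```shell
#!/bin/sh
# Added example: one-time install of the Commander-generated public key on a
# target host. Function names and arguments are hypothetical, not Keeper's.

# install_pubkey PUBKEY_FILE [HOME_DIR]
# Appends the key to HOME_DIR/.ssh/authorized_keys if it is not already there
# and applies the permissions the page calls for (700 on .ssh, 600 on the file).
install_pubkey() {
    pubkey_file=$1
    home_dir=${2:-$HOME}
    ssh_dir=$home_dir/.ssh
    auth_file=$ssh_dir/authorized_keys

    # Take the first non-empty line; a public key is a single line.
    key_line=$(grep -v '^[[:space:]]*$' "$pubkey_file" | head -n 1)
    # Accept only "<type> <base64>[ comment]" with a known key type, so that
    # a private key or arbitrary text never lands in authorized_keys.
    case $key_line in
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*\ *) ;;
        *) echo "not an OpenSSH public key: $pubkey_file" >&2; return 2 ;;
    esac

    mkdir -p "$ssh_dir" || return 1
    touch "$auth_file" || return 1
    # -F fixed string, -x whole line, -q quiet: skip if already installed.
    if ! grep -qxF -- "$key_line" "$auth_file"; then
        printf '%s\n' "$key_line" >> "$auth_file" || return 1
    fi
    chmod 700 "$ssh_dir" && chmod 600 "$auth_file"
}

# perms_ok HOME_DIR: succeeds only if the modes are exactly 700 and 600.
# Uses ls rather than stat so it works on both GNU and BSD userlands.
perms_ok() {
    d=$(ls -ld "$1/.ssh" | cut -c1-10)
    f=$(ls -l "$1/.ssh/authorized_keys" | cut -c1-10)
    [ "$d" = "drwx------" ] && [ "$f" = "-rw-------" ]
}
```

Run `install_pubkey` as the login user named in the Keeper record, passing a file that holds the public key copied from the record. Running it again with the same key leaves `authorized_keys` unchanged.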

### SSH Passwords Rotation

To rotate SSH passwords, use the `rotate` command in Commander. Pass the command a record title or UID (or use `--match` with a regular expression to rotate several records at once).

```
rotate "SSH Credentials" --plugin ssh
```

{% hint style="info" %}
The plugin can be supplied to the command as shown here, or added to a record field (see options above). If not supplied, Commander will use the port field to identify which plugin to use. In this case port 22 means the ssh plugin is used.\
Adding the plugin type to the record makes it possible to rotate several records at once with different plugins.
{% endhint %}


