Connect Command
Connect to RDP and SSH servers from the Commander CLI
The connect command is deprecated from Commander versions 16.5.8 and later.
For a full remote connection management tool that supports privileged sessions, session recording and other advanced capabilities, we recommend using our new product Keeper Connection Manager ("KCM").
KCM is an agentless remote desktop gateway that provides secure and effortless access to RDP, SSH, database and Kubernetes endpoints through a web browser.
Learn more:
Connect Command
Using the connect command, Keeper Commander can launch SSH, RDP or other types of connections utilizing content and metadata stored in the Keeper Vault record. Command-line parameters and environmental variables can be supplied through custom fields and file attachments.
The connect command reads the record's custom fields with names starting with "connect:".
connect command:
Command: connect
Detail: Connect directly to a server Using SSH, RDP, or other protocol.
Parameters:
Endpoint name or full record path to endpoint
Switches:
--syntax-help see help for command and template parameters
-n, --new request per-user data
-s, --sort <{endpoint, title, folder}> choose field to sort by
-f, --filter <FILTER BY> filter output
Examples
SSH to a Server via Gateway
In this example, we are showing how to connect to a server through a SSH gateway. The following custom fields are set inside a Keeper record:
Custom Field Name | Custom Field Value |
connect:xxx:description | Production Server via Gateway |
connect:xxx | ssh -o "ProxyCommand ssh -i ${file:gateway.pem} ec2-user@gateway -W %h:%p" -i ${file:server.pem} ec2-user@server |
File Attachment | gateway.pem |
File Attachment | server.pem |
xxx refers to the friendly name which can be referenced when connecting on the command line.
To connect to a server, simply run the below command:
If the SSH private key is encrypted with a passphrase, you will be prompted every time to type in the passphrase. To avoid this, we recommend using the SSH Agent variation described in the next section.
SSH using SSH Agent
Commander can integrate with the local SSH agent to register RSA private keys. This eliminates the need for you to type in the SSH passphrase every time you connect to the remote system. Commander uses the SSH_AUTH_SOCK environment variable on Mac OS / Linux systems. The PowerShell OpenSSH implementation is supported on Windows systems.
To enable integration with ssh-agent ensure that SSH_AUTH_SOCK environment variable is set on Posix compatible systems. For Microsoft Windows, ensure the SSH Agent system service is running. Keeper's connect command uses SSH Agent to temporarily store the private key used in the connection session. After the session disconnects, the private key is removed.
To utilize SSH Agent for connecting to a remote system, simply add one additional custom field to the Vault record:
Custom Field Name | Custom Field Value |
connect:xxx:ssh-key:yyy | ${zzz} ${password} |
or SSH key is stored in the file attachment
Custom Field Name | Custom Field Value |
connect:xxx:ssh-key:yyy | ${body:zzz} ${password} |
or Reference to the record of SSH Key Type
| Custom Field Name | Custom Field Value |
|---|---|
connect:xxx:ssh-key:yyy | <RECORD UID> |
Here, xxx is the friendly name of the connection. yyy is an optional key name used with the SSH agent. zzz references either the custom field (see the first screenshot below) or file attachment (see the second screenshot).
In this example, the first parameter references the private key, the second parameter references the passphrase used to encrypt the private key.
${password} references the value stored in the record's Password field.
Connecting to the remote system using an encrypted passphrase is easy. In our example, to connect to the server called "example2":
ssh-agent command
The ssh-agent command can be used to manage the ssh agent within Commander.
Sub-commands:
start - start the ssh agent
stop - stop the ssh agent
info - see the status of the ssh agent
log - see the ssh agent logs
Remote Desktop (RDP) Launcher Example
To connect seamlessly to a remote windows server using the standard Microsoft Remote Desktop application, Keeper executes a command pre-login, login, and post-login via system calls. In this example, the "pre-login" command stores the password temporarily in the Windows credential manager for the current user. The "login" command initiates the connection using an RDP template file and the stored credentials (the RDP template file is optional). Upon session termination, the "post login" command is executed that deletes the password from the credential manager.
Vault Record Fields:
Custom Field Name | Custom Field Value |
connect:rdp_demo:description | Remote connection to Demo Server |
connect:rdp_demo:pre | cmdkey /generic:12.34.56.78 /user:${login} /pass:${password} > NUL |
connect:rdp_demo | mstsc ${file:Default.rdp} |
connect:rdp_demo:post | cmdkey /delete:12.34.56.78 > NUL |
File Attachment | Default.rdp |
Note: The Default.rdp file is saved from Remote Desktop Connection with your desired configuration.
Supported parameter substitutions
You can customize the commands with parameter substitutions described below:
Listing all available connections
To get a list of available connections, type:
Initiating connections
To initiate a connection (using the SSH/RDP examples) from Commander simply type:
or
Alternatively, you can execute the connection from the terminal without the interactive shell:
Notes:
A single vault record can contain any number of connection references, or the connections can be separated one per record.
If a system command requires user interaction (e.g. if a passphrase is included on an SSH key file), Commander will prompt for input.
Just like any other Keeper vault record, a connection record can be shared among a team, shared to another Keeper user or remain private.
Last updated