Connect Command

Connect to RDP and SSH servers from the Commander CLI
The connect command is deprecated from Commander versions 16.5.8 and later.


Commander can be used for simple "connection" commands that initiate SSH or RDP connections from the CLI.
For a full remote connection management tool that supports privileged sessions, session recording and other advanced capabilities, we recommend using our new product Keeper Connection Manager ("KCM").
KCM is an agentless remote desktop gateway that provides secure and effortless access to RDP, SSH, database and Kubernetes endpoints through a web browser.
Learn more:

Connect Command

Using the connect command, Keeper Commander can launch SSH, RDP or other types of connections utilizing content and metadata stored in the Keeper Vault record. Command-line parameters and environmental variables can be supplied through custom fields and file attachments.
The connect command reads the record's custom fields with names starting with "connect:".

connect command:

Command: connect
Detail: Connect directly to a server Using SSH, RDP, or other protocol.
Endpoint name or full record path to endpoint
--syntax-help see help for command and template parameters
-n, --new request per-user data
-s, --sort <{endpoint, title, folder}> choose field to sort by
-f, --filter <FILTER BY> filter output


SSH to a Server via Gateway

In this example, we are showing how to connect to a server through a SSH gateway. The following custom fields are set inside a Keeper record:
Custom Field Name
Custom Field Value
Production Server via Gateway
ssh -o "ProxyCommand ssh -i ${file:gateway.pem} [email protected] -W %h:%p" -i ${file:server.pem} [email protected]
File Attachment
File Attachment
xxx refers to the friendly name which can be referenced when connecting on the command line.
Keeper Vault Record
To connect to this server, simply run the below command:
My Vault> connect my_server
Connecting to my_server...
Last login: Sat Sep 28 00:25:34 2019 from
[email protected]_server:~$ logout
Connection to my_server closed.
My Vault>
If the SSH private key is encrypted with a passphrase, you will be prompted every time to type in the passphrase. To avoid this, we recommend using the SSH Agent variation described in the next section.

SSH using SSH Agent

Commander can integrate with the local SSH agent to register RSA private keys. This eliminates the need for you to type in the SSH passphrase every time you connect to the remote system. Commander uses the SSH_AUTH_SOCK environment variable on Mac OS / Linux systems. The PowerShell OpenSSH implementation is supported on Windows systems.
To enable integration with ssh-agent ensure that SSH_AUTH_SOCK environment variable is set on Posix compatible systems. For Microsoft Windows, ensure the SSH Agent system service is running. Keeper's connect command uses SSH Agent to temporarily store the private key used in the connection session. After the session disconnects, the private key is removed.
To utilize SSH Agent for connecting to a remote system, simply add one additional custom field to the Vault record:
Custom Field Name
Custom Field Value
${zzz} ${password}
or SSH key is stored in the file attachment
Custom Field Name
Custom Field Value
${body:zzz} ${password}
or Reference to the record of SSH Key Type
Custom Field Name
Custom Field Value
Here, xxx is the friendly name of the connection. yyy is an optional key name used with the SSH agent. zzz references either the custom field (see the first screenshot below) or file attachment (see the second screenshot).
In this example, the first parameter references the private key, the second parameter references the passphrase used to encrypt the private key.
${password} references the value stored in the record's Password field.
Here's a screenshot of a Keeper Vault record where the private key is stored in a custom field:
Here's a screenshot of a Keeper Vault record where the private key is stored in a file attachment:
Connecting to the remote system using an encrypted passphrase is easy. In our example, to connect to the server called "example2":
My Vault> connect example2
Connecting to example2...
Last login: Sat Sep 28 00:25:34 2019 from
Connection to example2 closed.
My Vault>

ssh-agent command

The ssh-agent command is available from Commander version 16.6.7 or greater
The ssh-agent command can be used to manage the ssh agent within Commander.
  • start - start the ssh agent
  • stop - stop the ssh agent
  • info - see the status of the ssh agent
  • log - see the ssh agent logs

Postgres Connection

Commander can set environment variables for the connect application. This can be used to connect to remote systems that require an environment variable to be set.
As an example, you can connect to a Postgres database.
Custom Field Name
Custom Field Value
Here, xxx is the friendly name of the connection.
${password} references the value stored in the record's Password field
Example of Postgres Connection

SSH Key Rotation with Connection

Utilizing the sshkey rotation plugin, Commander can also rotate the SSH private/public key pair.
The same vault record can be created that provides connection capability as well as SSH key rotation.
Keeper vault record that is configured for both connection and key rotation
To rotate the password from the Commander interface, simply use the 'rotate' command:
My Vault> rotate example2
Rotating with plugin sshkey
Update record successful for record_uid=2TlvQqNe7YSF9idGQ
Rotation successful for record_uid=2TlvQqNe7YSF9idGQ
My Vault>
Note: The 'rotate' command accepts either Record UID or friendly name (specified with the cmdr:plugin:xxx custom field where xxx is the friendly name)
Below is a summary of the fields required to perform connection and rotation:
Set to the username, e.g. 'ec2-user' in the 'Login' field.
Set to the passphrase to encrypt the SSH key in the 'Password' field
sshkey "xxx" is the friendly name which can be referenced in command line 'rotate' and 'connect' calls.
(Optional, Multiple) Set to hostname or IP address of target server
${cmdr:private_key} ${password} where "xxx" is the friendly name
ssh ${login}@${cmdr:host} for a basic SSH connection but can be customized
Public key in SSH format. This key is uploaded to the target system.
Public key in RSA format.
Private key encrypted with the passkey stored in the 'Password' field.
Important: Please read the SSH Key Rotation Doc on how to perform the initial setup of SSH keys in the vault record. Once set up the first time, all connection and rotations will be seamless.

Remote Desktop (RDP) Launcher Example

To connect seamlessly to a remote windows server using the standard Microsoft Remote Desktop application, Keeper executes a command pre-login, login, and post-login via system calls. In this example, the "pre-login" command stores the password temporarily in the Windows credential manager for the current user. The "login" command initiates the connection using an RDP template file and the stored credentials (the RDP template file is optional). Upon session termination, the "post login" command is executed that deletes the password from the credential manager.
Vault Record Fields:
Custom Field Name
Custom Field Value
Remote connection to Demo Server
cmdkey /generic: /user:${login} /pass:${password} > NUL
mstsc ${file:Default.rdp}
cmdkey /delete: > NUL
File Attachment
Keeper Vault Record
Note: The Default.rdp file is saved from Remote Desktop Connection with your desired configuration.
Supported parameter substitutions
You can customize the commands with parameter substitutions described below:
${user_email}: Email address of Keeper user
${login}: Record login field
${password}: Record password field
${text:<name>}: Custom per-user variable, prompted for value, not shared
${mask:<name>}: Custom per-user variable, prompted for value, not shared
${file:<attachment_name>}: Stored in temp file during use and deleted after connection close,
${body:<attachment_name>}: Raw content of the attachment file.
Listing all available connections
To get a list of available connections, type:
My Vault> connect
Initiating connections
To initiate a connection (using the SSH/RDP examples) from Commander simply type:
My Vault> connect my_server
My Vault> connect rdp_demo
Alternatively, you can execute the connection from the terminal without the interactive shell:
$ keeper connect my_server
  • A single vault record can contain any number of connection references, or the connections can be separated one per record.
  • If a system command requires user interaction (e.g. if a passphrase is included on an SSH key file), Commander will prompt for input.
  • Just like any other Keeper vault record, a connection record can be shared among a team, shared to another Keeper user or remain private.
Last modified 5mo ago