Server Connections
Connect to RDP and SSH servers from the Commander CLI
This feature is under active development and will be changing drastically in the coming months.

Launching and Connecting to Remote Servers

Using the connect command, Keeper Commander can launch SSH, RDP or other external connections utilizing content and metadata stored in the Keeper vault record. Command-line parameters are supplied through custom fields and file attachments. This command is very flexible and can be totally customized to use any 3rd party application or utility for performing the remote connections.
The connect command reads the record's custom fields with names starting with "connect:".
For more information on the connect command see the command documentation.
Below is a simple example of SSH to a remote server via SSH tunnel gateway.

Examples

SSH Launcher Example: SSH to a server via Gateway

This example shows how to connect to a server through an SSH gateway. The following fields are set:
Custom Field Name | Custom Field Value
connect:xxx:description | Production Server via Gateway
connect:xxx | ssh -o "ProxyCommand ssh -i ${file:gateway.pem} [email protected] -W %h:%p" -i ${file:server.pem} [email protected]
File Attachment | gateway.pem
File Attachment | server.pem
xxx refers to the friendly name which can be referenced when connecting on the command line. In this example we have "my_server".
[Image: Keeper Vault Record]
To connect to this server, simply run the below command:
    My Vault> connect my_server
    Connecting to my_server...

    Last login: Sat Sep 28 00:25:34 2019 from 12.23.34.5

    [email protected]_server:~$ logout
    Connection to my_server closed.
    My Vault>
If the SSH private key is encrypted with a passphrase, you will be prompted every time to type in the passphrase. To avoid this, we recommend using the SSH Agent variation described in the next section.
SSH connection using SSH Agent capabilities
Commander can integrate with the local SSH agent to register RSA private keys. This eliminates the need for you to type in the SSH passphrase every time you connect to the remote system. Commander uses the SSH_AUTH_SOCK environment variable on Mac OS / Linux systems. The PowerShell OpenSSH implementation is supported on Windows systems.
To enable integration with ssh-agent, ensure that the SSH_AUTH_SOCK environment variable is set on POSIX-compatible systems. For Microsoft Windows, ensure the SSH Agent system service is running. Keeper's connect command uses SSH Agent to temporarily store the private key used in the connection session. After the session disconnects, the private key is removed.
To utilize SSH Agent for connecting to a remote system, simply add one additional custom field to the Vault record:
Custom Field Name | Custom Field Value
connect:xxx:ssh-key:yyy | ${zzz} ${password}

or

Custom Field Name | Custom Field Value
connect:xxx:ssh-key:yyy | ${body:zzz} ${password}
Here, xxx is the friendly name of the connection. yyy is an optional key name used with the SSH agent. zzz references either a custom field (see the first screenshot below) or a file attachment (see the second screenshot).
In this example, the first parameter references the private key, the second parameter references the passphrase used to encrypt the private key.
${password} references the value stored in the record's Password field.
Here's a screenshot of a Keeper Vault record where the private key is stored in a custom field:
Here's a screenshot of a Keeper Vault record where the private key is stored in a file attachment:
Connecting to the remote system using a passphrase-encrypted key is easy. In our example, to connect to the server called "example2":
    My Vault> connect example2
    Connecting to example2...

    Last login: Sat Sep 28 00:25:34 2019 from 12.23.34.5
    Connection to example2 closed.
    My Vault>
Postgres connection using environment variables capabilities
Commander can set environment variables for the connect application.
Custom Field Name | Custom Field Value
connect:xxx:env:PGPASSWORD | ${password}
Here, xxx is the friendly name of the connection.
${password} references the value stored in the record's Password field.
[Image: Keeper Vault Record]
Combining SSH Key Rotation with Connection
Utilizing the sshkey rotation plugin, Commander can also rotate the SSH private/public key pair.
The same vault record can be created that provides connection capability as well as SSH key rotation.
[Image: Keeper vault record that is configured for both connection and key rotation]
To rotate the password from the Commander interface, simply use the 'rotate' command:
    My Vault> rotate example2
    Rotating with plugin sshkey
    Update record successful for record_uid=2TlvQqNe7YSF9idGQ
    Rotation successful for record_uid=2TlvQqNe7YSF9idGQ

    My Vault>
Note: The 'rotate' command accepts either the Record UID or the friendly name (specified with the cmdr:plugin:xxx custom field, where xxx is the friendly name).
Below is a summary of the fields required to perform connection and rotation:
Name | Field | Comments
Login | Login | Set to the username, e.g. 'ec2-user' in the 'Login' field.
Password | Password | Set to the passphrase to encrypt the SSH key in the 'Password' field
cmdr:plugin:xxx | Custom | sshkey ("xxx" is the friendly name which can be referenced in command line 'rotate' and 'connect' calls)
cmdr:host | Custom | (Optional, Multiple) Set to hostname or IP address of target server
cmdr:rules | Custom |
connect:xxx:ssh-key | Custom | ${cmdr:private_key} ${password} where "xxx" is the friendly name
connect:xxx | Custom | ssh ${login}@${cmdr:host} for a basic SSH connection but can be customized
cmdr:ssh_public_key | Custom | Public key in SSH format. This key is uploaded to the target system.
cmdr:rsa_public_key | Custom | Public key in RSA format.
cmdr:private_key | Custom | Private key encrypted with the passkey stored in the 'Password' field.
Important: Please read the SSH Key Rotation Doc on how to perform the initial setup of SSH keys in the vault record. Once set up the first time, all connections and rotations will be seamless.

Remote Desktop (RDP) Launcher Example

To connect seamlessly to a remote Windows server using the standard Microsoft Remote Desktop application, Keeper executes pre-login, login, and post-login commands via system calls. In this example, the "pre-login" command stores the password temporarily in the Windows credential manager for the current user. The "login" command initiates the connection using an RDP template file and the stored credentials (the RDP template file is optional). Upon session termination, the "post-login" command is executed, which deletes the password from the credential manager.
Vault Record Fields:
Custom Field Name | Custom Field Value
connect:rdp_demo:description | Remote connection to Demo Server
connect:rdp_demo:pre | cmdkey /generic:12.34.56.78 /user:${login} /pass:${password} > NUL
connect:rdp_demo | mstsc ${file:Default.rdp}
connect:rdp_demo:post | cmdkey /delete:12.34.56.78 > NUL
File Attachment | Default.rdp
[Image: Keeper Vault Record]
Note: The Default.rdp file is saved from Remote Desktop Connection with your desired configuration.
Supported parameter substitutions
You can customize the commands with parameter substitutions described below:
    ${user_email}: Email address of Keeper user
    ${login}: Record login field
    ${password}: Record password field
    ${text:<name>}: Custom per-user variable, prompted for value, not shared
    ${mask:<name>}: Custom per-user variable, prompted for value, not shared
    ${file:<attachment_name>}: Stored in temp file during use and deleted after connection close.
    ${body:<attachment_name>}: Raw content of the attachment file.
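How the connect:xxx fields and the substitutions listed above could be resolved into a launch plan, as an added Python example that is not Commander's own code. The record dict layout, the function names and the hosts are assumptions made for illustration.

```python
import os
import re
import tempfile

# ${login}, ${password}, ${file:<attachment>}, ${body:<attachment>} from the list above
TOKEN = re.compile(r"\$\{(?:(file|body):)?([^}]+)\}")

def expand(template, record, temp_paths):
    """Expand substitution tokens; `record` is a hypothetical dict layout."""
    def repl(m):
        kind, name = m.group(1), m.group(2)
        if kind == "file":
            # mkstemp creates the file 0600 (owner-only), as ssh requires for keys
            fd, path = tempfile.mkstemp(suffix="-" + os.path.basename(name))
            with os.fdopen(fd, "wb") as fh:
                fh.write(record["attachments"][name])
            temp_paths.append(path)
            return path
        if kind == "body":
            return record["attachments"][name].decode()
        if name in ("login", "password"):
            return record[name]
        return m.group(0)  # not handled in this sketch: leave the token untouched
    return TOKEN.sub(repl, template)

def resolve(record, name):
    """Collect the connect:<name> fields into a plan: command, env, temp files."""
    prefix, temp = "connect:" + name, []
    plan = {"command": None, "pre": None, "post": None, "env": {}, "temp": temp}
    for field, value in record["custom"].items():
        if field == prefix:
            plan["command"] = expand(value, record, temp)
        elif field in (prefix + ":pre", prefix + ":post"):
            plan[field.rsplit(":", 1)[1]] = expand(value, record, temp)
        elif field.startswith(prefix + ":env:"):
            # meant for the child process only, never written to os.environ
            plan["env"][field[len(prefix) + 5:]] = expand(value, record, temp)
    return plan

def cleanup(plan):
    """Remove temporary key files after the session closes."""
    while plan["temp"]:
        os.remove(plan["temp"].pop())

# Constructed sample record: placeholder key bytes, hypothetical hosts
RECORD = {"login": "ec2-user", "password": "constructed-passphrase",
          "attachments": {"server.pem": b"CONSTRUCTED KEY BYTES\n"},
          "custom": {"connect:my_server": "ssh -i ${file:server.pem} ${login}@host.example",
                     "connect:pg": "psql -h db.example -U ${login}",
                     "connect:pg:env:PGPASSWORD": "${password}"}}
```

Call cleanup(plan) in a finally block around the launched process so the temporary key file is removed even when the connection command fails.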
Listing all available connections
To get a list of available connections, type:
    My Vault> connect
Initiating connections
To initiate a connection (using the SSH/RDP examples) from Commander simply type:
    My Vault> connect my_server
or
    My Vault> connect rdp_demo
Alternatively, you can execute the connection from the terminal without the interactive shell:
    $ keeper connect my_server
Notes:
  • A single vault record can contain any number of connection references, or the connections can be separated one per record.
  • If a system command requires user interaction (e.g. if a passphrase is included on an SSH key file), Commander will prompt for input.
  • Just like any other Keeper vault record, a connection record can be shared among a team, shared to another Keeper user or remain private.