Logging in
Information and detail around authentication to the Commander CLI

First Login on a New Device

To log in to Commander for the first time, click the Keeper Commander icon or open a shell and type:

    $ keeper shell

Once the shell is open, begin the login by typing login. If this is your first login, you will need to follow the device approval workflow. This is only needed once, as an extra layer of security to trust the device you are on.
First Login Example:

    Not logged in> login
    ... User(Email): [email protected]
    Logging in to Keeper Commander

    Device Approval Required
    Approve by selecting a method below:
    "email_send" to send email
    "email_code=<code>" to validate verification code sent via email
    "keeper_push" to send Keeper Push notification
    "2fa_send" to send 2FA code
    "2fa_code=<code>" to validate a code provided by 2FA application
    "approval_check" check for device approval
    Type your selection:

    If you wish to approve via email:
      Type email_send or es
      Enter the security code via email_code=<code>
    If you wish to approve via Keeper Push:
      Type keeper_push
      Approve via push
      Type approval_check
    If you wish to approve via 2fa code:
      Input 2fa_send
      Input 2fa_code=<code>
Once complete you will receive the following message:

    Device was approved

Logging in with a Master Password

After device approval, you will immediately move to the login process, or if you previously approved the device, this will be the first step.
Login Example (approved device):

    Not logged in> login
    ... User(Email): [email protected]
    Logging in to Keeper Commander
    Enter password for [email protected]
    Password: *********

    Successfully authenticated with Login V3 (Password)
    Syncing...
    Decrypted [23] record(s)
    My Vault>

Logging in With 2FA

If you have 2FA enforced on your account, you will be required to pass the 2FA step before logging in with a Master Password. Your login flow in Commander will follow the same rules you have for logging in to the Vault.
Login Example (2FA):

    Not logged in> login
    ... User(Email): [email protected]
    Logging in to Keeper Commander
    This account requires 2FA Authentication
    U2F (FIDO Security Key)
    Send SMS Code
    3. TOTP (Google Authenticator) [ ENABLED ]
    DUO
    Selection:

Each 2FA method that is enabled will have a number next to it.
In this example, only TOTP is enabled, so 3 would need to be entered, followed by the TOTP code. Enter the corresponding number to proceed:

    Selection: 3

    Enter 2FA Code or Duration: 2fa_duration=forever
    Enter 2FA Code or Duration: 123456

By default, Keeper Commander prompts for 2FA code on every login. To store 2FA authentication for this device either for 30 days or forever, type one of the following before entering the code:
    2fa_duration=30_days to prompt for 2FA every 30 days, or...
    2fa_duration=forever to never prompt again on this device

Enterprise SSO Login

Customers who normally log in to their Keeper Vault using Enterprise SSO Login (SAML 2.0) can also log in to Keeper Commander using a Master Password. This capability must be enabled by the Keeper Administrator and then configured by the user. The steps are below:
(1) Login to the Admin Console
(2) Enable SSO Master Password Policy
For the User/Role who will be accessing Keeper Commander, open the Role Enforcement Policy setting screen. Enable the option "Allow users who login with SSO to create a Master Password"
[Figure: SSO Master Password Policy]
(3) Login to the End-User Vault using SSO
(4) Create a Master Password
Visit the Settings > General screen and setup a Master Password
After the Master Password is created, you are able to log in to Keeper Commander.

Commander Configuration File

When you log in to Commander for the first time, a config.json file is created if one does not exist. By default, the config file is created at ~/.keeper on macOS and Linux, and at C:\Users\.keeper on Windows.

Config File Example

    {
        "server":"https://keepersecurity.eu/",
        "password":"your_password_here",
        "private_key": "yaeK4jMeIGNkSR2pi4xf2XGmYM094YMUoE8-QEW9CAA",
        "device_token": "g6RDMxr1t-bcVdBeBpz-xQ",
        "mfa_duration": "forever",
        "debug":false,
        "plugins":[],
        "commands":[],
        "timedelay":0
    }

Config File Options

    server: Keeper data center region
      Commander defaults to the US region, so customers hosted in other regions will need to specify a server in the config.

      Region    Property Setting for "server"
      US        https://keepersecurity.com
      EU        https://keepersecurity.eu
      AU        https://keepersecurity.com.au
      GOV       https://govcloud.keepersecurity.us

    debug: enable or disable detailed crypto and network logging
      set to true or false
    plugins: Set which password rotation plugin will be loaded.
      Learn more about password rotation plugins for Commander.
    commands: Comma-separated list of Keeper commands to run
    timedelay: Run the specified commands every X seconds.
      example: "timedelay":600 will run the commands every 10 minutes.
    private_key: Device private key generated by Commander on a new device. This key is used to encrypt and decrypt vault data.
    device_token: Device token generated by the backend for every new device. The device token is used to uniquely identify the device, and it controls the session behavior.

Running Commands from the Configuration File

Using the commands field allows for predetermined commands to be run on login.
Enter a comma-separated list of Keeper Commander commands to be run. Example:

config.json:

    {
        ...
        "commands": ["sync-down", "file-report -d"]
        ...
    }

In this example, it will sync, and then download a report of the available files in the vault.

Configuration File Location

If you start Commander from the binary installer, the config file will be located in the user's home directory in a folder called ".keeper".
    On Mac environments, the configuration file is located in ~/.keeper/config.json
    In Windows environments, the configuration file is located in /Users/{Username}/Documents/.keeper/config.json
If you use Commander from a PIP3 or source installation, the configuration file will be created in the current folder where the Commander executable is started from.
You can specify the config file to use when launching Commander, for example:

    $ keeper shell --config /path/to/config.json

Authenticating on Multi-Server Environments

In an environment with multiple servers or dynamic servers, you can use the same config.json file for each instance as long as all of the fields are populated, and the device identifier has been "approved".
Example config.json file:

    {
        "user": "[email protected]",
        "password": "RANDOM_LONG_PASSWORD",
        "server": "https://keepersecurity.com",
        "private_key": "yaeK4jMeIGNkSR2pi4xf2XGmYM094YMUoE8-QEW9CAA",
        "device_token": "g6RDMxr1t-bcVdBeBpz-xQ"
    }

As long as you have performed a device approval step at least one time, this configuration file can be loaded on any number of servers.
If you plan to distribute this file to multiple instances, we recommend protecting this file through secure storage facilities provided by your cloud infrastructure. We also recommend assigning the user account to a Role Enforcement policy on the Keeper Admin Console that is locked down based on IP range.
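
An added example (not part of Keeper's documentation or Commander's code): a Python check that audits a config.json for the fields this page describes, flagging a stored Master Password, file access beyond the owner, mfa_duration set to forever, commands that run on login, and a server value outside the region table. The name audit_config, the finding ids and the sample values are assumptions made for illustration.

```python
import json
import os
import stat
import tempfile

# "server" values from the region table on this page.
KNOWN_SERVERS = {"https://keepersecurity.com", "https://keepersecurity.eu",
                 "https://keepersecurity.com.au", "https://govcloud.keepersecurity.us"}

def audit_config(path):
    """Return (finding_id, message) tuples for a Commander config.json."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    # The file holds the device private key and possibly the Master Password,
    # so on POSIX systems only the owner should have any access to it.
    if os.name == "posix" and mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(("perms", f"mode {mode:o} grants group/other access"))
    with open(path, encoding="utf-8") as fh:
        cfg = json.load(fh)
    if cfg.get("password"):
        findings.append(("password", "Master Password stored in plaintext"))
    if cfg.get("mfa_duration") == "forever":
        findings.append(("mfa", "2FA is never prompted again on this device"))
    if cfg.get("commands"):
        findings.append(("commands", f"run on login: {cfg['commands']}"))
    server = str(cfg.get("server", "")).rstrip("/")
    if server and server not in KNOWN_SERVERS:
        findings.append(("server", f"not in the region table: {server!r}"))
    return findings

def demo():
    """Audit a constructed sample config (placeholder secrets only)."""
    sample = {
        "server": "https://keepersecurity.eu/",
        "password": "PLACEHOLDER_PASSWORD",
        "private_key": "PLACEHOLDER_KEY",
        "device_token": "PLACEHOLDER_TOKEN",
        "mfa_duration": "forever",
        "commands": ["sync-down"],
    }
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "config.json")
        with open(path, "w", encoding="utf-8") as fh:
            json.dump(sample, fh)
        os.chmod(path, 0o644)  # deliberately too permissive for the demo
        return audit_config(path)

if __name__ == "__main__":
    for finding_id, message in demo():
        print(f"[{finding_id}] {message}")
```

A config written for persistent login (no "password" field) and restricted to mode 600 returns an empty list.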

Persistent Login

Persistent Login allows a Commander device to authenticate to Keeper without populating the "password" in the configuration file. To enable this feature, the user must register the device and turn on the persistent login setting. Once that is done, the next time the user logs in, the session is resumed and the user is logged in automatically. Several tokens are stored in the config.json file in order to resume a session automatically.
Commands to enable persistent login:

    My Vault> this-device persistent-login on
    My Vault> this-device ip-auto-approve on
    My Vault> this-device timeout 432000

It is possible to log in on another device (such as a server) without storing the Master Password in the config.json file. Example file:

    {
        "user": "[email protected]",
        "private_key": "yaeK4jMeIGNkSR2pi4xf2XGmYM094YMUoE8-QEW9CAA",
        "device_id": "IqpZaJj5KYLLLb_vTwn_dhOXytakXU6mFNQJfHFYmSxoqg",
        "device_token": "g6RDMxr1t-bcVdBeBpz-xQ"
    }

You can create any number of persistent login sessions. However, the persistent session option is not intended for dynamic multi-server environments. If you share the exact configuration file on multiple servers, persistent login will fail when attempting to log in to the second server.
For multi-server dynamic environments, please refer to the prior section of using a fully populated config file that is distributed to each instance.

Batch Mode

You can batch execute a series of commands and pipe the file to STDIN of Commander. For example, create a text file called test.cmd with the following lines:

    add [email protected] --pass=somemasterpass --url=https://google.com --force "Some Record Title"
    upload-attachment --file="/path/to/some/file.txt" "Some Record Title"
    share-record --email="[email protected]" --write "Some Record Title"

To run this file in batch mode:

    cat test.cmd | keeper --batch-mode -

or

    keeper test.cmd

Handling Errors
Batch execution is aborted if any command returns a failure. Put @ in front of a command to suppress its possible error.

    add [email protected] --pass=somemasterpass --url=https://google.com --force "Some Record Title"
    @upload-attachment --file="/path/to/some/file.txt" "Some Record Title"
    share-record --email="[email protected]" --write "Some Record Title"

Batch Mode in Windows
The following example shows how to execute three commands using the Windows command line:

    (echo ls -l && echo whoami && echo tree) | keeper --batch-mode -