⚠️ Warning:
This script is not tested enough to be considered stable; use with caution.
I'm not responsible if my code breaks your machine.
This repository is a workaround for a limitation in the Keeper Commander CLI's implementation of ssh-agent.
See: Keeper-Security/Commander#965
- Runs `keeper ssh-client` as a background service using `screen`.
- Handles the login flow with `zenity`.
- Auto-registers `SSH_AUTH_SOCK` in `~/.bashrc` so ssh-agent is used by every program.
- Auto-extracts public key files (in `~/.ssh/keeper/`) for each SSH private key in your Keeper Vault.
- Stores the Keeper config file in Gnome Keyring (libsecret).
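Two of the behaviours listed above (registering the agent socket in `~/.bashrc` and deriving a `.pub` next to each private key) are shown here as an added, stand-alone example. This is not the keeper-ssh script's own code; the function names, the `# managed by keeper-ssh` marker, the socket path and the scratch directories are all constructed for the example. It assumes the private keys are unencrypted files, as exported from the vault, so `ssh-keygen -y` never prompts, and it adds a third helper, `agent_alive`, that checks whether the daemon's socket actually answers before anything relies on it.

```shell
#!/bin/sh
# Added example (not part of the keeper-ssh repository).

# Register SSH_AUTH_SOCK in a bashrc-style file ($1) exactly once. A marker comment
# identifies the managed line so repeated daemon starts replace it (the socket path
# may change) instead of appending duplicates. Prints the number of managed lines
# after the write, which should always be 1.
register_auth_sock() {
    rc_file=$1
    sock=$2
    marker='# managed by keeper-ssh'   # constructed marker, not the script's own
    touch "$rc_file"
    # Drop any previous managed line, then append the current socket path.
    grep -v "$marker" "$rc_file" > "$rc_file.tmp" || true
    printf 'export SSH_AUTH_SOCK="%s" %s\n' "$sock" "$marker" >> "$rc_file.tmp"
    mv "$rc_file.tmp" "$rc_file"
    grep -c "$marker" "$rc_file"
}

# Derive a .pub for every private key in directory $1 into directory $2
# (directory 0700, files 0644). Files that are not parseable private keys are
# skipped and no empty .pub is left behind. Prints the number of keys written.
extract_pubkeys() {
    src=$1
    dst=$2
    n=0
    mkdir -p "$dst" && chmod 700 "$dst"
    for key in "$src"/*; do
        [ -f "$key" ] || continue
        case "$key" in *.pub) continue ;; esac
        name=$(basename "$key")
        # -P '' supplies an empty passphrase and stdin is /dev/null, so an
        # unexpectedly encrypted key fails instead of hanging on a prompt.
        if ssh-keygen -y -P '' -f "$key" > "$dst/$name.pub" 2>/dev/null </dev/null; then
            chmod 644 "$dst/$name.pub"
            n=$((n + 1))
        else
            rm -f "$dst/$name.pub"
        fi
    done
    printf '%s\n' "$n"
}

# Return 0 if an ssh-agent answers on socket $1 (with or without keys loaded),
# non-zero if nothing is listening. `ssh-add -l` exits 1 for "agent has no
# identities" and 2 when it cannot connect to the agent at all.
agent_alive() {
    rc=0
    SSH_AUTH_SOCK=$1 ssh-add -l >/dev/null 2>&1 || rc=$?
    [ "$rc" -eq 0 ] || [ "$rc" -eq 1 ]
}
```

Running `register_auth_sock ~/.bashrc "$SSH_AUTH_SOCK"` twice leaves a single managed line, and `agent_alive "$SSH_AUTH_SOCK" || echo "agent not reachable"` is the check worth running before prompting a user for credentials.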
- Keeper Commander CLI: How to install
- bash (GNU): How to install
- screen (GNU): How to install
- expect (sgolovan@debian.org): How to install
- Gnome Keyring / libsecret: should already be installed on your distro
| OS | Commander 16.X |
|---|---|
| Fedora 39 (GNOME) | ✅ |
| Fedora 40 (GNOME) | ✅ |
- ✅ : Working and fully tested.
- 🟧 : Working but not fully tested.
- ❔ : Not tested.
- ❌ : Tested and does not work.
You can use this script without a service:

- `./keeper-ssh.sh start`: start the daemon
- `./keeper-ssh.sh stop`: stop the daemon

Install the service with the following command:

```sh
./keeper-ssh.sh install-service
```

You should open a new terminal for the ssh-agent socket to be picked up.
Then run `ssh-add -l` and you should see all your SSH keys.

Remove the service with the following command:

```sh
./keeper-ssh.sh remove-service
```
If you start the daemon and no user is logged in, it will open a prompt.
But if you love unattended installs like me, you can use the `login` command before starting the daemon:

```sh
./keeper-ssh.sh login <email> <password> <server>
```
When you add or remove keys from your vault, you need to re-run the script / restart the service.

- Standalone: `./keeper-ssh.sh stop && ./keeper-ssh.sh start`
- Service: `systemctl --user restart keeper-ssh`
For now this script only supports email-based 2FA.
On first login you should receive an email; click "Approve Device and Location".
One workaround is to log in manually using the unattended login command (see above) and then run the keeper-ssh script.
Suppose you have `main-server` and `dev-server` SSH keys in Keeper.

`~/.ssh/config`:

```
Host main-server.example.com
    ForwardAgent yes
    IdentityFile ~/.ssh/keeper/main-server.pub

Host dev-server.example.com
    ForwardAgent yes
    IdentityFile ~/.ssh/keeper/dev-server.pub
```

Then when you run `ssh user@main-server.example.com`, ssh-agent will only return the main-server private key and not try the dev-server key.
In the same way as `~/.ssh/config`, you can use your public key to sign commits in git:

`~/.gitconfig`:

```ini
[gpg]
    format = ssh
[user]
    signingkey = ~/.ssh/keeper/user.pub
```
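Both config snippets above can be verified without connecting anywhere: `ssh -G` prints the options ssh would apply to a host, so you can see exactly which `IdentityFile` (and therefore which agent key) is selected, and `git config --file` shows what git will pass to ssh-keygen for signing. The following is an added example, not code from the keeper-ssh repository; it assumes OpenSSH's `ssh` and `git` are installed, and the config contents, function names and scratch directory are constructed for the example. The constructed SSH config adds `IdentitiesOnly yes` on top of the README's layout: without it, ssh still offers every other key loaded in the agent after the listed one is rejected.

```shell
#!/bin/sh
# Added example (not part of the keeper-ssh repository).

# Write a ~/.ssh/config-style file into directory $1 mirroring the README's
# two-host layout, with IdentitiesOnly added so only the listed key is offered.
# Prints the path of the file it wrote.
write_sample_ssh_config() {
    cat > "$1/ssh_config" <<EOF
Host main-server.example.com
    ForwardAgent yes
    IdentitiesOnly yes
    IdentityFile $1/keeper/main-server.pub

Host dev-server.example.com
    ForwardAgent yes
    IdentitiesOnly yes
    IdentityFile $1/keeper/dev-server.pub
EOF
    printf '%s\n' "$1/ssh_config"
}

# Print the IdentityFile entries ssh would use for host $2 under config file $1,
# one per line. -F also makes ssh ignore /etc/ssh/ssh_config, so only $1 counts.
resolve_identity() {
    ssh -G -F "$1" "$2" | awk '$1 == "identityfile" { print $2 }'
}

# Write a ~/.gitconfig-style file into directory $1 mirroring the README's layout.
# Prints the path of the file it wrote.
write_sample_gitconfig() {
    cat > "$1/gitconfig" <<EOF
[gpg]
    format = ssh
[user]
    signingkey = $1/keeper/user.pub
EOF
    printf '%s\n' "$1/gitconfig"
}

# Print the SSH signing key git would use under gitconfig $1. Fails if gpg.format
# is not "ssh", because then user.signingkey is interpreted as a GPG key id and
# commit signing silently goes through gpg instead of the Keeper key.
git_signing_key() {
    fmt=$(git config --file "$1" gpg.format) || return 1
    [ "$fmt" = "ssh" ] || return 1
    git config --file "$1" user.signingkey
}
```

On a real machine, `ssh -G main-server.example.com | grep -E '^(identityfile|identitiesonly)'` against your own `~/.ssh/config` is the quick check that the right `.pub` from `~/.ssh/keeper/` is being selected, and `git config gpg.format` should print `ssh` before you trust `git commit -S`.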