This repository works around a limitation in Keeper Commander CLI's ssh-agent implementation.
See Keeper-Security/Commander#965.
ℹ️ Note Keeper's Desktop app does have its own built-in ssh-agent, but it's only available with a KeeperPAM subscription. Keeper Commander, on the other hand, is free — hence this workaround.
- 🖥️ Runs
keeper ssh-agentas a background service usingscreen. - 🔑 Handles the login flow with
zenity. - 🔗 Automatically registers
SSH_AUTH_SOCKin~/.bashrcso ssh-agent is available in every program. - 📤 Automatically extracts a public key file (in
~/.ssh/keeper/) for each SSH private key in your Keeper Vault.
- 🚫 This script never interacts with your SSH keys themselves (feel free to read the code if you have any doubt).
- 🔐 Your Keeper credentials are handled by Keeper Commander and stored in your OS's secure wallet — see Persistent Login Sessions.
| Version | Compatibility |
|---|---|
| 16.X | ❌ |
| 17.X | ❌ |
| 18.X | ✅ |
- ✅ Working and fully tested
- 🟧 Working but not fully tested
- ❔ Not tested
- ❌ Tested and does not work
You can get the code either by downloading a release or by cloning the repository.
Option 1 — GitHub release:
Grab the latest release from the GitHub releases page, then extract it:
tar -xzf keeper-ssh-agent-daemon-<version>.tar.gz
cd keeper-ssh-agent-daemon-<version>Option 2 — Git clone:
git clone https://github.com/AlexisPPLIN/keeper-ssh-agent-daemon.git
cd keeper-ssh-agent-daemonUse the script without a service:
./keeper-ssh.sh start # Start daemon
./keeper-ssh.sh stop # Stop daemon./keeper-ssh.sh install-serviceOpen a new terminal so the ssh-agent socket is picked up, then run:
ssh-add -lYou should see all your SSH keys listed. 🎉
./keeper-ssh.sh remove-serviceIf you start the daemon while no user is logged in, it opens a login prompt. For unattended setups, log in before starting the daemon instead:
./keeper-ssh.sh login <email> <password> <server>After adding or removing keys in your vault, restart the script/service:
- Standalone:
./keeper-ssh.sh stop && ./keeper-ssh.sh start - Service:
systemctl --user restart keeper-ssh
Only email-send 2FA is supported for now.
On first login, you'll receive an email — click Approve Device and Location.
A workaround is to log in manually via Unattended login first, then run the keeper-ssh script.
Say your Keeper Vault has a main-server and a dev-server SSH key. In ~/.ssh/config:
Host main-server.example.com
ForwardAgent yes
IdentityFile ~/.ssh/keeper/main-server.pub
Host dev-server.example.com
ForwardAgent yes
IdentityFile ~/.ssh/keeper/dev-server.pub
Running ssh user@main-server.example.com will make ssh-agent offer only the main-server key, without trying dev-server.
Similarly, you can use your public key to sign Git commits. In ~/.gitconfig:
[gpg]
format = ssh
[user]
signingkey = ~/.ssh/keeper/user.pub