The MCP SSH Orchestrator provides secure, policy-governed SSH access for AI assistants to manage infrastructure with zero-trust architecture and comprehensive audit logging.
Core Capabilities:
Discovery & Inventory: List configured hosts (
ssh_list_hosts), get detailed host information with tags, aliases, and credentials (ssh_describe_host), and verify orchestrator health (ssh_ping)Command Planning: Test commands against security policies before execution using dry-run mode (
ssh_plan)Command Execution: Run commands on individual servers (
ssh_run) or across server groups by tags (ssh_run_on_tag) with policy enforcement and timeout protectionAsynchronous Task Management: Start long-running background tasks (
ssh_run_async), monitor status and progress with real-time output streaming (ssh_get_task_status,ssh_get_task_output), retrieve final results (ssh_get_task_result), and cancel running operations (ssh_cancel,ssh_cancel_async_task)Configuration Management: Hot reload servers, credentials, and policies without service restart (
ssh_reload_config)
Security Features:
Deny-by-default policy enforcement with command whitelisting
IP allowlist validation and network isolation
Command pattern matching to block dangerous operations (rm -rf, dd, privilege escalation, lateral movement)
Host key verification to prevent MITM attacks
Comprehensive JSON audit logs with timestamps, command hashes, and execution metadata
Resource limits with built-in timeouts and cancellation support
Use Cases: Automate server maintenance, manage homelab infrastructure (Proxmox, Docker, NAS), conduct auditable incident response, enable AI-powered DevOps workflows, and provide controlled infrastructure access for platform engineering teams.
Supports containerized deployment with security isolation, resource limits, and non-root execution for safe SSH orchestration operations.
Enables log inspection and monitoring of nginx servers, including error log analysis and service management across web server fleets.
Allows safe management and monitoring of Proxmox virtualization hosts, including disk usage checks and routine maintenance tasks with policy-controlled access.
Enables secure management and monitoring of TrueNAS storage systems through SSH with policy-based access controls.
What Problem Does This Solve?
Imagine this: Your AI assistant (Claude, ChatGPT, etc.) can access your servers, but you're terrified of what it might do. rm -rf /? Delete your databases? Change firewall rules?
Now imagine this: Your AI has governed, auditable access to your infrastructure. It can check logs, restart services, and manage your fleet, but only if your security policies allow it.
That's exactly what MCP SSH Orchestrator provides: the power of AI-driven server management with deny-by-default access control, IP allowlists, host key verification, and comprehensive audit logging backed by declarative YAML policy-as-code (.
Why This Matters
Zero-Trust Security Model
Deny-by-default: Nothing runs unless explicitly allowed
Network controls: IP allowlists prevent lateral movement
Command whitelisting: Only approved commands can execute
Declarative policy-as-code: Versioned YAML files define hosts, credentials, and allowed commands
Comprehensive audit trails: Every action is logged in JSON
Prevents Common Attack Vectors
Dangerous commands blocked:
rm -rf,dd, file deletionsNetwork isolation: Servers can't access external internet
No privilege escalation: Runs as non-root in containers
Resource limits: CPU and memory caps prevent DOS
Production-Ready Audit & Security
OWASP LLM Top 10 protected: Mitigates LLM07 (Insecure Plugin Design), LLM08 (Excessive Agency), LLM01 (Prompt Injection)
MITRE ATT&CK aligned: Prevents T1071 (Application Layer Protocol), T1659 (Content Injection)
Structured JSON audit logs: Complete audit trail with timestamps, hashes, and IPs
Forensics ready: Command hashing, IP tracking, detailed metadata
Real-time monitoring: Progress logs for long-running tasks
Who Is This For?
Homelab Enthusiasts
Automate routine server maintenance with AI
Safely manage Proxmox, TrueNAS, Docker hosts
Get help troubleshooting without losing SSH security
Security Engineers
Audit and control AI access to infrastructure
Implement zero-trust principles with declarative policy-as-code configs
Meet compliance requirements with structured logging
DevOps Teams
Let AI handle routine tasks: log checks, service restarts, updates
Manage fleets of servers through conversational interface
Reduce manual toil while maintaining security standards
Platform Engineers
Enable AI-powered infrastructure management
Provide secure self-service access to developers
Bridge the gap between AI and infrastructure securely
Real-World Use Cases
Scenario 1: Homelab Automation (Homelab Enthusiasts)
You say: "Claude, my Proxmox host is running slow. Can you check disk usage and memory on all my VMs?"
What happens
Policy allows
df -handfree -mon Proxmox hostsNetwork check: Private IP allowlist permits access
Tag-based execution checks all hosts tagged
proxmoxCommands execute safely with no destructive operations
Complete audit trail stored in JSON logs
Scenario 2: Incident Response (DevOps Teams)
You say: "We're seeing 500 errors. Check nginx logs across all production web servers and show me the last 100 error lines."
What happens
Tag-based execution:
tail -n 100 /var/log/nginx/error.logruns on allweb-prodserversNetwork isolation enforced: No external API calls or egress allowed
Real-time progress logs stream via MCP context events
Structured output aggregates results for quick triage
Full audit trail with timestamps for post-incident review
Scenario 3: Fleet-Wide Maintenance (Platform Engineers)
You say: "Update system packages on all staging servers, but show me what would change first before running the upgrade."
What happens
Use
ssh_planto previewapt list --upgradableacrossstagingtagged hostsReview dry-run output to see pending updates
Policy validates
apt update && apt upgrade -yis allowed on stagingTag-based execution runs upgrade on all staging servers in parallel
Audit logs track which servers were updated and when
Quick Start
1. Prepare local configuration (one-time)
If you prefer to lay things out manually, follow the steps below.
2. Launch the orchestrator container
Restart later with docker start mcp-ssh-orchestrator. Prefer disposable containers? Use docker run -i --rm ... instead.
3. Connect your MCP client
Cursor: Add to
~/.cursor/mcp.json
Claude Desktop (macOS): Update
~/Library/Application Support/Claude/claude_desktop_config.json
(Windows path: %APPDATA%\\Claude\\claude_desktop_config.json.)
More examples (Docker Desktop, multi-environment, SDK usage) live in the Integrations guide.
4. Test the connection
Cursor/Claude should now show the orchestrator as connected. Jump to the Usage Cookbook for guided scenarios.
How Security Works (The Technical Details)
Policy-as-code workflow: config/servers.yml, config/credentials.yml, and config/policy.yml are parsed on startup, enforced during every ssh_* tool invocation, and mirrored in the structured audit logs so the same declarative files you review in Git gate what your AI can execute.
Defense-in-Depth Architecture
What Gets Blocked
What Gets Allowed (Examples)
Protection Against Real Threats
MCP SSH Orchestrator directly addresses documented vulnerabilities in the MCP ecosystem:
CVE-2025-49596: Localhost-exposed MCP services → Mitigated with stdio-only transport
CVE-2025-6514: Command injection in MCP servers → Mitigated with policy-based validation
43% of MCP servers have command injection flaws → Zero-trust security model
Full Security Model Documentation | Security Risks Analysis
Documentation
Complete Documentation Wiki
Section | What You'll Learn |
Practical examples and common workflows | |
How it works under the hood | |
Zero-trust design and controls | |
Setting up hosts, credentials, policies | |
Logging, monitoring, compliance | |
Production setup guide |
Supply Chain Integrity
Signed release artifacts: Every tarball/zip in GitHub Releases ships with a detached GPG signature produced by the maintainer key (openpgp4fpr:6775BF3F439A2A8A198DE10D4FC5342A979BD358). Import the key and verify before unpacking:
Cosign-signed container images: The images under ghcr.io/samerfarida/mcp-ssh-orchestrator are signed via Sigstore keyless signing in the release workflow. Verify the signature (and optional attestations) before deploying:
Image digests and signatures are published with every tag in GitHub Packages so you can pin exact references when promoting builds between environments (package feed).
OpenSSF Scorecard: The repository maintains an automated Scorecard run to track security posture across dependencies, build settings, branch protections, and more (scorecard summary).
What Can AI Do With This? (MCP Tools)
Your AI assistant gets 13 powerful tools with built-in security:
Discovery & Planning
ssh_list_hosts- See all available serversssh_describe_host- Get host details and tagsssh_plan- Test commands before running (dry-run mode)
Execution
ssh_run- Execute single command on one serverssh_run_on_tag- Run command on multiple servers (e.g., all "web" servers)ssh_run_async- Start long-running tasks in background
Monitoring & Control
ssh_get_task_status- Check progress of async tasksssh_get_task_output- Stream output in real-timessh_get_task_result- Get final result when donessh_cancel- Stop a running synchronous task safelyssh_cancel_async_task- Stop a running async task safely
Management
ssh_reload_config- Update hosts/credentials without restartssh_ping- Verify connectivity to a host
MCP Resources + Context
ssh://hosts– discover sanitized host inventory (alias, tags, description, credential presence)ssh://host/{alias}– inspect a single host without exposing credentialsssh://host/{alias}/tags– fetch tag-only view for planning tag executionsssh://host/{alias}/capabilities– derived policy summary, limits, and sample command allowances per host
Context-aware logging: Streams lightweight ctx.debug / ctx.info events (task start, completion, cancellations) in supported clients for ssh_run, ssh_run_on_tag, config reloads, and async task polling—all without exposing raw commands or secrets.
LLM-friendly hints: Policy/network denials (and ssh_plan previews) include helpful hints so assistants automatically retry with ssh_plan, consult the orchestrator prompts, or ask whether a policy/network update is appropriate instead of looping on blocked commands.
Complete Tools Reference with Examples
Learn More
Key Differentiators
Production-Ready Security: OpenSSF Scorecard 7.5+ score
Zero-Trust Architecture: Deny-by-default, allow-by-exception
OWASP LLM Top 10 Protected: Mitigates insecure plugin design, excessive agency, prompt injection
MITRE ATT&CK Aligned: Prevents content injection and unauthorized protocol usage
Security-Focused: Built on security-first principles against real CVEs (CVE-2025-49596, CVE-2025-6514)
Easy Integration: Works with Claude, ChatGPT, and any MCP client
Open Source: Apache 2.0 licensed, community-driven
What Users Are Saying
"Finally, I can let Claude manage my Proxmox cluster without fear!" - Homelab Admin
"This is what infrastructure-as-code should have been. Declarative security for AI access." - Platform Engineer
"The structured audit logs make incident response so much easier." - Security Engineer
Contributing
We welcome contributions! See our Contributing Guide for:
Development setup
Code of conduct
How to submit PRs
Architecture decisions
License
Apache 2.0 - See LICENSE for details.
Links
GitHub Repository - Star us on GitHub!
Issue Tracker - Report bugs or request features
CHANGELOG - Version history and release notes
MCP Specification - Learn about MCP
Docker MCP Security Guide - Security best practices