MCP SSH Orchestrator

SECURITY.md•24.8 KiB

# Security Guide This document provides security guidance for deploying and operating mcp-ssh-orchestrator in production environments. ## Threat Model ### Assets - **SSH Private Keys**: Used for authentication to target hosts - **Credentials**: Passwords, passphrases, and other secrets - **Target Hosts**: SSH servers under management - **Command History**: Audit logs of executed commands - **Configuration**: Policy rules and host inventory ### Threats 1. **Unauthorized Command Execution**: Attacker gains ability to run arbitrary commands 2. **Credential Theft**: SSH keys or passwords are exposed 3. **Lateral Movement**: Attacker pivots from compromised host to others 4. **Data Exfiltration**: Sensitive output is leaked 5. **Denial of Service**: Resource exhaustion or service disruption 6. **Policy Bypass**: Circumventing allow/deny rules ### Mitigations All threats are addressed through defense-in-depth controls documented below. ## Authentication & Credentials ### Path Traversal Protection **Security Enhancement:** All credential and key path resolution includes path traversal protection to prevent unauthorized file access. #### Secret Path Protection Secret names and paths are validated to prevent directory traversal attacks: 1. **Secret Name Validation**: Only alphanumeric characters, dashes, and underscores are allowed ```yaml # ✅ Valid secret names password_secret: "prod_password" password_secret: "key-passphrase-2024" password_secret: "admin_password_1" # ❌ Invalid (will be rejected) password_secret: "../etc/passwd" # Path traversal password_secret: "/absolute/path" # Absolute path password_secret: "secret.name" # Special characters ``` 2. **Path Normalization**: All paths are normalized and validated to stay within `/app/secrets` - Relative paths are resolved relative to secrets directory - Absolute paths are rejected for secrets - Paths containing `../` or `..\\` are blocked 3. **Security Event Logging**: Path traversal attempts are logged for monitoring: ```json { "level": "error", "kind": "security_event", "type": "path_traversal_attempt", "secret_name": "../etc/passwd", "reason": "path_outside_allowed_directory" } ``` #### SSH Key Path Protection SSH key paths include similar protections: 1. **Traversal Pattern Detection**: Paths containing `..` patterns are rejected ```yaml # ✅ Valid key paths key_path: "id_ed25519" key_path: "prod_key" key_path: "/app/keys/id_ed25519" # Absolute within keys_dir # ❌ Invalid (will be rejected) key_path: "../outside_key" # Path traversal key_path: "/etc/passwd" # Outside keys_dir key_path: "key/../../etc/passwd" # Encoded traversal ``` 2. **Absolute Path Validation**: Absolute paths must be within the configured `keys_dir` - Paths outside `/app/keys` (or custom keys_dir) are rejected - Prevents accessing keys from other locations 3. **Security Event Logging**: All path traversal attempts are logged with full context **Effect**: Prevents reading files outside intended directories, blocking common path traversal attack vectors. #### File Type Validation All resolved paths are validated to ensure they are regular files: 1. **Directory Rejection**: Paths pointing to directories are rejected ```yaml # ❌ Invalid (will be rejected) password_secret: "subdirectory" # Points to a directory, not a file ``` 2. **Symlink Rejection**: Symbolic links are rejected for security ```yaml # ❌ Invalid (will be rejected) password_secret: "symlink_secret" # Points to a symlink, not a regular file ``` **Why reject symlinks?** Symlinks can be manipulated to point outside the allowed directory or to sensitive files, creating security risks. 3. **Regular File Requirement**: Only regular files within the allowed directory are accepted - Non-existent files are allowed for SSH keys (validated when used) - Secrets must exist as regular files (immediate read required) - All paths must stay within their designated directories 4. **Security Event Logging**: File validation failures are logged: ```json { "level": "error", "kind": "security_event", "type": "file_validation_failed", "file_path": "/app/secrets/subdirectory", "reason": "path_is_directory" } ``` **Effect**: Prevents accessing directories or symlinks that could lead to security vulnerabilities or unauthorized access. #### YAML File Size Limits All YAML configuration files are validated for size before loading to prevent resource exhaustion attacks: 1. **Size Limit**: Maximum file size of 10MB per YAML file - Applies to: `servers.yml`, `credentials.yml`, `policy.yml` - Prevents resource exhaustion via oversized configuration files - Files exceeding limit are rejected with security event logging 2. **Size Validation**: File size is checked using `os.path.getsize()` before parsing - Prevents loading files into memory if they exceed the limit - Returns empty dictionary on size limit violation - No YAML parsing performed if file is too large 3. **Security Event Logging**: Size limit violations are logged: ```json { "level": "error", "kind": "security_event", "type": "file_size_limit_exceeded", "path": "/app/config/servers.yml", "file_size": 10485761, "max_size": 10485760, "reason": "yaml_file_too_large" } ``` 4. **Normal Operation**: Files at or below the 10MB limit load normally - 10MB is sufficient for typical configuration files - Large configuration files (multiple thousands of hosts) are supported - Prevents abuse while allowing legitimate use cases **Effect**: Prevents resource exhaustion attacks via oversized YAML files that could consume excessive memory or processing time. #### Input Validation for User-Controlled Parameters All user-controlled parameters are validated before processing to prevent injection attacks and resource exhaustion: 1. **Alias Validation**: - Length limit: 100 characters - Allowed characters: alphanumeric, dash (`-`), underscore (`_`), dot (`.`) - Rejects empty values - Applied to: `ssh_describe_host`, `ssh_plan`, `ssh_run`, `ssh_run_async` 2. **Command Validation**: - Length limit: 10,000 characters - Rejects null bytes (`\x00`) - common injection vector - Rejects control characters (except newline `\n`, tab `\t`, carriage return `\r`) - Allows legitimate multi-line commands - Applied to: `ssh_plan`, `ssh_run`, `ssh_run_on_tag`, `ssh_run_async` 3. **Tag Validation**: - Length limit: 50 characters - Allowed characters: alphanumeric, dash (`-`), underscore (`_`), dot (`.`) - Rejects empty values - Applied to: `ssh_run_on_tag` 4. **Task ID Validation**: - Length limit: 200 characters - Allowed characters: alphanumeric, colon (`:`), dash (`-`), underscore (`_`) - Format validation: expected pattern `alias:hash:timestamp` - Applied to: `ssh_cancel`, `ssh_get_task_status`, `ssh_get_task_result`, `ssh_get_task_output`, `ssh_cancel_async_task` 5. **Security Event Logging**: Invalid input attempts are logged: ```json { "level": "error", "msg": "security_event", "type": "null_byte_injection_attempt", "field": "command" } ``` **Effect**: Prevents injection attacks (null bytes, control characters) and resource exhaustion (length limits) via malformed user inputs. #### Input Length Limits for Configuration Parameters String parameters in configuration files have length limits to prevent resource exhaustion: 1. **Secret Names** (`credentials.yml`): - Maximum length: 100 characters - Validated in `_resolve_secret()` function - Rejects names exceeding limit with security event logging 2. **SSH Key Paths** (`credentials.yml`): - Maximum length: 500 characters - Validated in `_resolve_key_path()` function - Rejects paths exceeding limit with security event logging 3. **MCP Tool Parameters** (from PR6): - **Alias**: Maximum 100 characters - **Command**: Maximum 10,000 characters - **Tag**: Maximum 50 characters - **Task ID**: Maximum 200 characters 4. **Length Validation Order**: Length validation occurs before other validations (character validation, path traversal checks) to prevent processing of oversized inputs. 5. **Security Event Logging**: Length limit violations are logged: ```json { "level": "error", "kind": "security_event", "type": "input_length_limit_exceeded", "field": "secret_name", "length": 150, "max_length": 100, "reason": "secret_name_too_long" } ``` **Effect**: Prevents resource exhaustion attacks via oversized string inputs in configuration files and user-controlled parameters. #### DNS Rate Limiting DNS resolution is rate-limited and cached to prevent DNS-based DoS attacks: 1. **Rate Limiting**: - Maximum 10 DNS resolutions per second per hostname - Per-hostname rate limiting (different hostnames have separate limits) - Time-window based (sliding 1-second window) - Exceeding limit returns empty list (no IPs resolved) 2. **Result Caching**: - DNS results cached for 60 seconds (TTL) - Cached results returned immediately without DNS lookup - Reduces load on DNS servers - Caches both successful and failed resolutions (prevents repeated lookups for invalid hostnames) 3. **Timeout Protection**: - DNS resolution timeout: 5 seconds - Prevents hanging on slow or unresponsive DNS servers - Failed resolutions return empty list 4. **Rate Limit Logging**: Rate limit violations are logged: #### Command Denial Bypass Prevention Command denial logic has been enhanced to prevent bypass attempts via obfuscation: 1. **Command Normalization**: - Removes single and double quotes from commands - Removes escaped characters (e.g., `\ ` becomes space) - Normalizes whitespace (collapses multiple spaces/tabs to single space) - Applied before checking against `deny_substrings` list 2. **Dual Checking**: - Checks original command string (maintains existing behavior) - Checks normalized command string (catches obfuscated bypass attempts) - Both checks must pass for command to be allowed 3. **Token-Based Matching**: - Splits normalized command into tokens - Checks for exact token matches against deny patterns - Prevents partial bypasses (e.g., `rm -rf /var` vs `rm -rf /`) 4. **Bypass Attempt Detection**: Commands that would bypass original checking but are caught by normalization are logged: ```json { "level": "error", "msg": "security_event", "type": "dns_rate_limit_exceeded", "hostname": "malicious-host.example.com", "max_per_second": 10 } ``` 5. **Thread Safety**: Rate limiter and cache are thread-safe for concurrent access. **Effect**: Prevents DNS-based DoS attacks by limiting resolution frequency and caching results, reducing load on DNS infrastructure. "type": "command_bypass_attempt", "alias": "web1", "original_command": "'rm -rf /'", "normalized_command": "rm -rf /", "blocked_pattern": "rm -rf /" } ``` 5. **Supported Bypass Techniques Prevented**: - Quote obfuscation: `'rm -rf /'`, `"rm -rf /"` - Escaped characters: `rm\ -rf\ /` - Whitespace variations: `rm -rf /`, `rm\t-rf\t/` - Mixed techniques: `echo "rm\\ -rf\\ /"` 6. **Limitations**: - Perfect prevention would require full command parsing - Complex obfuscation (base64 encoding, variable substitution) may still bypass - Focus is on common bypass techniques, not all possible obfuscation methods **Effect**: Significantly reduces risk of command denial bypasses through common obfuscation techniques (quotes, escaping, whitespace). ### SSH Key Management **Best Practices:** 1. **Use Ed25519 Keys**: Prefer `ed25519` over RSA for modern security ```bash ssh-keygen -t ed25519 -f ~/.ssh/mcp_orchestrator -C "mcp-ssh-orchestrator" ``` 2. **Key Permissions**: Set private keys to read-only for owner ```bash chmod 0400 /path/to/keys/id_ed25519 ``` 3. **Separate Keys**: Use dedicated keys for the orchestrator (not your personal keys) 4. **Key Rotation**: Rotate keys periodically (quarterly recommended) 5. **Passphrase Protection**: Use passphrases for private keys ```yaml # credentials.yml entries: - name: prod_admin username: ubuntu key_path: id_ed25519 key_passphrase_secret: prod_key_passphrase ``` ### Password Authentication **Avoid password authentication when possible.** If required: 1. **Use Secrets**: Never hardcode passwords in YAML ```yaml # credentials.yml entries: - name: legacy_system username: admin password_secret: legacy_password # Resolved from secret ``` 2. **Secret Resolution Order**: - Environment variable: `MCP_SSH_SECRET_<NAME>` (uppercase) - Docker secret file: `/app/secrets/<name>` 3. **Strong Passwords**: Minimum 16 characters, high entropy 4. **Limited Scope**: Use password auth only for hosts that don't support keys ### Secrets Storage **Docker Secrets (Recommended for Production):** ```bash # Create secret echo "my-passphrase" | docker secret create ssh_key_passphrase - # Use in Docker Compose services: mcp-ssh: secrets: - ssh_key_passphrase secrets: ssh_key_passphrase: external: true ``` **Environment Variables (Development Only):** ```bash docker run -i --rm \ -e MCP_SSH_SECRET_ADMIN_PASSWORD="dev-password" \ ghcr.io/samerfarida/mcp-ssh-orchestrator:0.1.0 ``` **File-Based Secrets (Simple Deployments):** ```bash # Create secrets directory mkdir -p ~/mcp-ssh/secrets chmod 0700 ~/mcp-ssh/secrets # Add secret echo "passphrase" > ~/mcp-ssh/secrets/key_passphrase chmod 0400 ~/mcp-ssh/secrets/key_passphrase ``` ## Network Security ### Host Key Verification **Always enable in production:** ```yaml # policy.yml limits: require_known_host: true network: require_known_host: true # Overrides limits setting ``` **Populate known_hosts:** ```bash # Scan host keys ssh-keyscan -H 10.0.0.11 >> ~/mcp-ssh/keys/known_hosts ssh-keyscan -H 10.0.0.21 >> ~/mcp-ssh/keys/known_hosts # Or copy from existing cp ~/.ssh/known_hosts ~/mcp-ssh/keys/ ``` **Effect**: Prevents MITM attacks by verifying host identity before connection. ### IP Allowlisting **Restrict SSH targets to known networks:** ```yaml # policy.yml network: # Allow only RFC1918 private networks allow_cidrs: - "10.0.0.0/8" - "172.16.0.0/12" - "192.168.0.0/16" # Block specific IPs block_ips: - "10.10.10.10" ``` **Two-Stage Verification:** 1. **Pre-Connect**: DNS resolution must match allowlist 2. **Post-Connect**: Actual peer IP must match allowlist **Effect**: Prevents connections to unexpected IPs, mitigates DNS poisoning. ### Egress Controls **Block lateral movement tools by default:** ```yaml # policy.yml limits: deny_substrings: - "ssh " - "scp " - "rsync -e ssh" - "curl " - "wget " - "nc " - "nmap " ``` **Effect**: Prevents compromised hosts from initiating outbound connections. ## Policy Enforcement ### Deny-by-Default **Start with no access, add only what's needed:** ```yaml # policy.yml rules: # Allow safe read-only commands - action: "allow" aliases: ["*"] tags: [] commands: - "uname*" - "uptime*" - "df -h*" # All other commands denied by default ``` ### Glob Pattern Safety **Use specific patterns to avoid overly broad matches:** ```yaml # BAD: Too permissive commands: - "*" # GOOD: Specific commands commands: - "systemctl status nginx" - "systemctl restart nginx" ``` ### Environment Separation **Use tags to separate production from non-production:** ```yaml # Policy for production rules: - action: "allow" aliases: [] tags: ["production"] commands: - "uptime*" - "df -h*" - action: "deny" aliases: [] tags: ["production"] commands: - "systemctl restart*" # Denied on prod # Policy for staging (more permissive) rules: - action: "allow" aliases: [] tags: ["staging"] commands: - "systemctl restart*" # Allowed on staging ``` ### Per-Host Overrides **Apply stricter limits to sensitive hosts:** ```yaml # policy.yml overrides: aliases: prod-db-1: max_seconds: 20 # Shorter timeout max_output_bytes: 262144 # Smaller output cap require_known_host: true # Strict host key check ``` ## Execution Limits ### Timeout Enforcement **Prevent runaway commands:** ```yaml # policy.yml limits: max_seconds: 60 # Global default overrides: tags: production: max_seconds: 30 # Stricter for prod longrun: max_seconds: 300 # Exception for maintenance ``` ### Output Size Caps **Prevent memory exhaustion:** ```yaml # policy.yml limits: max_output_bytes: 1048576 # 1 MiB default overrides: aliases: log-server: max_output_bytes: 10485760 # 10 MiB for log hosts ``` ### Deny Dangerous Substrings **Block destructive commands:** ```yaml # policy.yml limits: deny_substrings: - "rm -rf /" - ":(){ :|:& };:" # Fork bomb - "mkfs " - "dd if=/dev/zero" - "shutdown" - "reboot" - "userdel" - "passwd" ``` ## Container Security ### Non-Root Execution Container runs as UID 10001 (non-root): ```dockerfile RUN useradd -u 10001 -m appuser USER appuser ``` **Effect**: Limits damage if container is compromised. ### Read-Only Mounts **Mount configuration and keys as read-only:** ```bash docker run -i --rm \ -v ~/mcp-ssh/config:/app/config:ro \ -v ~/mcp-ssh/keys:/app/keys:ro \ ghcr.io/samerfarida/mcp-ssh-orchestrator:0.1.0 ``` **Effect**: Prevents accidental or malicious modification of config/keys. ### Minimal Base Image Uses `python:3.13-slim`: - Smaller attack surface - Fewer packages to patch - Reduced image size ### Health Checks ```dockerfile HEALTHCHECK --interval=30s --timeout=5s --start-period=10s --retries=3 \ CMD python -c "import mcp_ssh" || exit 1 ``` **Effect**: Early detection of container failures. ## Audit & Monitoring ### Security Audit Logging Security-relevant events are logged to stderr in structured JSON format via `_log_security_event()`: **Security Audit Log Format:** ```json { "level": "error", "kind": "security_audit", "type": "security_event", "event_type": "path_traversal_attempt", "ts": 1762112167.394149, "timestamp": "2025-11-02T14:36:07-0500", "attempted_path": "../etc/passwd", "resolved_path": "/app/secrets/../etc/passwd", "reason": "path_outside_allowed_directory", "base_dir": "/app/secrets" } ``` **Event Types Logged:** - `path_traversal_attempt`: Path traversal detected in secret/key resolution - `file_validation_failed`: Directory/symlink/non-file paths rejected - `file_size_limit_exceeded`: Oversized YAML files rejected - `input_length_limit_exceeded`: Oversized string inputs rejected - `invalid_secret_name`: Invalid characters in secret names - `dns_rate_limit_exceeded`: DNS resolution rate limit violations - `command_bypass_attempt`: Command denial bypass attempts detected **Audit Log Fields:** - `ts`: Unix timestamp (float) - `timestamp`: ISO 8601 formatted timestamp (string) - `attempted_path`: Original input that triggered the event - `resolved_path`: Resolved/absolute path (if applicable) - `reason`: Human-readable reason for the security event - `additional_data`: Event-specific context (sizes, limits, patterns, etc.) **Security Monitoring:** All security audit events are written to stderr for log aggregation and SIEM integration. ### Command Execution Audit Logging All operations logged to stderr as JSON: ```json { "type": "audit", "ts": 1729512345.67, "alias": "prod-web-1", "hash": "a1b2c3d4e5f6", "exit_code": 0, "duration_ms": 123, "bytes_out": 45, "bytes_err": 0, "cancelled": false, "timeout": false, "target_ip": "10.0.0.11" } ``` **Fields:** - `type`: Event type (audit, policy_decision, progress) - `ts`: Unix timestamp - `alias`: Target host - `hash`: Command hash (first 12 chars of SHA256) - `exit_code`: Command exit status - `duration_ms`: Execution time - `bytes_out/bytes_err`: Output size - `cancelled/timeout`: Termination reason - `target_ip`: Actual peer IP connected ### Log Collection **Docker Compose with logging driver:** ```yaml services: mcp-ssh: logging: driver: "json-file" options: max-size: "10m" max-file: "3" ``` **Forward to SIEM:** ```bash docker logs -f mcp-ssh-orchestrator 2>&1 | \ jq -r 'select(.type == "audit") | @json' | \ curl -X POST https://siem.example.com/ingest -d @- ``` ### Monitoring Recommendations **Alert on:** - Policy denials (especially repeated) - Timeouts - Non-zero exit codes on critical hosts - Unexpected target IPs - High-privilege commands (sudo, systemctl) **Metrics to track:** - Commands per hour - Success rate by host - Average duration - Policy violation rate ## Incident Response ### Compromised Key 1. **Immediately revoke** the key on all target hosts: ```bash # Remove from authorized_keys on each host ssh user@host "sed -i '/mcp-orchestrator/d' ~/.ssh/authorized_keys" ``` 2. **Rotate keys**: ```bash # Generate new key ssh-keygen -t ed25519 -f new_key # Deploy to hosts for host in $(cat hosts.txt); do ssh-copy-id -i new_key.pub user@$host done ``` 3. **Update configuration**: ```yaml # credentials.yml entries: - name: prod_admin key_path: new_key # Updated ``` 4. **Review audit logs** for unauthorized usage ### Policy Bypass Detected 1. **Stop the orchestrator** immediately 2. **Review policy rules** for gaps 3. **Check audit logs** for pattern 4. **Patch policy**: ```yaml # Add deny rule for bypass technique limits: deny_substrings: - "<bypass pattern>" ``` 5. **Reload config**: `ssh_reload_config` ### Unauthorized Access 1. **Check who accessed**: ```bash # Audit log analysis jq -r 'select(.alias == "compromised-host") | [.ts, .hash, .target_ip] | @tsv' < audit.log ``` 2. **Identify command hashes** executed 3. **Correlate with target host logs** 4. **Contain affected hosts** 5. **Rotate credentials** ## Security Framework Alignment ### OWASP LLM Top 10 Coverage **LLM07: Insecure Plugin Design** ✅ - Policy-based command validation prevents unauthorized execution - Input sanitization and dangerous command blocking - Access control for AI plugin operations **LLM08: Excessive Agency** ✅ - Role-based restrictions via host tags - Deny-by-default security model - Command pattern matching limits autonomous actions **LLM01: Prompt Injection Mitigation** - SSH command validation prevents injection attacks - Network egress controls block unauthorized connections - DNS verification prevents DNS rebinding attacks ### MITRE ATT&CK Alignment - **T1071**: Application Layer Protocol (SSH monitoring) - **T1071.004**: DNS (DNS resolution verification) - **T1659**: Content Injection (policy-based command filtering) ### Security Features Supporting Compliance This tool provides security controls that can support organizations seeking compliance with frameworks like SOC 2, ISO 27001, PCI-DSS, and HIPAA: **Access Control & Audit** - Policy enforcement provides least-privilege access - JSON logs provide non-repudiation and complete audit trails - All administrative access logged **Encryption & Network Security** - SSH provides transport encryption - Ed25519/RSA keys for strong cryptography - IP allowlists enforce network segmentation **Secrets Management** - Docker secrets or environment variables (not hardcoded) - No persistent credential storage **Note**: Compliance is ultimately the responsibility of the deploying organization. This tool provides security features that can support compliance efforts but is not itself certified to these standards. ## Security Checklist **Before Production Deployment:** - [ ] Use Ed25519 or RSA 4096-bit keys - [ ] Set private key permissions to 0400 - [ ] Enable `require_known_host: true` - [ ] Populate known_hosts file - [ ] Configure IP allowlists (allow_cidrs) - [ ] Enable deny_substrings for dangerous commands - [ ] Use deny-by-default policy model - [ ] Mount config and keys as read-only (:ro) - [ ] Use Docker secrets or env vars (not hardcoded passwords) - [ ] Set up audit log collection - [ ] Configure alerting on policy violations - [ ] Document incident response procedures - [ ] Test policy with `ssh_plan` before `ssh_run` - [ ] Separate production from non-production (tags) - [ ] Set appropriate timeouts and output limits - [ ] Review and minimize container privileges - [ ] Enable Docker health checks - [ ] Use specific command patterns (avoid overly broad globs) - [ ] Rotate keys quarterly - [ ] Keep Docker image updated ## Reporting Security Issues **Do not open public issues for security vulnerabilities.** Email: security@example.com (replace with your contact) Include: - Description of vulnerability - Steps to reproduce - Potential impact - Suggested fix (optional) We aim to respond within 48 hours and patch critical issues within 7 days.

Loading blob content...

Latest Blog Posts

Redis vs ioredis vs valkey-glide
By punkpeye on January 26, 2026.
benchmark
Redis
valkey
Quickstart: Publish an MCP Server to the MCP Registry
By punkpeye on January 24, 2026.
mcp
official reference mirror
Official MCP Registry Server.json Requirements
By punkpeye on January 24, 2026.
mcp
official reference mirror

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/samerfarida/mcp-ssh-orchestrator'

If you have feedback or need assistance with the MCP directory API, please join our Discord server

SECURITY.md•24.8 KiB