SSH MCP Server
The SSH MCP server enables AI agents to manage SSH environments, diagnose connectivity issues, and perform remote operations securely.
SSH Environment Management & Diagnostics
Ensure SSH agent is running, list/load SSH keys, resolve SSH config (including ProxyJump/bastion hosts)
Fix stale
known_hostsentries, test Git-over-SSH authentication (GitHub, GitLab, etc.), and run quick connectivity checksFull SSH diagnostics (
ssh_diagnose) — comprehensive check of agent, keys, config, known_hosts, and connectivity with exact fix commands
Remote Command Execution
Run shell commands on a remote host (
ssh_exec) with support for pipes, env vars, and configurable timeoutsExecute commands in parallel across multiple hosts (
ssh_multi_exec) with per-host resultsConfigurable command whitelist/blacklist policies for security
Remote File Operations (SFTP)
Read, write, upload, and download files
List directories, get file metadata (size, permissions, timestamps)
Create directories (with recursive
-psupport) and delete files or empty directories
Higher-Level Remote Operations
Search for files (
ssh_find) with filters for name, type, size, depth, and modification timeTail log files (
ssh_tail) with optional grep filteringCheck systemd service status (
ssh_service_status) — state, PID, uptime, and description
Key Features
Connection pooling — reuses SSH connections automatically (60s idle timeout, 100 connection cap)
Host key verification — TOFU on first connect, MITM protection on subsequent connections
Auto-diagnostics — failed operations automatically include diagnostic hints in error responses
Windows support — detects OpenSSH Authentication Agent via named pipe
Facilitates Ansible deployments by managing SSH keys, agent, and connectivity, resolving host key issues and ensuring reliable SSH access to target hosts.
Ensures Git-over-SSH authentication to Bitbucket by managing SSH keys, diagnosing permission errors, and fixing known host key issues so that git pull/push/clone works.
Enables Composer to install packages from private repositories over SSH by loading the correct SSH keys into the agent and diagnosing authentication failures.
Supports SSH access to DigitalOcean droplets by managing SSH keys, host keys, and providing diagnostics to resolve connection issues.
Resolves Git-over-SSH authentication failures for clone, pull, push, and other operations by managing the SSH agent, keys, and known hosts.
Ensures Git-over-SSH authentication to GitHub by managing SSH keys, diagnosing permission errors, and fixing known host key issues.
Ensures Git-over-SSH authentication to GitLab by managing SSH keys, diagnosing permission errors, and fixing known host key issues.
Enables npm to install packages from private registries over SSH by managing SSH agent, keys, and resolving authentication failures.
Facilitates Terraform operations on remote hosts by managing SSH keys, agent, and connectivity diagnostics to ensure secure and reliable access.
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@SSH MCP Serverrun df -h on my production server"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
@yawlabs/ssh-mcp
Make SSH work for AI tools. MCP server that manages your SSH environment, diagnoses what's broken, fixes it, and gives your agent remote access to anything.
Built and maintained by Yaw Labs.
One click adds this to your local Yaw MCP config so it's available in every Yaw Terminal session. Or install manually below.
The problem
AI CLI tools run in subprocesses where SSH is constantly broken. The agent tries to git pull and gets Permission denied (publickey). It tries to SSH into a server and the agent socket is stale. It tries to deploy and the host key changed because the instance was recreated. Every time, the AI has no idea what's wrong and spirals.
This happens across every situation that needs SSH keys:
Git — clone, pull, push, fetch, submodules, LFS
Package managers —
npm install,pip install,go get,cargo,composerfrom private reposServer access — SSH, SCP, SFTP, rsync
Tunneling — port forwarding to databases, SOCKS proxies
Deployment — Ansible, Terraform, Capistrano, deploy scripts
Cloud — AWS EC2, GCP, Azure, DigitalOcean, any VPS
ssh-mcp fixes this. It manages the SSH agent, loads keys, diagnoses failures with actionable fix commands, and provides remote operations — all as MCP tools your AI agent can call.
Related MCP server: Scout MCP
Quick start
Add to your MCP client config:
{
"mcpServers": {
"ssh": {
"command": "npx",
"args": ["-y", "@yawlabs/ssh-mcp@latest"]
}
}
}On Windows wrap with cmd /c since Node 20+ can't spawn .cmd files directly:
{
"mcpServers": {
"ssh": {
"command": "cmd",
"args": ["/c", "npx", "-y", "@yawlabs/ssh-mcp@latest"]
}
}
}The @latest tag makes npx re-resolve against the registry on every spawn, so each MCP session uses the newest published version. Or install globally if you'd rather pin (no auto-update):
npm install -g @yawlabs/ssh-mcp
# then in client config: "command": "ssh-mcp"Tools
SSH environment management
Tools that fix your local SSH setup so everything else — git, deploys, tunnels — stops breaking.
Tool | Description |
| Ensure ssh-agent is running. Starts one if needed and sets env vars for the session. |
| List all SSH keys in ~/.ssh/ with type, fingerprint, and agent status. |
| Load a key into the running agent. Ensures the agent is started first. |
| Resolve the effective SSH config for a host (hostname, user, port, proxy, identity files). |
| Remove a stale host key and re-scan. Fixes "host key verification failed" errors. |
| Test Git-over-SSH auth to GitHub, GitLab, Bitbucket, etc. |
| Quick connectivity test with timing and actionable error details. |
Diagnostics
Tool | Description |
| Full SSH environment diagnostic. Checks agent, keys, config, known_hosts, and connectivity. Returns exact fix commands for every failure. |
Remote operations
Tool | Description |
| Execute a command on a remote host. Returns stdout, stderr, and exit code (or |
| Read a file from a remote host via SFTP. |
| Write content to a file on a remote host via SFTP. |
| Upload a local file to a remote host via SFTP. |
| Download a file from a remote host to local filesystem. |
| List files in a directory on a remote host. |
| Get metadata for a file or directory (size, mode in octal, uid/gid, mtime/atime, isFile/isDirectory/isSymbolicLink). Use instead of parsing |
| Create a directory via SFTP. Set |
| Delete a file or empty directory via SFTP. Auto-dispatches unlink vs rmdir based on the path's type. Recursive directory delete is intentionally NOT supported -- use |
Higher-level operations
Tools that wrap common patterns agents build with ssh_exec — faster and less error-prone.
Tool | Description |
| Run a command on multiple hosts in parallel. Returns results per host. Subject to command policy if configured (policy is checked once before fan-out). |
| Search for files remotely with structured parameters ( |
| Read the last N lines of a file, optionally filtered by a grep pattern. |
| Check systemd service status (active, PID, uptime, description). Flags |
Auto-diagnostics
When any remote operation fails, ssh-mcp automatically runs diagnostics and includes the results in the error response. Your agent doesn't need to call ssh_diagnose separately — it gets told what's wrong and how to fix it right in the error message.
Connection pooling
Remote operations reuse SSH connections automatically. When your agent makes multiple calls to the same host, the first call opens a connection and subsequent calls reuse it. Connections are kept alive for 60 seconds after the last use, then closed automatically.
The pool caps at 100 active connections by default. Set SSH_MCP_MAX_POOL_SIZE=<n> to raise it for fan-out workloads against many distinct hosts (e.g. ssh_multi_exec across a large fleet). When the cap is reached, the pool evicts an idle entry to make room; if every entry is in use it rejects with Connection pool is full.
SSH config support
All connections respect your ~/.ssh/config. Host aliases, custom ports, usernames, identity files, and ProxyJump settings are used automatically. If you have Host myserver configured in your SSH config, just pass host: "myserver" — ssh-mcp resolves everything.
ProxyJump / bastion hosts are supported automatically. If your SSH config has ProxyJump bastion for a host, ssh-mcp connects through the bastion transparently. Chained proxies work too.
Host key verification
All remote operations verify the server's host key against ~/.ssh/known_hosts:
Known host, key matches — accept.
Known host, key changed — reject (MITM protection).
Unknown host — accept on first connection (TOFU). Use
ssh_known_hosts_fixto pin the key for future mismatch detection.
For stricter environments, set SSH_MCP_STRICT_HOST_KEY=1 to reject unknown hosts. Add them explicitly with ssh_known_hosts_fix first.
The diagnostic tools (ssh_test, ssh_diagnose) use StrictHostKeyChecking=no for their probe commands. Those probes only run echo SSH_OK — no credentials or data pass through — so the relaxed setting is safe for connectivity testing. Real operations always go through the hostVerifier.
Command policy
ssh_exec and ssh_multi_exec accept free-form shell commands from the agent. For security-conscious deployments, you can restrict which commands run via two env vars, each accepting a comma-separated list of regex patterns:
SSH_MCP_COMMAND_WHITELIST— if set, the command must match at least one pattern, else it's blocked.SSH_MCP_COMMAND_BLACKLIST— if set, the command must not match any pattern, else it's blocked.
When both are set, the command must pass both checks (whitelist first, then blacklist). When neither is set (the default), all commands are allowed.
Patterns are JavaScript regexes. Use ^ and $ for anchored matches; otherwise patterns are treated as substring matches. Commas are the delimiter, so a literal comma in a pattern needs to be expressed as \x2c or via a character class.
# Read-only allowlist: only ls / df / cat / find / tail
SSH_MCP_COMMAND_WHITELIST="^ls( .*)?,^df( .*)?,^cat ,^find ,^tail "
# Block destructive ops even if your agent goes off-script
SSH_MCP_COMMAND_BLACKLIST="^rm ,^shutdown,^reboot,^mkfs,^dd if=,>\s*/dev/"Blocked commands surface as a clear error mentioning which pattern (or which env var) rejected the call, so the agent can adapt rather than guess. Policy is enforced before the SSH connection opens — no remote process is started for a blocked command.
The structured higher-level tools (ssh_find, ssh_tail, ssh_service_status, SFTP ops) are exempt from policy. They build commands from typed parameters, so a tight ^ls whitelist would otherwise force you to allow ^find , ^tail , ^systemctl just to keep those tools working — defeating the point of a tight whitelist.
Policy interaction with ssh_exec's env parameter
When ssh_exec is called with env: { KEY: "value" }, the values are injected as a KEY='value' ... shell prefix before the command (see the ssh_exec description). Policy is checked against the full prefixed command, not the bare command argument. That's the safer ordering at the protocol layer — but it means whitelist patterns need to anticipate the prefix and must be anchored, not substring matches:
# WRONG -- blocks any ssh_exec call that uses `env`, because the final command
# starts with `KEY='value' ` and never matches `^ls`.
SSH_MCP_COMMAND_WHITELIST="^ls "
# RIGHT -- allow zero or more `KEY='value' ` prefixes before the real command.
SSH_MCP_COMMAND_WHITELIST="^([A-Za-z_][A-Za-z0-9_]*='[^']*' )*ls( |$)"Avoid substring-match patterns like ls if you're worried about a hostile agent. An agent could pass env: { ATTACK: " ls " } to make the final command ATTACK=' ls ' rm -rf /, which matches a substring ls and bypasses the whitelist. Anchored patterns of the form above don't have this weakness because they require the real command name to follow the env-prefix block, not appear inside a quoted env value.
Blacklists need the same care. ^rm blocks a bare rm call, but doesn't block FOO='bar' rm. Use the same env-prefix-tolerant anchor:
SSH_MCP_COMMAND_BLACKLIST="^([A-Za-z_][A-Za-z0-9_]*='[^']*' )*rm( |$)"If you don't trust the agent's env values at all, the simplest mitigation is to leave env unused in your client config and pass everything through the command string yourself.
Windows support
On Windows, ssh-mcp detects the OpenSSH Authentication Agent service automatically (via the \\.\pipe\openssh-ssh-agent named pipe). No SSH_AUTH_SOCK needed — just make sure the OpenSSH agent service is running.
Authentication
All remote operations accept connection parameters:
Parameter | Description | Default |
| SSH hostname or IP (required) | — |
| SSH port | From SSH config or |
| SSH username | From SSH config or current user |
| Path to SSH private key | Auto-detect |
| SSH password (prefer keys) | — |
Auth resolution order: ssh-mcp picks the first match from this list and does not fall through to later entries — this makes the auth method deterministic and predictable.
Explicit
privateKeyPathExplicit
passwordssh-agent (
SSH_AUTH_SOCKon Unix,\\.\pipe\openssh-ssh-agenton Windows)Identity files from
~/.ssh/configfor the hostDefault key paths (
~/.ssh/id_ed25519,id_rsa,id_ecdsa)
Example workflows
Agent can't git pull
Agent calls ssh_git_check → "Permission denied. Your SSH key is not registered with github.com."
Agent calls ssh_key_list → finds id_ed25519 exists but is not loaded
Agent calls ssh_key_load("~/.ssh/id_ed25519") → "Key loaded"
Agent calls ssh_git_check → "Git SSH authentication to github.com succeeded as username"
Agent runs git pull → worksHost key changed after instance recreation
Agent calls ssh_exec on server → error: "Host key verification failed"
(auto-diagnostics included in error: "Fix with ssh_known_hosts_fix")
Agent calls ssh_known_hosts_fix("my-server") → "Host key refreshed"
Agent calls ssh_exec → worksFirst-time connection to a new server
Agent calls ssh_test("new-server") → "Connection refused at new-server:22"
Agent calls ssh_diagnose("new-server") → full report showing agent running, keys loaded, but host unreachable
Agent reports: "SSH server isn't running on new-server or port 22 is blocked"Programmatic usage
import { connect, exec, diagnose, ensureAgent, listSshKeys, checkGitSsh, ConnectionPool } from '@yawlabs/ssh-mcp';
// Fix SSH environment
const agent = ensureAgent();
console.log(agent.message);
// Check git access
const git = checkGitSsh('github.com');
console.log(git.message);
// List available keys
const keys = listSshKeys();
for (const key of keys) {
console.log(`${key.name} (${key.type}) - ${key.loadedInAgent ? 'loaded' : 'not loaded'}`);
}
// Run a remote command (one-off)
const client = await connect({ host: 'my-server', username: 'deploy' });
const result = await exec(client, 'uptime');
console.log(result.stdout);
client.end();
// Run multiple commands with connection pooling
const pool = new ConnectionPool();
await pool.withConnection({ host: 'my-server' }, async (client) => {
const r1 = await exec(client, 'uptime');
console.log(r1.stdout);
});
// Connection stays open for 60s — next call reuses it
await pool.withConnection({ host: 'my-server' }, async (client) => {
const r2 = await exec(client, 'df -h');
console.log(r2.stdout);
});
pool.drain(); // close all connections when done
// Diagnose issues
const report = diagnose('my-server');
console.log(report.overall); // "ok" | "warning" | "error"
for (const check of report.checks) {
console.log(`[${check.status}] ${check.name}: ${check.message}`);
}Requirements
Node.js 18+
SSH client installed (for diagnostics and environment management)
License
MIT
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/YawLabs/ssh-mcp'
If you have feedback or need assistance with the MCP directory API, please join our Discord server