ssh-session-mcp
ssh-session-mcp
中文 | English
Persistent shared-terminal runtime for MCP clients over SSH.
ssh-session-mcp gives the user and the AI the same SSH PTY session, adds a browser viewer, tracks who typed what, and makes long-running remote work manageable instead of stateless.
Contents
Related MCP server: ssh-mcp-server
Install At A Glance
Normal users do not need to
git clonethis repository.Preferred install path for MCP clients:
npx -y ssh-session-mcp --viewerPort=autoPreferred install path for human operators who want local binaries:
npm install -g ssh-session-mcpOfficial container distribution can be published to a public registry such as
docker.io/zwawa/ssh-session-mcpgit cloneis only for contributors, source builds, and local development.For the common desktop MCP workflow,
npxor a global npm install is still the lowest-friction path. Docker is mainly useful when you want a pinned runtime, container-based deployment, or registry-backed distribution.
Why It Exists
Most SSH-oriented MCP servers can execute commands, but they do not manage terminal state well enough for real collaboration.
ssh-session-mcp focuses on the missing runtime layer:
One shared PTY for both the human and the AI
Browser terminal for live inspection and manual intervention
Input lock so the AI does not type over the user
Safe/full execution modes for risky commands
Configurable default policy rules plus session-level custom rule overrides
Async command tracking for long-running remote work
Multi-device and multi-connection profile support
Local debug mode for demos, offline testing, and prompt iteration
Best Fit
AI-assisted remote development on Linux boards and SSH servers
Embedded, ROS, training, and deployment hosts that need a real terminal
Users who want the AI to help, but do not want to surrender the terminal
MCP Marketplace listings where the install and demo path must be clear
Project Structure
Key directories and files:
Path | Purpose |
| Core TypeScript implementation for the MCP server, SSH session runtime, viewer, tools, and config CLIs |
| HTML page generators and browser-side scripts for the terminal viewer |
| Vitest coverage for runtime behavior, viewer contracts, config loading, and repository validation |
| Supporting documentation such as contracts, failure taxonomy, platform notes, and Docker usage |
| Example config files for normal and Docker-oriented setups |
| Build, version sync, and local operator helper scripts |
| Helm chart for Kubernetes deployment in single-node or distributed v0 mode |
| GitHub Pages landing page source |
| Generated static site output from |
| Generated JavaScript output from |
| Container image build definition |
| Profile-based Docker Compose example |
| Legacy |
| MCP server metadata for marketplace-style distribution |
| Primary agent/operator playbook |
| Agent-focused installation and environment checklist |
| Legacy single-target environment variable template |
Quick Start
1. Agent-First Install (Auto-download on first run)
If the goal is to let Claude Code, Codex, or OpenCode install the server automatically, prefer npx -y ssh-session-mcp in the MCP command instead of a prior global install.
For Cline Marketplace and other agent installers, see llms-install.md. This repo is structured to be one-click installable through an npx -y ssh-session-mcp --viewerPort=auto command.
Claude Code
claude mcp add --transport stdio ssh-session-mcp -- npx -y ssh-session-mcp --viewerPort=autoWindows note from the Claude Code docs: native Windows users should wrap npx with cmd /c for stdio MCP servers.
claude mcp add --transport stdio ssh-session-mcp -- cmd /c npx -y ssh-session-mcp --viewerPort=autoCodex
codex mcp add ssh-session-mcp -- npx -y ssh-session-mcp --viewerPort=autoOpenCode
OpenCode's opencode mcp add flow is interactive. Choose a local MCP server and use this command:
npx -y ssh-session-mcp --viewerPort=autoIf you prefer config instead of the interactive flow:
{
"$schema": "https://opencode.ai/config.json",
"mcp": {
"ssh-session-mcp": {
"type": "local",
"command": ["npx", "-y", "ssh-session-mcp", "--viewerPort=auto"]
}
}
}This is the closest thing to "automatic installation" for stdio MCP servers today: the MCP client stores the command, and npx -y downloads the package automatically the first time it runs.
2. Fastest Local Demo
npm install -g ssh-session-mcp
ssh-session-mcp-ctl launch --local --viewerPort=autoThis starts a local shell instead of SSH and opens the browser terminal, which is the easiest way to test the MCP runtime before touching a real server.
3. Register As An MCP Server
Use the MCP server binary directly when wiring a client:
# Global install
npm install -g ssh-session-mcp
# Server command used by MCP clients
ssh-session-mcp --viewerPort=auto# Claude Code
claude mcp add --transport stdio ssh-session-mcp -- ssh-session-mcp --viewerPort=auto
# Codex CLI
codex mcp add ssh-session-mcp -- ssh-session-mcp --viewerPort=autoIf you prefer npx instead of a global install:
npx -y ssh-session-mcp --viewerPort=auto4. Connect To A Real SSH Target
Create .env from .env.example:
cp .env.example .envSSH_HOST=YOUR_DEVICE_HOST
SSH_PORT=22
SSH_USER=YOUR_DEVICE_USER
SSH_PASSWORD=
SSH_KEY=
VIEWER_PORT=auto
AUTO_OPEN_TERMINAL=false
SSH_MCP_MODE=safeThen launch:
ssh-session-mcp-ctl launch --viewerPort=auto5. Multi-Device Config
For multiple boards or named targets, create ssh-session-mcp.config.json:
{
"defaultDevice": "DEVICE_A_ID",
"devices": [
{
"id": "DEVICE_A_ID",
"host": "DEVICE_A_HOST",
"port": 22,
"user": "DEVICE_A_USER",
"auth": { "passwordEnv": "DEVICE_A_PASSWORD" },
"defaults": {
"term": "xterm-256color",
"cols": 120,
"rows": 40,
"autoOpenViewer": true,
"viewerMode": "browser"
}
}
]
}Discovery order:
--config=/path/to/config.jsonWorkspace
ssh-session-mcp.config.jsonUser-global config
Legacy
.envfallback
Important:
Config discovery is based on the MCP process working directory.
auth.passwordis intentionally unsupported. Useauth.passwordEnvorauth.keyPath.Secrets belong in
.envor the parent environment, not in repo-tracked JSON.
6. Docker Status
Public Docker images should be distributed through Docker Hub, with GitHub Container Registry as an optional secondary registry:
docker.io/zwawa/ssh-session-mcp:<version>
docker.io/zwawa/ssh-session-mcp:latest
ghcr.io/zw-awa/ssh-session-mcp:<version>Recommended container launch for a real SSH target:
docker run --rm -i \
-p 8793:8793 \
-e VIEWER_PORT=8793 \
-e VIEWER_HOST=0.0.0.0 \
-e SSH_HOST=YOUR_DEVICE_HOST \
-e SSH_PORT=22 \
-e SSH_USER=YOUR_DEVICE_USER \
-e SSH_PASSWORD \
docker.io/zwawa/ssh-session-mcp:latestExport the password in your shell first instead of placing it directly on the command line.
Recommended launch for profile-based config:
docker run --rm -i \
-p 8793:8793 \
-e VIEWER_PORT=8793 \
-e VIEWER_HOST=0.0.0.0 \
-e SSH_MCP_CONFIG=/workspace/ssh-session-mcp.config.json \
-v "$PWD/ssh-session-mcp.config.json:/workspace/ssh-session-mcp.config.json:ro" \
-v "/path/to/host/keys:/workspace/keys:ro" \
docker.io/zwawa/ssh-session-mcp:latestEquivalent Compose example:
docker compose up -dSee docker-compose.yml for a ready-to-run example that mounts ssh-session-mcp.config.json, publishes the viewer on 8793, and uses SSH_KEY_DIR when set or falls back to a dedicated ./keys directory.
For the full Docker guide, including the legacy .env compose variant and MCP client config snippets, see docs/docker.md.
For a container-oriented profile example, see docs/examples/ssh-session-mcp.config.docker.example.json.
Container-specific notes:
The image defaults
VIEWER_PORTto8793when unset so the browser viewer can be published reliably.The image defaults
VIEWER_HOSTto0.0.0.0inside the container so the mapped port is reachable from the host.AUTO_OPEN_TERMINALdefaults tofalsein the container because browser auto-open from inside a container is usually not useful.Mount config files or SSH keys read-only when possible.
Prefer mounting SSH keys from a directory outside the repo root.
In
docker-compose.yml,SSH_KEY_DIRoverrides the default key mount path. If it is unset, Compose falls back to./keys, not the repo root.Avoid putting passwords directly on the command line. Prefer exported env vars, Compose
.env, or--env-file.For stdio MCP clients, Docker is viable, but host-native
npxis still simpler unless your client explicitly prefers containerized commands.
Docker-based MCP client command examples:
# Claude Code
claude mcp add --transport stdio ssh-session-mcp -- docker run --rm -i -p 8793:8793 -e VIEWER_PORT=8793 -e VIEWER_HOST=0.0.0.0 docker.io/zwawa/ssh-session-mcp:latest
# Codex CLI
codex mcp add ssh-session-mcp -- docker run --rm -i -p 8793:8793 -e VIEWER_PORT=8793 -e VIEWER_HOST=0.0.0.0 docker.io/zwawa/ssh-session-mcp:latestFor JSON-based MCP clients, the same pattern works by using docker as the command and passing the remaining run ... docker.io/zwawa/ssh-session-mcp:latest tokens as args.
This is useful when:
The primary workflow is a local stdio MCP server command, not a long-lived network service.
You want a pinned Node/runtime environment without a local install.
You need registry-based distribution for a team or managed host.
You want container-level isolation for the MCP server process.
For many users, publishing to npm and recommending npx -y ssh-session-mcp --viewerPort=auto is still the lower-friction install path.
Viewer And Collaboration Model
The browser viewer is not decorative. It is part of the workflow:
The user can see exactly what the AI did.
The AI can pause when the user takes over.
Password prompts, pagers, and editors become visible state instead of hidden failure modes.
Session diagnostics and history turn terminal debugging into something inspectable.
Marketplace-Friendly Flow
For users:
install -> launch viewer -> connect once -> keep the session alive -> let the AI helpFor agents:
ssh-quick-connect -> ssh-run -> inspect output -> ssh-command-status if needed -> ssh-run againUse AGENT.md when you want the AI to install, inspect config, connect devices, and help the user end-to-end. Compatibility notes for older agent setups remain in AI_AGENT_GUIDE.md.
Core Differences From A Stateless MCP SSH Wrapper
Shared PTY instead of one-off command execution
Actor-aware transcript markers for user, system, and agent input
Terminal-state checks before dangerous or nonsensical writes
Auto cleanup for sessions and viewer processes
Session-scoped browser viewer with diagnostics and history
Local debug mode with
--localfor offline testing
Operation Modes
Mode | Behavior |
| Default per session. Automatically blocks obviously dangerous, interactive, or never-ending commands. |
| Per session. Relaxes the guardrails for advanced use, while still blocking a small set of clearly destructive abuse cases. |
Each session now owns its own safe / full mode. Switching one browser terminal to full does not change other sessions.
The default rule set can be customized if needed. Custom rules now support:
error: block the commandwarning: allow but surface a warninglog: allow and annotate only
Rule precedence is error > warning > log, and within the same level, earlier rules win.
Lock Policy
The browser terminal UI lets the operator choose one of these input policies:
Policy | What the operator experiences |
| User and agent can both type into the shared terminal. |
| Only the user can type. Agent write actions are blocked. |
| The user can start typing without fighting the agent. While the user is actively drafting input, agent writes are blocked. |
| Only the agent can type. User input is blocked until the policy changes. |
When the terminal is not available for agent input, tools such as ssh-run, ssh-session-send, and ssh-session-control return a blocked response instead of forcing input into the PTY.
MCP Tools
Recommended Daily Tools
Tool | Purpose |
| Connect or reuse the default target and optionally open the viewer |
| Execute a command with completion detection and exit-code capture |
| Inspect sessions, viewer state, and operation mode |
| Poll async command progress |
| Retry flaky commands with backoff |
| Inspect inherited defaults and current session custom policy rules |
| Add or update a session-level custom policy rule |
| Remove a session-level custom policy rule |
| Reset session custom rules back to inherited defaults |
Full Tool Catalog
Tool | Purpose |
| Open a session with explicit SSH parameters |
| Send raw PTY input |
| List configured devices and defaults |
| Read buffered terminal output by offset |
| Long-poll for output and dashboard changes |
| Read line-numbered mixed terminal history |
| Send control keys such as |
| Resize the PTY |
| List tracked sessions |
| Inspect lock state, warnings, running command state, and viewer health |
| Show inherited policy defaults and the current session rule set |
| Add or update a session-specific custom policy rule |
| Remove a session-specific custom policy rule |
| Restore inherited rules for the current session |
| Choose the default session |
| Open or reuse the local viewer |
| List tracked viewer processes |
| Close a session cleanly |
| One-step connect flow for agents |
| Main command execution tool |
| Runtime overview |
| Async poller |
| Retry executor |
Local Operator Commands
These helpers are for humans on the workstation that owns the viewer:
ssh-session-mcp-ctl status
ssh-session-mcp-ctl devices
ssh-session-mcp-ctl launch --viewerPort=auto
ssh-session-mcp-ctl launch --local --viewerPort=auto
ssh-session-mcp-ctl logs --tail=60
ssh-session-mcp-ctl cleanupDefault rule library management for operators:
ssh-session-mcp-config policy list --scope=merged
ssh-session-mcp-config policy set error-kubectl-delete --pattern="\\bkubectl\\s+delete\\b" --category=dangerous --action=error --priority=0 --message="kubectl delete is blocked in safe mode"
ssh-session-mcp-config policy remove error-kubectl-deleteEquivalent repo-local commands also exist:
npm run launch
npm run status
npm run devices
npm run logs
npm run cleanupConfiguration Summary
Key environment variables:
Variable | Meaning | Default |
| Legacy single-target SSH host | required in legacy mode |
| Legacy single-target SSH port |
|
| Legacy single-target SSH user | required in legacy mode |
| Password auth | empty |
| Local private key path | empty |
| File containing the SSH password | empty |
| File containing the SSH private key | empty |
| Runtime isolation key |
|
| Explicit config file path | auto-discovery |
| Runtime state root directory | platform default |
| Viewer bind host |
|
| Viewer port or |
|
| Viewer IP filter mode | config-driven |
|
|
|
| Launch a local shell instead of SSH |
|
| Enable debug browser actions |
|
| Auto-open browser terminal |
|
|
|
|
| Metadata log directory | platform default |
Distributed v0
Distributed v0 intentionally implements a narrow boundary:
Supported runtime modes:
single-nodeanddistributedDistributed mode shares control-plane state only: node heartbeat, session metadata, binding metadata, command metadata, and viewer access policy
When the current replica is not the owner, HTTP APIs return
REMOTE_OWNER, HTML pages render a remote-owner error page, and websocket attaches close with code4009Cross-node PTY migration is not supported
Transparent cross-node HTTP or websocket proxying is not supported
Distributed v0 requires Redis for real multi-node deployments. SSH_MCP_STORE=memory only exists for local skeleton testing and does not provide a shared store across replicas.
Distributed configuration:
Variable | Meaning | Default |
|
|
|
|
|
|
| Redis connection URL | required when |
| Stable logical node id for this replica | runtime instance id |
| Public viewer base URL advertised to other replicas | unset |
|
|
|
| Whether to trust authenticated proxy headers |
|
| Authenticated user header name |
|
| Authenticated role header name |
|
Recommended distributed env example:
SSH_MCP_RUNTIME_MODE=distributed
SSH_MCP_STORE=redis
SSH_MCP_REDIS_URL=redis://redis:6379/0
SSH_MCP_NODE_ID=node-a
SSH_MCP_PUBLIC_BASE_URL=https://ssh-mcp.example.com
SSH_MCP_AUTH_MODE=proxy
SSH_MCP_TRUST_PROXY=true
SSH_MCP_AUTH_USER_HEADER=x-forwarded-user
SSH_MCP_AUTH_ROLE_HEADER=x-forwarded-roleProxy auth is most useful in distributed mode behind a trusted reverse proxy. The built-in role mapping is:
viewer_read: pages, session list/read endpoints, history, diagnostics, health, readiness, metricsviewer_write: attach input, resize, controlsession_admin: mode changes, policy updates, close, set-active, debug-agent actions, local debug session creation
Macro / Environment Variable Reference
Use these variables according to your installation path:
Variable | Required When | Accepted Values / Example | Notes |
| Legacy single-target SSH mode |
| Required unless you use |
| Legacy single-target SSH mode |
| Optional in legacy mode; defaults to |
| Legacy single-target SSH mode |
| Required unless you use device profiles. |
| Password-based auth | exported env var | Prefer env export over putting the password directly in the command line. |
| Password-based auth via secret file |
| The file contents are used as the password. This is the preferred pattern for Docker and Kubernetes secrets. |
| Key-based auth in legacy mode |
| The path must exist on the host running the MCP server. |
| Key-based auth via secret file |
| The file contents are used as the private key. This works well with mounted container secrets. |
| Profile-based mode or config outside cwd |
| Use this when config auto-discovery is not enough. |
| Multi-agent / multi-client isolation |
| Use different values when two agents should not share runtime state. |
| Runtime state root override |
| Controls where per-instance server info, viewer state, and default logs are stored. Mount it persistently in containers. |
| Distributed topology selection |
| Distributed v0 only shares control-plane state; it does not migrate PTYs across nodes. |
| Distributed state backend |
| Use |
| Redis backend enabled |
| Required when |
| Stable distributed node id |
| Useful when multiple replicas share Redis and need durable owner ids. |
| Public routing hint for this node |
| Used in |
| Viewer auth mode |
|
|
| Trust viewer identity headers |
| Must be enabled together with |
| Proxy-auth viewer user header |
| Header names are normalized to lowercase internally. |
| Proxy-auth viewer role header |
| Roles are comma-separated and mapped to |
| Custom viewer bind |
| Use |
| Viewer enabled |
|
|
| Viewer access control mode |
| Usually edited in the viewer home page. Keep |
| Auto-open viewer tab |
| Usually |
| Runtime safety mode |
|
|
| Local demo mode |
| Starts a local shell instead of SSH. |
| Browser debug controls |
| Intended for demos and troubleshooting. |
| Runtime metadata logging |
|
|
| Override metadata log directory |
| Mainly useful with |
| Docker Compose profile-based example |
| Optional in |
| Docker Compose image override |
| Override this if you mirror the image or test another tag. |
Minimum Required Settings
Choose one of these minimum configuration sets:
Local demo:
SSH_MCP_LOCAL=trueandVIEWER_PORT=autoLegacy SSH with password:
SSH_HOST,SSH_USER,SSH_PASSWORDLegacy SSH with key:
SSH_HOST,SSH_USER,SSH_KEYProfile-based mode:
ssh-session-mcp.config.json, plus anypasswordEnvvariables referenced by that configDocker Compose profile mode:
ssh-session-mcp.config.json, optionalSSH_KEY_DIR, optionalSSH_SESSION_MCP_IMAGE
Container Runtime Notes
Container defaults now set
SSH_MCP_LOG_MODE=stderrso logs go to the container runtime without corrupting stdio MCP transport.Mount
SSH_MCP_STATE_DIRpersistently when you want viewer policy, server info, and state files to survive container restarts.Distributed multi-node deployments need Redis plus a routable
SSH_MCP_PUBLIC_BASE_URLper replica.Distributed v0 does not provide cross-node PTY migration or transparent cross-node proxying. Route requests to the owner node when you receive
REMOTE_OWNER.Health endpoints:
/livezfor process liveness/readyzfor readiness checks/metricsfor Prometheus text metrics
Example single-instance Kubernetes baseline: docs/examples/ssh-session-mcp.k8s.single-instance.yaml
Example distributed Kubernetes baseline: docs/examples/ssh-session-mcp.k8s.distributed.example.yaml
Primary Kubernetes installation path:
deploy/helm/ssh-session-mcp
Example config file: docs/examples/ssh-session-mcp.config.example.json
Security
The package never requires raw passwords inside tracked JSON config.
.envis ignored by git and npm.Viewer HTTP binds to localhost by default.
The MCP server treats terminal mode and input lock as first-class safety signals.
CI runs Trivy filesystem and container-image scans against high and critical vulnerabilities.
Release builds generate a CycloneDX SBOM for the published GHCR image digest and attach it to the GitHub release.
Release builds sign the published GHCR image digest with keyless Cosign.
GHCR digest is the primary verification path. Docker Hub remains a distribution path, not the main signature-verification target.
See SECURITY.md for the full policy.
Platform Notes
Windows 10/11: first-class host environment
Linux: strong fit for headless MCP + browser viewer workflows
macOS: standard Node.js path supported
Remote Linux hosts: first-class target
More detail: docs/platform-compatibility.md
Docs
Development
Clone the repo only if you want to modify the source, run tests locally, or build release artifacts.
npm install
npm run build
npm run test
npm run validate:repo
npm run build:siteGitHub Actions included in this repo can:
run CI on push and pull request
deploy a GitHub Pages landing page from
dist/build a tagged GitHub Release with the npm package tarball attached
License
Apache-2.0. See LICENSE.
This server cannot be installed
Maintenance
Latest Blog Posts
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/Zw-awa/ssh-session-mcp'
If you have feedback or need assistance with the MCP directory API, please join our Discord server