Which integrations are available for this server?

Enables VS Code Copilot Chat to perform hardened SSH operations and manage remote Linux systems through a natural language interface using the Model Context Protocol. Allows secure management of remote Linux servers via SSH, providing tools for host discovery, templated command execution, SFTP file transfers, and SSH certificate lifecycle management.

SSH MCP Server by bhayanak

What Is This?

SSH MCP Server lets you manage remote Linux servers through natural language in VS Code Copilot Chat. Instead of switching to a terminal and remembering SSH commands, you just ask:

"Check disk usage on production-web"

"Show me the last 200 lines of /var/log/nginx/error.log on staging"

"Download /var/log/syslog from web-server-01 for incident INC-2026-0309"

The server enforces strict security policies — no raw shell access, all commands go through pre-approved templates, parameters are regex-validated, secrets in output are auto-redacted, and privileged operations require an approval workflow.

Features

23 MCP tools — host discovery, session management, command execution (sync + background), file transfer, SFTP operations, SSH key management, certificate lifecycle, approval workflows
Template-only execution — no raw shell; every command matches a registered template with regex-validated parameters
3-tier security model — read-only (Tier 0), controlled mutation with confirmation (Tier 1), privileged with approval workflow (Tier 2)
Automatic secret redaction — AWS keys, bearer tokens, passwords, private keys are scrubbed from output
Tamper-evident audit log — every operation is logged with hash-chain integrity verification
Short-lived SSH certificates — issue and revoke certificates with TTL enforcement via a local CA
Persistent SSH sessions — connection pooling with keepalive probes and configurable idle timeout
Background command execution — run long-running template commands asynchronously with output polling
Path traversal protection — .. sequences blocked in all path parameters and file transfers
Transfer policy — allowed paths, blocked extensions, size limits, mandatory justification for downloads

Quick Start

Prerequisites

Python 3.11+
VS Code with GitHub Copilot extension
SSH access to at least one remote Linux host

Install

As vscode plugin

Follow instructions on link:

https://marketplace.visualstudio.com/items?itemName=bhayanak.ssh-mcp-server-secure

Python package: https://pypi.org/project/ssh-mcp-server-copilot/

Install from Source (for development / contributing)

git clone https://github.com/bhayanak/ssh-mcp-server.git
cd ssh-mcp-server

python -m venv .venv
source .venv/bin/activate   # macOS/Linux
# .venv\Scripts\activate    # Windows

pip install -e ".[dev]"

For local development, create .vscode/mcp.json pointing to the local source:

{
  "servers": {
    "ssh-mcp": {
      "type": "stdio",
      "command": "${workspaceFolder}/.venv/bin/python",
      "args": ["-m", "ssh_mcp.server"],
      "env": {
        "SSH_MCP_CONFIG_DIR": "${workspaceFolder}/config",
        "SSH_MCP_HOSTS_FILE": "${workspaceFolder}/config/hosts.json",
        "SSH_MCP_TEMPLATES_FILE": "${workspaceFolder}/config/templates.json",
        "SSH_MCP_AUDIT_LOG_DIR": "${workspaceFolder}/audit_logs",
        "SSH_MCP_CERT_DATA_DIR": "${workspaceFolder}/cert_data",
        "SSH_MCP_APPROVAL_DATA_DIR": "${workspaceFolder}/approval_data",
        "SSH_MCP_SSH_KNOWN_HOSTS_FILE": "~/.ssh/known_hosts"
      }
    }
  }
}

Configure Your Hosts

Edit the hosts file with your actual servers. If you used ssh-mcp-server-copilot init, edit ~/.ssh-mcp/hosts.json. If developing from source, edit config/hosts.json.

[
  {
    "host_id": "my-server",
    "hostname": "192.168.1.10",
    "port": 22,
    "ssh_user": "deploy",
    "labels": {"env": "production", "role": "web"},
    "description": "Production web server",
    "allowed_roles": ["operator", "admin"]
  }
]

Field	Required	Description
`host_id`	Yes	Unique identifier (alphanumeric, dots, dashes)
`hostname`	Yes	IP address or FQDN
`port`	No	SSH port (default: 22)
`ssh_user`	Yes*	Remote SSH username. If empty, uses your OS username
`labels`	No	Key-value tags for organization
`description`	No	Human-readable description
`allowed_roles`	No	Which roles can access this host (default: operator, admin)

Set Up SSH Access

Your SSH key must be authorized on each host:

# Generate a key if you don't have one
ssh-keygen -t ed25519 -C "your-email@example.com"

# Copy to each host
ssh-copy-id -i ~/.ssh/id_ed25519.pub deploy@192.168.1.10

# Load into ssh-agent (required — the MCP server uses the agent)
eval "$(ssh-agent -s)"
ssh-add ~/.ssh/id_ed25519

# Verify access
ssh deploy@192.168.1.10 "echo OK"

Add host keys to known_hosts:

ssh-keyscan -H 192.168.1.10 >> ~/.ssh/known_hosts

Start Using

Open the workspace in VS Code
The MCP server auto-starts from .vscode/mcp.json
Open Copilot Chat (Cmd+Shift+I / Ctrl+Shift+I)
Switch to "Agent" mode (critical — only Agent mode can invoke MCP tools)
Verify tools are loaded — click the tools icon in the chat input bar, you should see 23 tools from ssh-mcp

Now just ask in natural language:

> List all my SSH hosts
> Check disk usage on my-server
> Show me the last 100 lines of /var/log/syslog on my-server
> What's the status of nginx on my-server?

Tools (23)

Tier 0 — Read-Only (No Confirmation)

Tool	Description
`list_hosts`	List all configured SSH hosts with labels and metadata
`get_host_facts`	Get OS, uptime, kernel info from a host
`get_audit_logs`	View the tamper-evident audit trail
`list_templates`	List available command templates
`list_pending_approvals`	View pending approval requests

Session Management

Tool	Description
`ssh_connect`	Open a persistent SSH session (returns session_id for reuse)
`ssh_disconnect`	Close a persistent session
`ssh_list_sessions`	List active sessions and remaining connection slots
`ssh_session_ping`	Health-check a session (liveness, idle time, uptime)

Tier 1 — Controlled Mutation (Confirmation Required)

Tool	Description
`run_ssh_command`	Execute a template command on a host (supports `session_id` for persistent connections)
`transfer_file`	Download/upload files via SFTP with path and extension policies (supports `session_id`)

Background Command Execution

Tool	Description
`run_ssh_command_background`	Start a template command in the background (returns job_id)
`poll_background_job`	Read accumulated stdout/stderr of a background job (redacted)
`list_background_jobs`	List all background jobs (running + completed)
`cancel_background_job`	Cancel a running background job

Enhanced SFTP

Tool	Description
`sftp_list_directory`	List files in a remote directory (within allowed paths)
`sftp_delete`	Delete a remote file (within allowed paths, requires justification)

Tier 2 — Privileged (Approval Required)

Tool	Description
`add_ssh_key`	Register a public SSH key with TTL enforcement
`remove_ssh_key`	Revoke a registered SSH key
`issue_cert`	Issue a short-lived SSH certificate via the local CA
`revoke_cert`	Revoke a certificate and delete its PEM
`request_approval` / `approve_request`	Approval workflow for privileged ops

Configuration

Command Templates

Templates define which commands can be executed. Edit config/templates.json:

[
  {
    "template_id": "disk_usage",
    "description": "Show disk usage summary",
    "command": "df -h",
    "allowed_params": {},
    "allowed_roles": ["developer", "operator", "admin"],
    "timeout_seconds": 10,
    "risk_level": "low"
  },
  {
    "template_id": "tail_log",
    "description": "Tail the last N lines of a log file",
    "command": "tail -n {lines} {log_path}",
    "allowed_params": {
      "lines": "^[0-9]{1,5}$",
      "log_path": "^/var/log/[a-zA-Z0-9_./-]+$"
    },
    "allowed_roles": ["operator", "admin"],
    "timeout_seconds": 15,
    "risk_level": "low"
  }
]

Each parameter is validated against a regex pattern before substitution. Path traversal (..) is blocked automatically.

Environment Variables

All configuration is via environment variables with the SSH_MCP_ prefix:

Variable	Default	Description
`SSH_MCP_CONFIG_DIR`	`~/.ssh-mcp`	Base config directory (all other paths derive from this)
`SSH_MCP_HOSTS_FILE`	`{config_dir}/hosts.json`	Path to hosts configuration
`SSH_MCP_TEMPLATES_FILE`	`{config_dir}/templates.json`	Path to command templates
`SSH_MCP_AUDIT_LOG_DIR`	`{config_dir}/audit_logs`	Audit log directory
`SSH_MCP_CERT_DATA_DIR`	`{config_dir}/cert_data`	Certificate storage directory
`SSH_MCP_APPROVAL_DATA_DIR`	`{config_dir}/approval_data`	Approval data directory
`SSH_MCP_MAX_SESSIONS`	`10`	Max simultaneous SSH sessions
`SSH_MCP_SESSION_IDLE_TIMEOUT`	`300`	Idle session timeout (seconds)
`SSH_MCP_KEEPALIVE_INTERVAL`	`15`	SSH keepalive interval (seconds)
`SSH_MCP_KEEPALIVE_COUNT_MAX`	`3`	Max failed keepalive probes before disconnect
`SSH_MCP_MAX_BACKGROUND_JOBS`	`10`	Max concurrent background jobs
`SSH_MCP_JOB_OUTPUT_MAX_BYTES`	`1048576`	Max output buffer per background job (1 MB)
`SSH_MCP_JOB_TTL_SECONDS`	`3600`	Background job auto-expiry (1 hour)
`SSH_MCP_SSH_KNOWN_HOSTS_FILE`	(none)	Path to SSH known_hosts file
`SSH_MCP_REQUIRE_TWO_PARTY_APPROVAL`	`true`	Require different user as approver
`SSH_MCP_AUTH_TOKEN`	(none)	Bearer token (empty = dev mode)
`SSH_MCP_SSH_TIMEOUT_SECONDS`	`30`	SSH connection timeout

Transfer Policy (Defaults)

Setting	Default
Allowed paths	`/tmp/`, `/var/log/`
Blocked extensions	`.exe`, `.sh`, `.bat`, `.ps1`, `.dll`, `.so`
Max file size	50 MB
Require justification for downloads	Yes

Roles

Role	Access
`developer`	Read-only tools, low-risk commands
`operator`	All Tier 0 + Tier 1 tools
`admin`	All tools including Tier 2 (key/cert management)
`auditor`	Audit log access

Security

Design Principles

No raw shell — all commands go through registered templates
Parameter validation — every parameter is regex-validated before substitution
Path traversal blocking — .. sequences rejected in all parameters and file paths
Secret redaction — AWS keys, bearer tokens, passwords, private keys automatically scrubbed from output
Approval workflow — privileged operations (key/cert management) require explicit approval with HMAC-verified tokens
Tamper-evident audit — hash-chained audit log for forensic analysis
Strict host validation — paramiko RejectPolicy by default (no auto-accepting unknown hosts)
TTL enforcement — SSH certificates and keys have configurable maximum lifetimes

Approval Workflow

Tier 2 operations follow a 3-step flow:

1. request_approval  →  returns request_id + one-time approval_token
2. approve_request   →  verifies HMAC token, marks approved
3. call the tool     →  pass approval_request_id, consumed after use

With REQUIRE_TWO_PARTY_APPROVAL=true (production), a different user must approve.

Audit Log Verification

python -c "
from ssh_mcp.audit import AuditLogger
from pathlib import Path
logger = AuditLogger(Path('audit_logs'))
ok, msg = logger.verify_chain()
print(f'Chain integrity: {ok} — {msg}')
"

Testing

Unit Tests

# Run all tests
pytest tests/ -v

# With coverage
pytest tests/ -v --cov=ssh_mcp

Runtime Directories (git-ignored, auto-created)

Directory	Purpose
`audit_logs/`	Tamper-evident audit log (`audit.jsonl`)
`cert_data/`	CA keys, issued certificates, revocation list
`approval_data/`	Pending and consumed approval requests

CLI Reference

ssh-mcp-server-copilot --version          # Print version
ssh-mcp-server-copilot init               # Create ~/.ssh-mcp with default configs
ssh-mcp-server-copilot                    # Start MCP server (stdio transport)
ssh-mcp-server-copilot --config-dir PATH  # Use custom config directory
ssh-mcp-server-copilot --config-dir PATH init  # Init a custom config directory

Contributing

Fork the repository
Create a feature branch: git checkout -b feature/my-feature
Make your changes
Run tests: pytest tests/ -v
Lint: ruff check src/ tests/
Submit a pull request

License

MIT

SSH MCP Server