SSH MCP Server

List all allowed SSH hosts with metadata (labels, roles, description).

No authentication required beyond basic identity. Risk level: low.

Get safe host metadata (OS, uptime, kernel) — no secrets.

Risk level: low.

List all available command templates that can be used with run_ssh_command.

Each template defines a pre-approved command pattern with its allowed parameters, roles, and risk level. Use the template_id when calling run_ssh_command.

Risk level: low.

Return the last N audit log entries. Read-only.

Risk level: low.

Execute a pre-approved command template on a target host.

Use list_templates to discover available template_ids. Examples:

• disk_usage: run df -h (no params needed)

• service_status: check a systemd service (params: {"service": "docker"})

• list_processes: show top processes by memory (no params needed)

• tail_log: tail a log file (params: {"lines": "100", "log_path": "/var/log/syslog"})

Only commands from the template registry are allowed. Parameters are validated against per-template regex rules. Output is automatically redacted for secrets.

Pass session_id from ssh_connect to reuse a persistent connection.

Risk level: medium (requires user confirmation in VS Code).

Upload or download a file to/from a remote host.

Enforces path policy, blocked extensions, and size limits. Downloads require a justification string. For uploads, provide local_path (the file to upload).

Pass session_id from ssh_connect to reuse a persistent connection.

Risk level: medium-high (requires user confirmation).

Register a new SSH public key with policy checks.

Validates key format and strength. Enforces TTL limits from key policy. Requires ADMIN role and prior approval.

Risk level: high (requires approval).

Revoke / remove an SSH key by its key_id.

Requires ADMIN role and prior approval. Risk level: high.

Issue a short-lived SSH certificate for a user.

Certificates are signed by the local CA with a tight TTL. Requires ADMIN role and prior approval.

Risk level: high.

Revoke an issued SSH certificate.

Revoked certificates are added to the revocation list and their PEM files are deleted. Requires ADMIN role and prior approval.

Risk level: high.

Request approval for a privileged (Tier 2) operation.

Returns a request_id and one-time approval_token. The token must be presented to the approver. The request_id is then passed to the privileged tool.

Risk level: low (creating a request is safe).

Approve a pending approval request.

In two-party mode, the approver must be a different user from the requester.

Risk level: high (grants execution permission).

List all pending approval requests.

Risk level: low (read-only).

Open a persistent SSH session to a host.

Returns a session_id that can be passed to run_ssh_command and transfer_file to reuse the connection. Sessions have keepalive probes and auto-close after idle timeout.

Risk level: low.

Close a persistent SSH session.

Risk level: low.

List all active SSH sessions and remaining connection slots.

Risk level: low.

Health-check a persistent SSH session.

Returns liveness, idle time, and uptime. Risk level: low.

Start a template command in the background (non-blocking).

Returns a job_id immediately. Use poll_background_job to read output, list_background_jobs to see all jobs, or cancel_background_job to stop.

Same template-only security model as run_ssh_command. Risk level: medium (requires user confirmation).

Read accumulated output and status of a background job (redacted).

Returns new stdout since last poll, plus current status and exit code. Risk level: low (read-only).

List all background jobs (running + completed).

Risk level: low (read-only).

Cancel a running background job.

Risk level: medium (requires user confirmation).

List files and directories at a remote path.

Only paths within the configured allowed_paths are accessible. Risk level: low (read-only).

Delete a remote file via SFTP.

Only files within allowed_paths can be deleted. Blocked extensions are enforced. Requires a justification. Risk level: medium (requires user confirmation).