mcp-jumpserver-gui-sucks
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@mcp-jumpserver-gui-sucksrun 'hostname' on asset-web as root"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
mcp-jumpserver-gui-sucks
CAUTION: Operate production machines with extreme care. This MCP assumes no responsibility for production incidents caused by unsafe or incompetent model behavior.
A JumpServer 443-only MCP bridge for coding agents such as Codex and Claude. The project exposes a CLI-first, MFA-compatible, audit-preserving path into JumpServer assets without depending on port 2222 or any GUI-driven workflow in normal use.
Current Status
The main CLI and MCP chain is working against a real JumpServer instance:
CLI-first login with terminal-entered MFA
persisted durable
access_keyauth for REST discoverypersisted authenticated web-session cookies for KoKo terminal flows
asset, node, connect-method, and asset-access discovery
KoKo 443 WebSocket probing
one-shot remote command execution through KoKo
managed multi-turn terminal sessions for MCP-driven shell interaction
managed shell reuse for repeated command execution against the same asset/account target
non-blocking buffered terminal output reads for managed sessions
explicit managed-session command interruption with
Ctrl-Cprocess-local terminal idle reaping and session-cap enforcement
explicit cookie-session refresh probing before terminal work
a line-oriented CLI shell for non-MCP interactive terminal use
The current implementation is usable, but it is not feature-complete yet. The most important known limitation is:
terminal access still depends on a valid cookie-backed web session, so a fully expired terminal session still requires a fresh
loginrun with MFA
Terminal-oriented entry points now accept either the concrete JumpServer account ID/alias required by the API or a user-facing account reference such as root, test-root, or the account username. The MCP resolves that reference to the concrete per-asset account ID before opening terminal sessions or creating connection tokens.
The project does not currently aim to provide file-manager or SFTP coverage.
Related MCP server: sshops
Tracked Project Docs
Upstream Reference Repositories
The repository keeps several untracked upstream JumpServer codebases under extern/ for protocol and behavior reference only. They are not runtime dependencies of this package.
extern/jumpserver: backend API, authentication, and permission-model referenceextern/koko: KoKo terminal gateway and WebSocket behavior referenceextern/luna: legacy web-terminal frontend flow reference, especially around browser-driven terminal bootstrap behaviorextern/lina: newer web UI and API usage-pattern referenceextern/client: official client-side implementation reference for adjacent access workflows
Authentication Model
The runtime intentionally uses two auth layers:
access_keyfor durable REST accessauthenticated web-session cookies for KoKo terminal access
Do not put live session secrets, cookies, or MFA values into MCP client config files. The intended flow is:
Run the CLI login command once.
Complete MFA in the terminal.
Let the tool persist auth state into the user-scoped application state directory.
Start the MCP server from Codex or Claude.
When the live JumpServer deployment enables a login captcha challenge, the CLI login command saves the captcha image under /private/tmp/ and opens it with the system image viewer before prompting for the captcha value in the terminal.
By default, persisted auth state lives under the platform-specific user application state directory:
macOS example:
~/Library/Application Support/mcp-jumpserver-gui-sucks/auth-state.json
Advanced users can override the location with:
MCP_JUMPSERVER_GUI_SUCKS_STATE_DIRMCP_JUMPSERVER_GUI_SUCKS_STATE_FILE
Install
Use the published package directly:
uvx mcp-jumpserver-gui-sucks --helpLogin Before Starting MCP
uvx mcp-jumpserver-gui-sucks login \
--base-url https://jumpserver.example.com \
--username aliceUseful verification commands:
uvx mcp-jumpserver-gui-sucks doctor
uvx mcp-jumpserver-gui-sucks refresh-session --forceThe login command persists state outside the repository. MCP client config should only describe how to find that state, not embed the secrets themselves.
MCP Configuration
The MCP server entrypoint is:
uvx mcp-jumpserver-gui-sucks serveserve defaults to stdio, which is the correct transport for Codex and Claude desktop-style MCP clients.
Recommended Agent Terminal Workflow
When a coding agent plans to work on one machine for more than one command, the recommended workflow is:
Call
jms_terminal_usage_guide.Call
jms_acquire_terminal_sessionwithasset_refandaccount_ref.Use
jms_run_terminal_commandfor short command-style work.Use
jms_send_terminal_inputplusjms_read_terminal_outputfor shell-style interaction.Call
jms_interrupt_terminal_sessionwhen a command needs to be stopped.Call
jms_close_terminal_sessionwhen the task is complete.
This keeps one KoKo shell open per target and avoids leaving many short-lived web-shell records behind in JumpServer.
Codex (~/.codex/config.toml)
This matches the mcp_servers.* structure already used in your local ~/.codex/config.toml:
[mcp_servers.mcp-jumpserver-gui-sucks]
command = "uvx"
args = ["mcp-jumpserver-gui-sucks", "serve"]
startup_timeout_sec = 60.0
tool_timeout_sec = 600.0
[mcp_servers.mcp-jumpserver-gui-sucks.env]
MCP_JUMPSERVER_GUI_SUCKS_BASE_URL = "https://jumpserver.example.com"
MCP_JUMPSERVER_GUI_SUCKS_VERIFY_TLS = "true"
MCP_JUMPSERVER_GUI_SUCKS_TERMINAL_IDLE_TIMEOUT_SECONDS = "3600"
MCP_JUMPSERVER_GUI_SUCKS_TERMINAL_REAP_INTERVAL_SECONDS = "30"
MCP_JUMPSERVER_GUI_SUCKS_MAX_TERMINAL_SESSIONS = "8"
# Optional when the default state directory is not desired.
# MCP_JUMPSERVER_GUI_SUCKS_STATE_DIR = "/Users/alice/Library/Application Support/mcp-jumpserver-gui-sucks"
# MCP_JUMPSERVER_GUI_SUCKS_STATE_FILE = "/Users/alice/Library/Application Support/mcp-jumpserver-gui-sucks/auth-state.json"
# MCP_JUMPSERVER_GUI_SUCKS_ORG_ID = "00000000-0000-0000-0000-000000000002"tool_timeout_sec is a Codex-side MCP client setting. If it is omitted, Codex falls back to its own default per-tool timeout. Increase it when the agent may need to keep a single jms_* call open for longer-running terminal work. For terminal commands, pair it with a larger total_timeout_seconds on the specific jms_run_terminal_command or jms_execute_in_terminal_session call when needed.
Claude (~/.claude.json)
This matches the mcpServers JSON shape already present in your local ~/.claude.json:
{
"mcpServers": {
"mcp-jumpserver-gui-sucks": {
"command": "uvx",
"args": ["mcp-jumpserver-gui-sucks", "serve"],
"env": {
"MCP_JUMPSERVER_GUI_SUCKS_BASE_URL": "https://jumpserver.example.com",
"MCP_JUMPSERVER_GUI_SUCKS_VERIFY_TLS": "true",
"MCP_JUMPSERVER_GUI_SUCKS_TERMINAL_IDLE_TIMEOUT_SECONDS": "3600",
"MCP_JUMPSERVER_GUI_SUCKS_TERMINAL_REAP_INTERVAL_SECONDS": "30",
"MCP_JUMPSERVER_GUI_SUCKS_MAX_TERMINAL_SESSIONS": "8"
}
}
}
}Supported Environment Variables
The current runtime reads these environment variables:
MCP_JUMPSERVER_GUI_SUCKS_BASE_URLMCP_JUMPSERVER_GUI_SUCKS_ORG_IDMCP_JUMPSERVER_GUI_SUCKS_STATE_DIRMCP_JUMPSERVER_GUI_SUCKS_STATE_FILEMCP_JUMPSERVER_GUI_SUCKS_VERIFY_TLSMCP_JUMPSERVER_GUI_SUCKS_LOG_LEVELMCP_JUMPSERVER_GUI_SUCKS_REQUEST_TIMEOUT_SECONDSMCP_JUMPSERVER_GUI_SUCKS_TERMINAL_IDLE_TIMEOUT_SECONDSMCP_JUMPSERVER_GUI_SUCKS_TERMINAL_REAP_INTERVAL_SECONDSMCP_JUMPSERVER_GUI_SUCKS_MAX_TERMINAL_SESSIONS
The recommended minimum MCP config is usually:
MCP_JUMPSERVER_GUI_SUCKS_BASE_URLoptionally
MCP_JUMPSERVER_GUI_SUCKS_STATE_DIRorMCP_JUMPSERVER_GUI_SUCKS_STATE_FILE
PyPI Release Automation
The repository now includes publish-pypi.yml.
Its behavior is intentionally:
every push to
maininspectspyproject.tomlif the package version changed and that version does not already exist on PyPI, GitHub Actions builds and publishes it
if the version did not change, the workflow skips publishing
if the version already exists on PyPI, the workflow skips publishing
workflow_dispatchcan be used to publish the current version manually when it is not yet on PyPI
The publish job uses PyPI Trusted Publishing through GitHub OIDC. Configure PyPI to trust this repository and workflow before expecting the publish step to succeed.
Recommended PyPI trusted publisher settings:
owner:
ArtiPyHeartrepository:
mcp-jumpserver-gui-sucksworkflow file:
.github/workflows/publish-pypi.ymlenvironment name:
pypi
After Trusted Publishing is configured once, later pushes to main that bump project.version in pyproject.toml will publish automatically.
Current CLI Surface
mcp-jumpserver-gui-sucks loginmcp-jumpserver-gui-sucks pathsmcp-jumpserver-gui-sucks doctormcp-jumpserver-gui-sucks refresh-sessionmcp-jumpserver-gui-sucks resolve-targetmcp-jumpserver-gui-sucks koko-probemcp-jumpserver-gui-sucks terminal-execmcp-jumpserver-gui-sucks terminal-shellmcp-jumpserver-gui-sucks save-statemcp-jumpserver-gui-sucks clear-statemcp-jumpserver-gui-sucks serve
Current MCP Tools
jms_pathsjms_statusjms_terminal_usage_guidejms_profilejms_list_nodesjms_list_assetsjms_get_assetjms_list_connect_methodsjms_get_asset_accessjms_resolve_terminal_targetjms_list_connection_tokensjms_create_connection_tokenjms_expire_connection_tokenjms_refresh_terminal_authjms_probe_koko_terminaljms_acquire_terminal_sessionjms_list_terminal_sessionsjms_send_terminal_inputjms_read_terminal_outputjms_run_terminal_commandjms_interrupt_terminal_sessionjms_resize_terminal_sessionjms_close_terminal_session
Operational Notes
Managed terminal sessions are process-local and intended to live only for the MCP server process lifetime.
jms_terminal_usage_guidereturns the preferred terminal workflow for coding agents and should be consulted at the start of terminal-heavy work.jms_acquire_terminal_sessionis the preferred high-level entrypoint for repeated work on one machine because it resolves the target and reuses an existing shell when possible.jms_run_terminal_commandis the preferred path for short command execution on an already acquiredsession_handle.jms_send_terminal_inputplusjms_read_terminal_outputare the preferred path for shell-style interaction and incremental polling.jms_interrupt_terminal_sessionis the supported way to stop a running managed-session command without throwing away the shell immediately.jms_interrupt_terminal_sessionacceptsctrl_cand the common aliasSIGINT; both normalize to the same Ctrl+C behavior.The default managed shell idle timeout is 1 hour. Override it with
MCP_JUMPSERVER_GUI_SUCKS_TERMINAL_IDLE_TIMEOUT_SECONDSif a different retention window is required.When the MCP server process exits normally, it closes all managed KoKo shells before returning.
terminal-shellis line-oriented, not a full raw TTY emulator.Terminal entrypoints preflight the cookie-backed web session before opening KoKo.
If the cookie-backed session is already invalid, terminal calls fail early with an explicit re-login requirement instead of a low-level websocket failure.
REST discovery can continue to work when the durable
access_keyremains valid, even if terminal access requires a fresh login.
This server cannot be installed
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/ArtiPyHeart/mcp-jumpserver-gui-sucks'
If you have feedback or need assistance with the MCP directory API, please join our Discord server