mcp-ssh-tool
The mcp-ssh-tool server enables autonomous SSH-based remote system management through natural language commands via MCP clients (e.g., GitHub Copilot, VS Code).
SSH Session Management
Open, close, list, and ping SSH sessions
Authenticate via password, SSH key (inline, path, or auto-discovery), or SSH agent
List and resolve hosts/aliases from
~/.ssh/configConnection pooling with TTL and LRU eviction
Command Execution
Run arbitrary commands (
proc_exec) with optional working directory, environment variables, and timeoutExecute commands with sudo privileges (
proc_sudo)
File System Operations (via SFTP or shell fallback)
Read, write, stat, list, create directories, remove, and rename/move files and directories
Configuration & Automation
Ensure packages are installed or removed (
ensure_package)Ensure services are started, stopped, restarted, enabled, or disabled (
ensure_service)Add or remove specific lines in config files (
ensure_lines_in_file)Apply unified diff patches to remote files (
patch_apply)
System Information & Metrics
Detect OS, distro, package manager, init system, and shell (
os_detect)Retrieve server metrics in JSON or Prometheus format
Additional Highlights
Automatic fallback to shell-based file ops for BusyBox/Dropbear (embedded) systems without SFTP
Sensitive data redaction in logs and configurable host key verification
Supports Linux, macOS, and Windows targets
Enables natural language SSH automation within GitHub Copilot, allowing for autonomous file operations and command execution on remote servers.
Supports the remote installation and management of the htop system monitoring tool via automated package management commands.
Provides comprehensive management of Linux-based systems, including process execution with sudo privileges, service control, and file system operations.
Facilitates SSH connectivity and remote command execution on macOS environments using POSIX shell wrappers.
Allows for the remote management of NGINX web servers, including configuration file editing and service state control.
Enables automated package management and system administration specifically tailored for Ubuntu server environments.
mcp-ssh-tool
Production-grade MCP SSH automation for operators, developers, and AI clients. mcp-ssh-tool opens persistent SSH sessions and exposes safe, structured tools for command execution, file operations, transfers, tunnels, package/service management, metrics, resources, and guided prompts.
v2 is secure by default: strict host-key verification is on, root login is off, raw sudo is policy-gated, destructive commands and filesystem mutations are denied unless policy allows them, and remote HTTP starts on loopback only unless bearer auth and allowed origins are configured.
Why This Server
Trust: central policy engine, structured audit events, redacted logs, strict host keys, and machine-readable errors.
MCP quality: stdio for local clients, Streamable HTTP for remote clients, legacy SSE only behind an explicit compatibility flag.
AI-friendly tools: stable output schemas,
structuredContent, annotations for read-only/destructive/idempotent behavior, resources, and curated prompts.Operations: session TTL/eviction, command timeouts, transfer checksum verification, real SSH forwarding, Prometheus metrics, and OpenTelemetry hooks.
Portability: SFTP first, POSIX/BusyBox-aware shell fallbacks for basic file operations, and explicit support boundaries.
Quick Start
Run without installing:
pnpm dlx mcp-ssh-tool --versionOr install globally:
pnpm add --global mcp-ssh-toolAdd a stdio MCP server to your client:
{
"servers": {
"ssh-mcp": {
"type": "stdio",
"command": "mcp-ssh-tool",
"args": []
}
}
}Use it from your MCP client:
Open a safe SSH session to prod-1 as deploy, inspect host capabilities, then show disk usage.Requirements
Node.js
22.22.2+or24.15.0+(LTS only)SSH access to target hosts
A populated
known_hostsfile for strict host verification, or an explicit per-session host-key policy
Transports
Mode | Command | Use When |
stdio |
| Local desktop clients such as ChatGPT, Claude Desktop, VS Code, Cursor, or Codex. |
Streamable HTTP |
| Remote MCP clients, reverse proxies, or Inspector sessions. |
legacy SSE |
| Temporary v1 compatibility only. Prefer Streamable HTTP. |
Non-loopback HTTP startup is refused unless --bearer-token-file, allowed origins, and SSH_MCP_HTTP_PUBLIC_URL are configured.
No-Custody Remote Agent Mode
For public ChatGPT connector deployments, enable the remote-agent control plane instead of asking users for SSH credentials:
SSHAUTOMATOR_REMOTE_AGENT_CONTROL_PLANE=true \
PUBLIC_BASE_URL=https://sshautomator.example.com \
MCP_RESOURCE_URL=https://sshautomator.example.com/mcp \
mcp-ssh-tool http --host 0.0.0.0 --port 3000Remote mode adds OAuth/DCR endpoints, a protected /mcp endpoint, agent enrollment APIs, and outbound WebSocket agent connections. ChatGPT receives OAuth-scoped MCP access. The platform stores identity, policy, audit records, OAuth metadata, hashed one-time tokens, and agent public keys; it does not store user SSH private keys, SSH passwords, root passwords, or cloud login credentials.
Enroll an agent on the user's own host:
npx --yes --package mcp-ssh-tool@latest mcp-ssh-agent enroll --server https://sshautomator.example.com --token <one-time-token> --alias prod-1
npx --yes --package mcp-ssh-tool@latest mcp-ssh-agent runThe agent verifies signed control-plane action envelopes, enforces local policy, executes bounded actions, signs results, and returns them over the outbound connection. See docs/ARCHITECTURE.md, docs/CHATGPT_CONNECTOR.md, and docs/AGENT_INSTALL.md.
Secure Defaults
Area | v2 Default |
Host keys |
|
Root SSH login | denied |
Raw | denied unless |
Destructive commands | denied unless |
Destructive fs operations | allowed only under policy prefixes, denied elsewhere |
Local transfer paths |
|
HTTP bind |
|
Legacy SSE | disabled |
File reads | size-limited by |
Command output | bounded by |
Transfers | bounded by |
Per-session policyMode: "explain" returns a plan/verdict without executing. Use it before mutations when an AI client needs to summarize risk.
Policy Example
Set SSH_MCP_POLICY_FILE=/etc/mcp-ssh-tool/policy.json:
{
"mode": "enforce",
"allowRootLogin": false,
"allowRawSudo": false,
"allowDestructiveCommands": false,
"allowDestructiveFs": false,
"allowedHosts": ["^prod-[0-9]+\\.example\\.com$"],
"commandAllow": ["^(uname|df|uptime|systemctl status)\\b"],
"commandDeny": ["rm\\s+-rf\\s+/", "shutdown", "reboot"],
"pathAllowPrefixes": ["/tmp", "/var/tmp", "/home/deploy"],
"pathDenyPrefixes": ["/etc/shadow", "/etc/sudoers", "/boot", "/dev", "/proc"],
"localPathAllowPrefixes": ["/var/tmp/mcp-ssh-tool"],
"localPathDenyPrefixes": []
}Simple deploys can use environment overrides such as SSH_MCP_ALLOW_RAW_SUDO=true, SSH_MCP_ALLOWED_HOSTS=prod-1.example.com, SSH_MCP_PATH_ALLOW_PREFIXES=/tmp,/home/deploy, or SSH_MCP_LOCAL_PATH_ALLOW_PREFIXES=/var/tmp/mcp-ssh-tool.
Core Tools
ssh_open_session,ssh_close_session,ssh_list_sessions,ssh_ping,ssh_list_configured_hosts,ssh_resolve_hostproc_exec,proc_sudo,proc_exec_streamfs_read,fs_write,fs_list,fs_stat,fs_mkdirp,fs_rmrf,fs_renamefile_upload,file_downloadensure_package,ensure_service,ensure_lines_in_file,patch_applyos_detect,get_metricstunnel_local_forward,tunnel_remote_forward,tunnel_list,tunnel_close
All tools return text plus stable structuredContent. Tool metadata includes titles, output schemas, and annotations that disclose read-only, destructive, idempotent, and external side-effect behavior.
Resources And Prompts
Resources:
mcp-ssh-tool://sessions/activemcp-ssh-tool://metrics/jsonmcp-ssh-tool://metrics/prometheusmcp-ssh-tool://ssh-config/hostsmcp-ssh-tool://policy/effectivemcp-ssh-tool://audit/recentmcp-ssh-tool://capabilities/support-matrix
Prompts:
safe-connectinspect-host-capabilitiesplan-mutationmanaged-config-change
Support Matrix
Target | Status |
Linux | Full support. |
macOS/BSD | Session, process, fs, and transfer supported; package/service helpers only where tested. |
BusyBox/dropbear | Experimental for session, process, and basic fs fallbacks. |
Windows SSH targets | Experimental for session, process, fs, and transfer; no |
Client Examples
ChatGPT or Claude Desktop:
{
"mcpServers": {
"ssh-mcp": {
"command": "pnpm",
"args": ["dlx", "mcp-ssh-tool"]
}
}
}VS Code or Cursor:
{
"servers": {
"ssh-mcp": {
"type": "stdio",
"command": "mcp-ssh-tool"
}
}
}MCP Inspector over HTTP:
printf '%s' 'super-secret-token' > .mcp-token
mcp-ssh-tool --transport=http --host 127.0.0.1 --port 3000 --bearer-token-file .mcp-tokenConfiguration
High-value environment variables:
Variable | Default | Purpose |
| unset | Canonical JSON policy source. |
|
|
|
|
| Known-hosts file for strict verification. |
|
| Max bytes for |
|
| Max text payload bytes accepted by |
|
| Max retained stdout/stderr bytes per command or stream. |
|
| Max retained streaming chunks before truncation metadata is returned. |
|
| Max bytes for |
|
| Default command timeout. |
|
| Streamable HTTP bind host. |
|
| Streamable HTTP port. |
|
| Max JSON request bytes accepted by Streamable HTTP. |
|
| Max concurrent Streamable HTTP/SSE MCP sessions. |
|
| Idle TTL before abandoned HTTP sessions are closed. |
| unset | Required for non-loopback HTTP to publish stable protected-resource metadata. |
|
| Trust |
| OS temp directory | Local transfer allow-list for |
|
| Tunnel bind-host allow-list. |
|
| Tunnel bind-host deny-list. |
| unset | Optional tunnel destination host allow-list. |
| unset | Tunnel destination host deny-list. |
| unset | Optional tunnel port allow-list, including ranges such as |
| unset | Tunnel port deny-list. |
| unset | Required for non-loopback HTTP. |
| loopback origins | Comma-separated allowed origins. |
Deprecated aliases STRICT_HOST_KEY_CHECKING and SSH_MCP_STRICT_HOST_KEY are still accepted for one v2 compatibility cycle. Prefer SSH_MCP_HOST_KEY_POLICY.
Development
Use the exact local runtime from .nvmrc / .node-version, then run:
pnpm install --frozen-lockfile
pnpm run checkLive SSH suites are opt-in:
RUN_SSH_INTEGRATION=1 pnpm run test:integration
RUN_SSH_E2E=1 pnpm run test:e2eLocal quality gates are layered:
pre-commit: formats staged files and lints staged TypeScript onlypre-push: runspnpm run check:pushtask hooks: runs tracked pnpm hooks plus.pre-commit-config.yamlhooks whenpre-commitis installedmanual/full parity:
task ciorpnpm run check
CI/CD Ownership
The personal repository https://github.com/oaslananka/mcp-ssh-tool is the source repository. The organization repository https://github.com/oaslananka-lab/mcp-ssh-tool is the GitHub Actions, CI/CD, release, security, and provenance boundary.
Automatic CI/CD, supply-chain security checks, trusted npm publishing, MCP Registry publishing, GitHub Releases, Docker image validation, SBOMs, attestations, and release decisions run only from the org repository. Personal-repo Actions are intentionally not required gates.
The two repositories must stay content-identical for main, release tags, releases, labels, milestones, and active collaboration state. Org release-generated refs are backfilled to the personal source repository.
The npm package repository.url intentionally points at the org automation repository so npm provenance can verify that the published artifact came from the same GitHub Actions repository that built it. The MCP Registry server name remains io.github.oaslananka/mcp-ssh-tool because it is already published and changing it would break existing users.
See docs/ci-cd-topology.md for mirror, release, dry-run, and manual fallback guidance.
Documentation
License
MIT License. See LICENSE.
Maintenance
Latest Blog Posts
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/oaslananka/mcp-ssh-tool'
If you have feedback or need assistance with the MCP directory API, please join our Discord server