ssh-mcp-pro
Server Configuration
Describes the environment variables required to run the server.
| Name | Required | Description | Default |
|---|---|---|---|
| PORT | No | Compatibility alias for SSH_MCP_HTTP_PORT. | |
| SSH_MCP_DEBUG | No | Enables debug-oriented configuration behavior. | false |
| KNOWN_HOSTS_PATH | No | Compatibility alias for SSH_MCP_KNOWN_HOSTS_PATH. | |
| SSH_MCP_HTTP_HOST | No | Streamable HTTP bind host. | 127.0.0.1 |
| SSH_MCP_HTTP_PORT | No | Streamable HTTP bind port. | 3000 |
| SSH_MCP_RATE_LIMIT | No | Enables the global MCP request rate limiter. | true |
| SSH_MCP_POLICY_FILE | No | JSON file containing partial policy overrides. | |
| SSH_MCP_POLICY_MODE | No | Policy decision mode: enforce or explain. | enforce |
| SSH_MCP_SESSION_TTL | No | Session time-to-live in milliseconds. | 900000 |
| SSH_MCP_COMMAND_DENY | No | Command deny patterns. | |
| SSH_MCP_MAX_SESSIONS | No | Maximum concurrent SSH sessions. | 20 |
| SSH_MCP_OAUTH_ISSUER | No | Expected OAuth issuer. | |
| SSH_MCP_TOOL_PROFILE | No | Active tool exposure profile. | full |
| SSH_MCP_ALLOWED_HOSTS | No | Host allowlist for policy and remote connector safety checks. | |
| SSH_MCP_COMMAND_ALLOW | No | Command allow patterns. | |
| SSH_MCP_MAX_FILE_SIZE | No | Maximum bytes returned by text-focused file reads. | 10485760 |
| SSH_MCP_ALLOW_RAW_SUDO | No | Allows raw proc_sudo; prefer ensure_* tools. | false |
| SSH_MCP_HTTP_AUTH_MODE | No | HTTP auth mode: bearer or oauth. | bearer |
| SSH_MCP_OAUTH_AUDIENCE | No | Expected OAuth audience. | |
| SSH_MCP_OAUTH_JWKS_URL | No | OAuth JWKS URL. | |
| SSH_MCP_OAUTH_RESOURCE | No | OAuth protected resource identifier. | |
| SSH_MCP_RATE_LIMIT_MAX | No | Maximum requests per rate-limit window. | 100 |
| SSH_MCP_ALLOWED_CIPHERS | No | Optional SSH cipher allowlist. | |
| SSH_MCP_COMMAND_TIMEOUT | No | Default remote command timeout in milliseconds. | 30000 |
| SSH_MCP_HOST_KEY_POLICY | No | Host-key mode: strict, accept-new, or insecure. | strict |
| SSH_MCP_HTTP_PUBLIC_URL | No | Stable public HTTPS MCP URL for protected resource metadata. | |
| SSH_MCP_STRICT_HOST_KEY | No | Legacy boolean alias for strict vs insecure host-key checking. | |
| SSH_MCP_ALLOW_ROOT_LOGIN | No | Allows SSH login as root and mirrors into policy. | false |
| SSH_MCP_HTTP_TRUST_PROXY | No | Trust reverse proxy forwarded headers. | false |
| SSH_MCP_KNOWN_HOSTS_PATH | No | Known hosts file used for strict host-key verification. | ~/.ssh/known_hosts |
| STRICT_HOST_KEY_CHECKING | No | Compatibility alias for SSH_MCP_HOST_KEY_POLICY. | |
| SSH_MCP_CONNECTOR_PROFILE | No | Alias for SSH_MCP_TOOL_PROFILE. | full |
| SSH_MCP_ENABLE_LEGACY_SSE | No | Enables legacy SSE compatibility. | false |
| SSH_MCP_HTTP_MAX_SESSIONS | No | Maximum active Streamable HTTP MCP sessions. | 20 |
| SSH_MCP_MAX_STREAM_CHUNKS | No | Maximum retained streaming chunks. | 4096 |
| SSH_MCP_TUNNEL_DENY_PORTS | No | Optional tunnel port denylist. | |
| SSH_MCP_MAX_TRANSFER_BYTES | No | Maximum upload or download transfer size. | 52428800 |
| SSH_MCP_PATH_DENY_PREFIXES | No | Remote path prefixes denied by filesystem policy. | /etc/sudoers,/etc/shadow,/etc/passwd,/boot,/dev,/proc |
| SSH_MCP_TUNNEL_ALLOW_PORTS | No | Optional tunnel port allowlist. | |
| SSH_MCP_PATH_ALLOW_PREFIXES | No | Remote path prefixes allowed by filesystem policy. | /tmp,/var/tmp,/home,/Users |
| SSH_MCP_ALLOW_DESTRUCTIVE_FS | No | Allows destructive filesystem operations such as fs_rmrf. | false |
| SSH_MCP_HTTP_ALLOWED_ORIGINS | No | Browser origins allowed for HTTP clients. | http://127.0.0.1,http://localhost |
| SSH_MCP_MAX_FILE_WRITE_BYTES | No | Maximum accepted write payload before buffering. | 10485760 |
| SSH_MCP_RATE_LIMIT_WINDOW_MS | No | Rate-limit window in milliseconds. | 60000 |
| SSH_MCP_OAUTH_REQUIRED_SCOPES | No | Required OAuth scopes. | ssh-mcp-pro.read |
| SSH_MCP_HTTP_BEARER_TOKEN_FILE | No | Bearer token file for HTTP transport. Required for non-loopback bearer deployments. | |
| SSH_MCP_RATE_LIMIT_PER_SESSION | No | Enables per-session MCP request rate limiting when tool arguments include sessionId. | true |
| SSH_MCP_TUNNEL_DENY_BIND_HOSTS | No | Local bind hosts denied for tunnels. | 0.0.0.0,:: |
| SSH_MCP_TUNNEL_ALLOW_BIND_HOSTS | No | Local bind hosts allowed for tunnels. | 127.0.0.1,localhost,::1 |
| SSH_MCP_HTTP_SESSION_IDLE_TTL_MS | No | HTTP MCP session idle timeout in milliseconds. | 900000 |
| SSH_MCP_LOCAL_PATH_DENY_PREFIXES | No | Local paths denied for transfer operations. | |
| SSH_MCP_MAX_COMMAND_OUTPUT_BYTES | No | Maximum buffered stdout/stderr bytes per command result. | 1048576 |
| SSH_MCP_OAUTH_ALLOWED_ALGORITHMS | No | Optional comma-separated JWT algorithm allowlist. | |
| SSH_MCP_TUNNEL_DENY_REMOTE_HOSTS | No | Optional remote tunnel target host denylist. | |
| SSH_MCP_LOCAL_PATH_ALLOW_PREFIXES | No | Local paths allowed for transfer operations. | OS temp directory |
| SSH_MCP_TUNNEL_ALLOW_REMOTE_HOSTS | No | Optional remote tunnel target host allowlist. | |
| SSH_MCP_ALLOW_DESTRUCTIVE_COMMANDS | No | Allows commands matching destructive command policy. | false |
| SSH_MCP_CONNECTOR_DEFAULT_USERNAME | No | Default username for connector broker flows. | |
| SSH_MCP_RATE_LIMIT_PER_SESSION_MAX | No | Maximum requests per SSH session per rate-limit window. | 50 |
| SSH_MCP_HTTP_MAX_REQUEST_BODY_BYTES | No | Maximum HTTP request body size. | 1048576 |
| SSH_MCP_CONNECTOR_CREDENTIAL_COMMAND | No | External credential command when provider is command. | |
| SSH_MCP_REMOTE_AGENT_MCP_PASSTHROUGH | No | When enabled with 1, true, yes, or on, lets /mcp requests bypass the remote control plane. | |
| SSH_MCP_CONNECTOR_CREDENTIAL_PROVIDER | No | Credential provider: none, agent, or command. | none |
| SSH_MCP_RATE_LIMIT_PER_SESSION_WINDOW_MS | No | Per-session rate-limit window in milliseconds. | 60000 |
| SSH_MCP_CONNECTOR_CREDENTIAL_COMMAND_ARGS | No | Arguments passed to the external credential command. | |
| SSH_MCP_CONNECTOR_CREDENTIAL_COMMAND_TIMEOUT_MS | No | Credential command timeout in milliseconds. | 5000 |
Capabilities
Features and capabilities supported by this server
| Capability | Details |
|---|---|
| tools | {} |
| prompts | {} |
| resources | {} |
Tools
Functions exposed to the LLM to take actions
| Name | Description |
|---|---|
| connector_status | Use this when ChatGPT or Claude needs to understand the remote connector profile, authentication mode, and credential broker readiness without exposing secrets. |
| ssh_hosts_list | Use this when ChatGPT or Claude needs a safe list of SSH host aliases that may be inspected through the remote connector. Sensitive login material is omitted. |
| ssh_policy_explain | Use this when ChatGPT or Claude needs to explain whether a requested SSH inspection or mutation would be allowed. This is explain-only and does not execute commands or open tunnels. |
| ssh_host_inspect | Use this when ChatGPT or Claude needs read-only host inspection through the server-side credential broker. The user supplies only a configured host alias and selected checks; no secret material or login details are accepted. |
| ssh_mutation_plan | Use this when ChatGPT or Claude needs a non-executing plan for a remote SSH change. It never runs commands, writes files, uploads data, starts tunnels, or escalates privileges. |
| ssh_open_session | Opens a new SSH session with authentication |
| ssh_close_session | Closes an SSH session |
| ssh_list_sessions | Lists all active SSH sessions with their details |
| ssh_ping | Checks if an SSH session is still alive and responsive |
| ssh_list_configured_hosts | Lists all hosts configured in ~/.ssh/config |
| ssh_resolve_host | Resolves a host alias from ~/.ssh/config to connection parameters |
| proc_exec | Executes a non-interactive command on the remote system after policy and safety checks |
| proc_sudo | Executes a command with sudo privileges only when allowRawSudo policy permits it |
| proc_list | Lists running processes on the remote system sorted by CPU usage |
| proc_kill | Sends a signal to a running process by PID |
| proc_exec_stream | Executes a command and returns streaming output chunks |
| fs_read | Reads a file from the remote system |
| fs_write | Writes data to a file on the remote system |
| fs_stat | Gets file or directory statistics |
| fs_list | Lists directory contents |
| fs_mkdirp | Creates directories recursively |
| fs_rmrf | Removes files or directories recursively |
| fs_rename | Renames or moves a file/directory |
| ensure_package | Ensures a package is installed or removed |
| ensure_service | Ensures a service is in the desired state |
| ensure_lines_in_file | Ensures specific lines are present or absent in a file |
| patch_apply | Applies a patch to a file |
| os_detect | Detects operating system and environment information |
| get_metrics | Returns server metrics including session counts, command statistics, and uptime |
| service_list | Lists all systemd services and their current state |
| service_status | Gets the status of a systemd service |
| service_logs | Reads recent journal logs for a systemd service |
| service_restart | Restarts a systemd service |
| service_stop | Stops a systemd service |
| disk_usage | Reports disk usage for filesystems on the remote system |
| memory_info | Reports memory usage on the remote system |
| cpu_usage | Reports CPU load average and uptime on the remote system |
| net_interfaces | Lists network interfaces and their IP addresses on the remote system |
| port_check | Checks which processes are listening on a specific port |
| log_tail | Tails the end of a log file or reads recent journal entries for a service |
| file_upload | Uploads a local file to the remote host over SFTP |
| file_download | Downloads a remote file to the local machine over SFTP |
| tunnel_local_forward | Creates a local SSH port forward |
| tunnel_remote_forward | Creates a remote SSH port forward |
| tunnel_close | Closes an active tunnel |
| tunnel_list | Lists active tunnels, optionally filtered by session |
Prompts
Interactive templates invoked by user choice
| Name | Description |
|---|---|
| safe-connect | Open an SSH session using strict host-key verification and explain the safety posture. |
| inspect-host-capabilities | Detect OS, package manager, init system, SFTP availability, and active policy. |
| plan-mutation | Use explain mode and policy resources to summarize a risky remote change first. |
| managed-config-change | Read a config, produce a minimal patch, dry-run it, and apply only if policy allows it. |
Resources
Contextual data attached and managed by the client
| Name | Description |
|---|---|
| Active SSH sessions | Current in-memory SSH sessions tracked by the session manager |
| Metrics snapshot | Current runtime metrics in JSON format |
| Prometheus metrics | Prometheus-formatted metrics export |
| Configured SSH hosts | Parsed host aliases from the local ~/.ssh/config cache |
| Effective safety policy | Current command, path, host, and privilege policy after env/file overrides |
| Recent audit events | Recent policy and high-risk operation audit events |
| Support matrix | Supported and experimental host capabilities for this server |
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/oaslananka/ssh-mcp-pro'