SSH MCP Server
Enables remote server administration via SSH, supporting command execution, SFTP file transfers, and multi-profile management. It features security safeguards like destructive command detection and audit logging to ensure safe interaction with remote Linux/Unix environments.
README
SSH MCP Server
MCP (Model Context Protocol) server for remote server administration via SSH. Supports multiple profiles, remote command execution, interactive commands (PTY), persistent shell sessions, file transfer (SFTP), destructive command detection with audit logging, and operation history with undo capabilities.
Architecture
General Overview
graph TB
Client["Claude Desktop<br/>(or any MCP client)"]
Server["SSH MCP Server"]
MCP["MCP SDK<br/>(stdio)"]
Router["Tool Router<br/>(index.ts)"]
Security["Security Module<br/>- Dangerous cmd detection<br/>- Audit logging"]
SSH["SSH Client (ssh2)"]
Exec["exec()<br/>- Commands<br/>- cat (read)"]
Interactive["exec() + PTY<br/>- Interactive commands<br/>- Auto prompt response"]
Shell["shell() + PTY<br/>- Persistent sessions<br/>- REPLs / multi-step"]
SFTP["SFTP (lazy init)<br/>- upload / download<br/>- ls / write / readdir"]
Remote["Remote Server<br/>(Linux/Unix)"]
Client -->|"stdio (JSON-RPC)"| Server
Server --- MCP
MCP --> Router
Router --> Security
Router --> SSH
SSH --- Exec
SSH --- Interactive
SSH --- Shell
SSH --- SFTP
SSH -->|"SSH (TCP :22)"| Remote
Connection and Execution Flow
flowchart TD
Start([Start]) --> ListProfiles["ssh_list_profiles<br/>View available profiles"]
ListProfiles --> Connect["ssh_connect<br/>(profile name)"]
Connect -->|Password not found| Error["Error: env var<br/>SSH_PASSWORD_NAME missing"]
Connect -->|OK| Active["Active Connection<br/>(1 profile at a time)"]
Active --> ExecBranch["ssh_exec<br/>(command)"]
Active --> InteractiveBranch["ssh_exec_interactive<br/>(command + auto-responses)"]
Active --> ShellBranch["Shell Sessions<br/>start / send / read / close"]
Active --> SFTPBranch["SFTP operations<br/>upload / download<br/>ls / read / write"]
Active --> StatusBranch["ssh_status<br/>ssh_disconnect"]
ExecBranch --> DangerCheck{"Dangerous<br/>command?<br/>(regex)"}
InteractiveBranch --> DangerCheck
DangerCheck -->|No| Execute["Execute command"]
DangerCheck -->|Yes| ConfirmCheck{"confirm:<br/>true?"}
ConfirmCheck -->|Yes| Execute
ConfirmCheck -->|No| Warning["WARNING<br/>(not executed)"]
ShellBranch -->|"send (raw:false)"| DangerCheck
ShellBranch -->|"send (raw:true)"| Execute
Execute --> Audit["audit.log"]
SFTPBranch --> Audit
Warning --> Audit
Security Flow (Dangerous Commands)
flowchart LR
Input["Command received"] --> Check["isDangerousCommand()<br/>(16 regex patterns)"]
Check -->|Safe| Exec["Execute command"]
Check -->|Dangerous| Confirm{"confirm: true?"}
Confirm -->|Yes| Exec
Confirm -->|No| Warn["WARNING returned<br/>(command NOT executed)"]
Exec --> Log["audit.log"]
Warn --> Log
subgraph Detected Patterns
P1["rm -rf /"]
P2["mkfs.*"]
P3["dd if="]
P4["reboot / shutdown / halt"]
P5["chmod 777 / chown -R"]
P6["fork bomb"]
P7["systemctl stop/disable"]
P8["killall / iptables -F"]
end
Project Structure
s01_ssh_mcp/
├── src/
│ ├── index.ts # SSHMCPServer class — tool router, SSH logic, interactive/shell handlers
│ ├── tools.ts # MCP tool definitions (17 tools, JSON schemas)
│ ├── profiles.ts # Profile loading + password injection from env
│ ├── security.ts # Dangerous command detection + AuditLogger
│ └── types.ts # Interfaces: SSHProfile, AuditEntry, PromptResponse, ShellSession, CommandRecord, ReverseInfo
├── dist/ # Compiled output (generated by tsc)
├── profiles.json # SSH server configuration
├── .env # Passwords (not versioned)
├── audit.log # Audit log (generated at runtime)
├── package.json
└── tsconfig.json
Setup
1. Server Profiles
Edit profiles.json:
{
"production": {
"host": "192.168.1.100",
"port": 22,
"username": "deploy"
},
"staging": {
"host": "192.168.1.101",
"port": 22,
"username": "deploy"
}
}
2. Passwords
Create .env (copy from .env.example):
SSH_PASSWORD_PRODUCTION=your_password
SSH_PASSWORD_STAGING=your_password
Format: SSH_PASSWORD_<PROFILE_NAME_UPPERCASE>.
3. Build and Run
npm install
npm run build
npm start
4. MCP Configuration (Claude Desktop)
Option A: Using npx (recommended)
No local installation required — just add to your Claude Desktop config (claude_desktop_config.json):
{
"mcpServers": {
"ssh": {
"command": "npx",
"args": ["-y", "s01-ssh-mcp"],
"env": {
"SSH_PASSWORD_PRODUCTION": "your_password",
"SSH_PASSWORD_STAGING": "your_password"
}
}
}
}
Option B: Local installation
{
"mcpServers": {
"ssh": {
"command": "node",
"args": ["/path/to/s01_ssh_mcp/dist/index.js"],
"env": {
"SSH_PASSWORD_PRODUCTION": "your_password",
"SSH_PASSWORD_STAGING": "your_password"
}
}
}
}
Note: You can optionally set
SSH_PROFILES_PATHinenvto point to aprofiles.jsonin a different location.
Available Tools
| Tool | Description | Requires Connection |
|---|---|---|
ssh_list_profiles |
List configured profiles (without passwords) | No |
ssh_connect |
Connect to an SSH profile | No |
ssh_disconnect |
Close the active SSH connection (closes all shell sessions) | Yes |
ssh_status |
Connection status (profile, host, uptime) | Yes |
ssh_exec |
Execute a remote command | Yes |
ssh_exec_interactive |
Execute interactive command with PTY and auto-response to prompts | Yes |
ssh_shell_start |
Start a persistent interactive shell session with PTY | Yes |
ssh_shell_send |
Send input to an active shell session | Yes |
ssh_shell_read |
Read accumulated output from a shell session buffer | Yes |
ssh_shell_close |
Close a shell session and release resources | Yes |
ssh_upload |
Upload a local file to the server (SFTP) | Yes |
ssh_download |
Download a file from the server (SFTP) | Yes |
ssh_ls |
List a remote directory (SFTP) | Yes |
ssh_read_file |
Read remote file contents | Yes |
ssh_write_file |
Write content to a remote file (SFTP) | Yes |
ssh_history |
View operation history for the active connection | Yes |
ssh_undo |
Revert a specific operation by record ID | Yes |
Tool Parameters
| Tool | Parameters | Required |
|---|---|---|
ssh_connect |
profile (string) |
Yes |
ssh_exec |
command (string), confirm (boolean) |
command |
ssh_exec_interactive |
command (string), responses[] ({prompt, answer, sensitive}), timeout (number), confirm (boolean) |
command |
ssh_shell_start |
cols (number, default: 80), rows (number, default: 24) |
No |
ssh_shell_send |
sessionId (string), input (string), raw (boolean), timeout (number), confirm (boolean) |
sessionId, input |
ssh_shell_read |
sessionId (string), timeout (number) |
sessionId |
ssh_shell_close |
sessionId (string) |
sessionId |
ssh_upload |
localPath (string), remotePath (string) |
Both |
ssh_download |
remotePath (string), localPath (string) |
Both |
ssh_ls |
path (string, default: home) |
No |
ssh_read_file |
path (string) |
Yes |
ssh_write_file |
path (string), content (string) |
Both |
ssh_history |
filter ("all" | "reversible" | "reversed"), limit (number) |
No |
ssh_undo |
recordId (number), confirm (boolean) |
recordId |
Operation History & Undo
Every operation executed during an active connection is recorded in memory. This allows reviewing what was done and reverting specific operations.
Reversibility by Operation
| Operation | Reversible | Undo Strategy |
|---|---|---|
ssh_write_file |
Yes | Restores previous content. If file didn't exist, deletes it |
ssh_upload |
Yes | Restores previous remote content. If file didn't exist, deletes it |
ssh_download |
Yes | Deletes the downloaded local file |
ssh_exec |
No | Recorded but not auto-reversible |
ssh_exec_interactive |
No | Recorded but not auto-reversible |
ssh_read_file |
N/A | Read-only, nothing to revert |
ssh_ls |
N/A | Read-only, nothing to revert |
ssh_shell_send |
N/A | Cannot revert input sent to an interactive shell |
The history is cleared on ssh_connect and ssh_disconnect.
Security
Destructive Command Detection
The following patterns are intercepted and require confirm: true to execute. This applies to ssh_exec, ssh_exec_interactive, and ssh_shell_send (when raw: false):
| Pattern | Reason |
|---|---|
rm -rf / |
Recursive rm on system root |
rm -r, rm -rf |
Mass file deletion |
mkfs.* |
Filesystem formatting |
dd if= |
Direct disk write |
reboot, shutdown, halt, poweroff |
Server state control |
init 0, init 6 |
Runlevel change |
chmod 777 / |
Insecure permissions on root |
chown -R |
Mass ownership change |
> /dev/* |
Direct device write |
:(){ :|:& };: |
Fork bomb |
systemctl stop|disable|mask |
System service shutdown |
killall |
Mass process termination |
iptables -F |
Firewall rules flush |
Audit Log
All operations are logged to audit.log with the format:
[timestamp] [profile] [tool] [parameters] [RESULT: ok|error]
Example:
[2026-03-04T10:30:00.000Z] [production] [ssh_exec] [ls -la /var/log] [RESULT: ok]
[2026-03-04T10:31:00.000Z] [production] [ssh_upload] [./app.tar.gz -> /tmp/app.tar.gz] [RESULT: ok]
Technical Details
- MCP Transport: stdio (JSON-RPC over stdin/stdout)
- SSH Connection: One active connection at a time. Attempting to connect to another profile without disconnecting raises an error.
- SFTP: Lazy initialization — created on first file operation use and reused thereafter.
- Interactive Exec: Uses
exec()withpty: truefor commands requiring interactive input. Supports auto-response to prompts via regex matching. Settle timeout (2s) detects command completion; global timeout (default 30s) prevents hangs. - Shell Sessions: Uses
shell()with PTY for persistent interactive terminals. Up to 5 concurrent sessions stored in aMap<string, ShellSession>. Auto-close after 5 minutes of inactivity. Buffer capped at 1MB. All sessions are closed onssh_disconnect. ANSI escape codes are stripped from output. - File Reading: Uses
ssh exec cat(not SFTP) for text files. - File Writing: Uses SFTP
createWriteStreamfor large file support. - Argument Escaping: Shell escaping with single quotes to prevent command injection.
- Audit Logging: Non-blocking — log write failures are silently ignored to avoid disrupting operations. Responses marked
sensitive: trueare logged as[REDACTED]. - Profile Cache:
profiles.jsonis read once and cached in memory. - Operation History: All operations are recorded in memory during the active connection. File operations (
ssh_write_file,ssh_upload) capture previous content before modifying, enabling undo. History is cleared on connect/disconnect.
License
This project is licensed under the MIT License.
Recommended Servers
playwright-mcp
A Model Context Protocol server that enables LLMs to interact with web pages through structured accessibility snapshots without requiring vision models or screenshots.
Magic Component Platform (MCP)
An AI-powered tool that generates modern UI components from natural language descriptions, integrating with popular IDEs to streamline UI development workflow.
Audiense Insights MCP Server
Enables interaction with Audiense Insights accounts via the Model Context Protocol, facilitating the extraction and analysis of marketing insights and audience data including demographics, behavior, and influencer engagement.
VeyraX MCP
Single MCP tool to connect all your favorite tools: Gmail, Calendar and 40 more.
graphlit-mcp-server
The Model Context Protocol (MCP) Server enables integration between MCP clients and the Graphlit service. Ingest anything from Slack to Gmail to podcast feeds, in addition to web crawling, into a Graphlit project - and then retrieve relevant contents from the MCP client.
Kagi MCP Server
An MCP server that integrates Kagi search capabilities with Claude AI, enabling Claude to perform real-time web searches when answering questions that require up-to-date information.
E2B
Using MCP to run code via e2b.
Neon Database
MCP server for interacting with Neon Management API and databases
Exa Search
A Model Context Protocol (MCP) server lets AI assistants like Claude use the Exa AI Search API for web searches. This setup allows AI models to get real-time web information in a safe and controlled way.
Qdrant Server
This repository is an example of how to create a MCP server for Qdrant, a vector search engine.