s01-ssh-mcp
v0.3.1
Published
MCP Server for SSH remote server administration
Maintainers
d3v1anReadme
SSH MCP Server
MCP (Model Context Protocol) server for remote server administration via SSH. Supports multiple profiles, remote command execution, interactive commands (PTY), persistent shell sessions, file transfer (SFTP), destructive command detection with audit logging, and operation history with undo capabilities.
Architecture
General Overview
graph TB
Client["Claude Desktop<br/>(or any MCP client)"]
Server["SSH MCP Server"]
MCP["MCP SDK<br/>(stdio)"]
Router["Tool Router<br/>(index.ts)"]
Security["Security Module<br/>- Dangerous cmd detection<br/>- Audit logging"]
SSH["SSH Client (ssh2)"]
Exec["exec()<br/>- Commands<br/>- cat (read)"]
Interactive["exec() + PTY<br/>- Interactive commands<br/>- Auto prompt response"]
Shell["shell() + PTY<br/>- Persistent sessions<br/>- REPLs / multi-step"]
SFTP["SFTP (lazy init)<br/>- upload / download<br/>- ls / write / readdir"]
Remote["Remote Server<br/>(Linux/Unix)"]
Client -->|"stdio (JSON-RPC)"| Server
Server --- MCP
MCP --> Router
Router --> Security
Router --> SSH
SSH --- Exec
SSH --- Interactive
SSH --- Shell
SSH --- SFTP
SSH -->|"SSH (TCP :22)"| RemoteConnection and Execution Flow
flowchart TD
Start([Start]) --> ListProfiles["ssh_list_profiles<br/>View available profiles"]
ListProfiles --> Connect["ssh_connect<br/>(profile name)"]
Connect -->|Password not found| Error["Error: env var<br/>SSH_PASSWORD_NAME missing"]
Connect -->|OK| Active["Active Connection<br/>(1 profile at a time)"]
Active --> ExecBranch["ssh_exec<br/>(command)"]
Active --> InteractiveBranch["ssh_exec_interactive<br/>(command + auto-responses)"]
Active --> ShellBranch["Shell Sessions<br/>start / send / read / close"]
Active --> SFTPBranch["SFTP operations<br/>upload / download<br/>ls / read / write"]
Active --> StatusBranch["ssh_status<br/>ssh_disconnect"]
ExecBranch --> DangerCheck{"Dangerous<br/>command?<br/>(regex)"}
InteractiveBranch --> DangerCheck
DangerCheck -->|No| Execute["Execute command"]
DangerCheck -->|Yes| ConfirmCheck{"confirm:<br/>true?"}
ConfirmCheck -->|Yes| Execute
ConfirmCheck -->|No| Warning["WARNING<br/>(not executed)"]
ShellBranch -->|"send (raw:false)"| DangerCheck
ShellBranch -->|"send (raw:true)"| Execute
Execute --> Audit["audit.log"]
SFTPBranch --> Audit
Warning --> AuditSecurity Flow (Dangerous Commands)
flowchart LR
Input["Command received"] --> Check["isDangerousCommand()<br/>(16 regex patterns)"]
Check -->|Safe| Exec["Execute command"]
Check -->|Dangerous| Confirm{"confirm: true?"}
Confirm -->|Yes| Exec
Confirm -->|No| Warn["WARNING returned<br/>(command NOT executed)"]
Exec --> Log["audit.log"]
Warn --> Log
subgraph Detected Patterns
P1["rm -rf /"]
P2["mkfs.*"]
P3["dd if="]
P4["reboot / shutdown / halt"]
P5["chmod 777 / chown -R"]
P6["fork bomb"]
P7["systemctl stop/disable"]
P8["killall / iptables -F"]
endProject Structure
s01_ssh_mcp/
├── src/
│ ├── index.ts # SSHMCPServer class — tool router, SSH logic, interactive/shell handlers
│ ├── tools.ts # MCP tool definitions (17 tools, JSON schemas)
│ ├── profiles.ts # Profile loading + password injection from env
│ ├── security.ts # Dangerous command detection + AuditLogger
│ └── types.ts # Interfaces: SSHProfile, AuditEntry, PromptResponse, ShellSession, CommandRecord, ReverseInfo
├── dist/ # Compiled output (generated by tsc)
├── profiles.json # SSH server configuration
├── .env # Passwords (not versioned)
├── audit.log # Audit log (generated at runtime)
├── package.json
└── tsconfig.jsonSetup
1. Server Profiles
Edit profiles.json:
{
"production": {
"host": "192.168.1.100",
"port": 22,
"username": "deploy"
},
"staging": {
"host": "192.168.1.101",
"port": 22,
"username": "deploy"
}
}2. Passwords
Create .env (copy from .env.example):
SSH_PASSWORD_PRODUCTION=your_password
SSH_PASSWORD_STAGING=your_passwordFormat: SSH_PASSWORD_<PROFILE_NAME_UPPERCASE>.
3. Build and Run
npm install
npm run build
npm start4. MCP Configuration (Claude Desktop)
Add to your Claude Desktop config (claude_desktop_config.json):
{
"mcpServers": {
"ssh": {
"command": "node",
"args": ["/path/to/s01_ssh_mcp/dist/index.js"],
"env": {
"SSH_PASSWORD_PRODUCTION": "your_password",
"SSH_PASSWORD_STAGING": "your_password"
}
}
}
}Note: You can optionally set
SSH_PROFILES_PATHinenvto point to aprofiles.jsonin a different location.
Available Tools
| Tool | Description | Requires Connection |
| ---- | ----------- | :-----------------: |
| ssh_list_profiles | List configured profiles (without passwords) | No |
| ssh_connect | Connect to an SSH profile | No |
| ssh_disconnect | Close the active SSH connection (closes all shell sessions) | Yes |
| ssh_status | Connection status (profile, host, uptime) | Yes |
| ssh_exec | Execute a remote command | Yes |
| ssh_exec_interactive | Execute interactive command with PTY and auto-response to prompts | Yes |
| ssh_shell_start | Start a persistent interactive shell session with PTY | Yes |
| ssh_shell_send | Send input to an active shell session | Yes |
| ssh_shell_read | Read accumulated output from a shell session buffer | Yes |
| ssh_shell_close | Close a shell session and release resources | Yes |
| ssh_upload | Upload a local file to the server (SFTP) | Yes |
| ssh_download | Download a file from the server (SFTP) | Yes |
| ssh_ls | List a remote directory (SFTP) | Yes |
| ssh_read_file | Read remote file contents | Yes |
| ssh_write_file | Write content to a remote file (SFTP) | Yes |
| ssh_history | View operation history for the active connection | Yes |
| ssh_undo | Revert a specific operation by record ID | Yes |
Tool Parameters
| Tool | Parameters | Required |
| ---- | ---------- | :------: |
| ssh_connect | profile (string) | Yes |
| ssh_exec | command (string), confirm (boolean) | command |
| ssh_exec_interactive | command (string), responses[] ({prompt, answer, sensitive}), timeout (number), confirm (boolean) | command |
| ssh_shell_start | cols (number, default: 80), rows (number, default: 24) | No |
| ssh_shell_send | sessionId (string), input (string), raw (boolean), timeout (number), confirm (boolean) | sessionId, input |
| ssh_shell_read | sessionId (string), timeout (number) | sessionId |
| ssh_shell_close | sessionId (string) | sessionId |
| ssh_upload | localPath (string), remotePath (string) | Both |
| ssh_download | remotePath (string), localPath (string) | Both |
| ssh_ls | path (string, default: home) | No |
| ssh_read_file | path (string) | Yes |
| ssh_write_file | path (string), content (string) | Both |
| ssh_history | filter ("all" | "reversible" | "reversed"), limit (number) | No |
| ssh_undo | recordId (number), confirm (boolean) | recordId |
Operation History & Undo
Every operation executed during an active connection is recorded in memory. This allows reviewing what was done and reverting specific operations.
Reversibility by Operation
| Operation | Reversible | Undo Strategy |
|-----------|:----------:|---------------|
| ssh_write_file | Yes | Restores previous content. If file didn't exist, deletes it |
| ssh_upload | Yes | Restores previous remote content. If file didn't exist, deletes it |
| ssh_download | Yes | Deletes the downloaded local file |
| ssh_exec | No | Recorded but not auto-reversible |
| ssh_exec_interactive | No | Recorded but not auto-reversible |
| ssh_read_file | N/A | Read-only, nothing to revert |
| ssh_ls | N/A | Read-only, nothing to revert |
| ssh_shell_send | N/A | Cannot revert input sent to an interactive shell |
The history is cleared on ssh_connect and ssh_disconnect.
Security
Destructive Command Detection
The following patterns are intercepted and require confirm: true to execute. This applies to ssh_exec, ssh_exec_interactive, and ssh_shell_send (when raw: false):
| Pattern | Reason |
| ------- | ------ |
| rm -rf / | Recursive rm on system root |
| rm -r, rm -rf | Mass file deletion |
| mkfs.* | Filesystem formatting |
| dd if= | Direct disk write |
| reboot, shutdown, halt, poweroff | Server state control |
| init 0, init 6 | Runlevel change |
| chmod 777 / | Insecure permissions on root |
| chown -R | Mass ownership change |
| > /dev/* | Direct device write |
| :(){ :\|:& };: | Fork bomb |
| systemctl stop\|disable\|mask | System service shutdown |
| killall | Mass process termination |
| iptables -F | Firewall rules flush |
Audit Log
All operations are logged to audit.log with the format:
[timestamp] [profile] [tool] [parameters] [RESULT: ok|error]Example:
[2026-03-04T10:30:00.000Z] [production] [ssh_exec] [ls -la /var/log] [RESULT: ok]
[2026-03-04T10:31:00.000Z] [production] [ssh_upload] [./app.tar.gz -> /tmp/app.tar.gz] [RESULT: ok]Technical Details
- MCP Transport: stdio (JSON-RPC over stdin/stdout)
- SSH Connection: One active connection at a time. Attempting to connect to another profile without disconnecting raises an error.
- SFTP: Lazy initialization — created on first file operation use and reused thereafter.
- Interactive Exec: Uses
exec()withpty: truefor commands requiring interactive input. Supports auto-response to prompts via regex matching. Settle timeout (2s) detects command completion; global timeout (default 30s) prevents hangs. - Shell Sessions: Uses
shell()with PTY for persistent interactive terminals. Up to 5 concurrent sessions stored in aMap<string, ShellSession>. Auto-close after 5 minutes of inactivity. Buffer capped at 1MB. All sessions are closed onssh_disconnect. ANSI escape codes are stripped from output. - File Reading: Uses
ssh exec cat(not SFTP) for text files. - File Writing: Uses SFTP
createWriteStreamfor large file support. - Argument Escaping: Shell escaping with single quotes to prevent command injection.
- Audit Logging: Non-blocking — log write failures are silently ignored to avoid disrupting operations. Responses marked
sensitive: trueare logged as[REDACTED]. - Profile Cache:
profiles.jsonis read once and cached in memory. - Operation History: All operations are recorded in memory during the active connection. File operations (
ssh_write_file,ssh_upload) capture previous content before modifying, enabling undo. History is cleared on connect/disconnect.
License
This project is licensed under the MIT License.