Ssh Shell MCP
A Python MCP server providing 57+ SSH tools for remote shell operations, fleet orchestration, tunneling, and file management, built with AsyncSSH and FastMCP.
ssh-shell-mcp
AI-native SSH orchestration for security engineers, DevSecOps, and sysadmins.
57+ MCP tools. Async. Audited. Built on AsyncSSH + FastMCP.
What it does
ssh-shell-mcp turns any SSH-accessible host into a fully agentic target. Connect Claude (or any MCP-compatible AI agent) to your infrastructure, then let the agent execute commands, triage incidents, orchestrate fleets, manage tunnels, and audit operations, all over SSH, with no credentials in prompts and a full audit trail.
```
+-------------+    MCP (stdio/HTTP)    +------------------+
|  Claude /   | ---------------------> |  ssh-shell-mcp   |
|  AI Agent   |                        |  (this server)   |
+-------------+                        +--------+---------+
                                                | AsyncSSH
                                    +-----------+-----------+
                                  web01       db01       jump01
```
Why ssh-shell-mcp?
| Feature | ssh-shell-mcp | Ansible | Fabric | Paramiko |
|---|---|---|---|---|
| AI agent / MCP native | β | β | β | β |
| Async connection pool | β | β | β | β |
| Built-in audit log | β | partial | β | β |
| Security policy gate | β | β | β | β |
| Persistent shell sessions | β | β | β | β |
| Live SOCKS5 / tunnel mgmt | β | β | β | β |
| Zero-dependency config | β | β | β | β |
| Fleet health checks | β | β | β | β |
Use Cases
🔵 Blue Team / Incident Response
- Ask Claude to ssh_journalctl across all production hosts for a suspicious PID, then ssh_kill it
- Run ssh_health_check_fleet to instantly see which hosts went dark after an incident
- Use ssh_operation_history + ssh_audit_stats to reconstruct what an agent did during triage
- ssh_playbook_on_group to push a hardened sshd_config to the entire linux host group

🔴 Red Team / Authorized Testing (own systems only)
- ssh_socks_proxy through a jump host for proxychains-style traffic routing
- ssh_port_forward to expose internal services for enumeration during authorized assessments
- ssh_reverse_tunnel to create C2-style callbacks on lab environments
- ssh_tmux_send to drive interactive sessions from an AI agent

⚙️ DevSecOps / Fleet Automation
- Rolling deployments with ssh_rolling: zero-downtime, stop-on-failure
- Push secrets via ssh_run_with_env, never in command strings
- ssh_sync config directories, then ssh_playbook to restart affected services
- Group hosts by tags (e.g. web, database, staging) and broadcast commands to each tier
Quickstart
```bash
git clone https://github.com/jaguar999paw-droid/ssh-shell-mcp.git
cd ssh-shell-mcp
python3 -m venv .venv && source .venv/bin/activate
pip install -r requirements.txt
cp config.example.json config.json # fill in your hosts
python server.py --transport stdio
```
Add to claude_desktop_config.json:
```json
{
  "mcpServers": {
    "ssh-shell": {
      "command": "/path/to/ssh-shell-mcp/.venv/bin/python",
      "args": ["server.py", "--transport", "stdio"],
      "env": {
        "SSH_HOSTS_YAML": "/path/to/ssh-shell-mcp/config/hosts.yaml"
      }
    }
  }
}
```
Tool Categories (57 tools)
| # | Category | Tools |
|---|---|---|
| 1 | Shell execution | ssh_run, ssh_run_batch, ssh_run_script, ssh_run_with_env, ssh_exec_retry |
| 2 | Persistent sessions | ssh_create_session, ssh_session_exec, ssh_session_read_buffer, ssh_close_session, ssh_session_list, ssh_session_set_env |
| 3 | File management | ssh_upload, ssh_download, ssh_ls, ssh_cat, ssh_write, ssh_rm, ssh_sync |
| 4 | Process management | ssh_ps, ssh_kill, ssh_start, ssh_background, ssh_monitor |
| 5 | System inspection | ssh_info, ssh_df, ssh_free, ssh_netstat, ssh_service, ssh_journalctl, ssh_docker |
| 6 | Fleet orchestration | ssh_parallel, ssh_rolling, ssh_group_exec, ssh_broadcast_batch, ssh_playbook, ssh_playbook_on_group |
| 7 | Tunnels & proxies | ssh_port_forward, ssh_reverse_tunnel, ssh_socks_proxy, ssh_close_tunnel, ssh_active_tunnels |
| 8 | Security controls | ssh_check_command, ssh_check_host_access, ssh_security_status |
| 9 | Host registry | ssh_register_host, ssh_list_hosts, ssh_remove_host, ssh_connection_status |
| 10 | Health & observability | ssh_ping_host, ssh_health_check_fleet, ssh_full_status, ssh_operation_history, ssh_audit_stats |
| 11 | tmux | ssh_tmux_new, ssh_tmux_send, ssh_tmux_list, ssh_tmux_kill |
Configuration
config/hosts.yaml registers your SSH targets:
```yaml
hosts:
  web01:
    host: 192.168.1.100
    port: 22
    user: deploy
    key: ~/.ssh/id_ed25519
    tags: [web, production]
  db01:
    host: 192.168.1.200
    port: 22
    user: deploy
    key: ~/.ssh/id_ed25519
    tags: [database, production]
```
config/policies.yaml defines the security policy (host allowlist + command blocklist):
```yaml
policies:
  host_allowlist: []   # empty = all registered hosts permitted
  command_blocklist:
    - "rm -rf /"
    - "rm -rf /*"
    - "mkfs*"
    - ":(){:|:&};:"    # fork bomb
```
Never commit hosts.yaml: it contains real credentials. It is already in .gitignore. Use hosts.example.yaml as a template.
Environment Variables
| Variable | Description | Default |
|---|---|---|
| SSH_HOSTS_YAML | Path to hosts config | config/hosts.yaml |
| SSH_POLICIES_YAML | Path to security policy config | config/policies.yaml |
| SSH_MCP_LOG_DIR | Directory for audit logs | logs/ |
| MCP_AUTH_TOKEN | Bearer token for HTTP transport | (none) |
Security Design
- Key-based auth only: password auth is intentionally unsupported.
- Policy gate on every tool: _gate() checks host allowlist and command blocklist before any execution.
- Full audit log: every operation is recorded with host, command, result, and timestamp.
- No outbound telemetry: the server connects only to your configured SSH targets.
- stdio default: no network port opened on the MCP host by default.
- Running targets behind a VPN (e.g. Tailscale) is strongly recommended.
See SECURITY.md for vulnerability reporting.
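The policy semantics described in the Configuration and Security Design sections, as an added example that is not the project's own _gate() code. It assumes blocklist entries are shell-style globs matched against the whole command line; the names gate, lint_policy and normalize are hypothetical, and the policy and host names are constructed from the examples on this page.

```python
import fnmatch

# Constructed policy mirroring the policies.yaml example on this page.
POLICY = {
    "host_allowlist": [],  # empty = all registered hosts permitted
    "command_blocklist": ["rm -rf /", "rm -rf /*", "mkfs*", ":(){:|:&};:"],
}
REGISTERED_HOSTS = {"web01", "db01"}  # names from the hosts.yaml example


def normalize(command: str) -> str:
    """Collapse whitespace so spacing alone does not change the match."""
    return " ".join(command.split())


def gate(host, command, policy=POLICY, registered=REGISTERED_HOSTS):
    """Hypothetical gate: return (allowed, reason) for one host/command pair."""
    if host not in registered:
        return False, "host not registered"
    allowlist = policy.get("host_allowlist") or []
    if allowlist and host not in allowlist:
        return False, "host not in allowlist"
    cmd = normalize(command)
    for pattern in policy.get("command_blocklist", []):
        # Assumption: patterns are shell-style globs matched against the whole line.
        if fnmatch.fnmatchcase(cmd, pattern):
            return False, f"blocked by {pattern!r}"
    return True, "ok"


def lint_policy(policy):
    """Flag settings a reviewer should look at before enabling an agent."""
    findings = []
    if not policy.get("host_allowlist"):
        findings.append("host_allowlist empty: every registered host is reachable")
    if not policy.get("command_blocklist"):
        findings.append("command_blocklist empty: no command is ever refused")
    return findings


if __name__ == "__main__":
    for host, cmd in [("web01", "uptime"), ("web01", "rm   -rf  /"),
                      ("db01", "mkfs.ext4 /dev/sdb1"), ("jump01", "uptime")]:
        print(host, repr(cmd), gate(host, cmd))
    print(lint_policy(POLICY))
```

Under glob matching, "rm -rf /*" also refuses rm -rf on any absolute path, and a blocklist only stops the spellings it lists. Treat it as a guard rail against accidents and rely on a non-empty host_allowlist and a least-privilege remote account for containment.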
Running Tests
```bash
# Integration tests: requires SSH server on localhost
TEST_USER=$USER TEST_KEY_PATH=~/.ssh/id_ed25519 pytest tests/ -v
```
Tests cover: exec, file transfer, persistent sessions, fleet orchestration, and tunnels.
They use real SSH connections, no mocking.
HTTP Transport (remote agents)
```bash
MCP_AUTH_TOKEN=your-secret python server.py --transport streamable_http --port 8000
```
The server exposes /mcp with Bearer token authentication. Suitable for remote AI agents over a private network.
Project Structure
```
ssh-shell-mcp/
├── server.py                  # MCP entrypoint, all 57 tools
├── server/
│   ├── connection_manager.py  # AsyncSSH connection pool
│   ├── session_manager.py     # Persistent shell sessions
│   ├── shell_engine.py        # Core command execution
│   ├── file_ops.py            # SFTP file operations
│   ├── process_manager.py     # Process lifecycle
│   ├── system_inspector.py    # System info, logs, Docker
│   ├── network_tools.py       # Tunnel manager
│   ├── orchestrator.py        # Multi-host execution
│   ├── audit.py               # Audit log
│   └── security.py            # Policy enforcement
├── config.example.json
├── requirements.txt
├── Dockerfile
├── docker-compose.yml
└── SECURITY.md
```
For per-tool parameter documentation see docs/tools.md.
⚠️ Legal Notice
This tool provides programmatic SSH access to remote systems. Use only on systems you own or have explicit written authorization to access. Unauthorized access to computer systems is illegal in most jurisdictions.
Cryptography Notice
This software uses the SSH protocol, which relies on cryptographic algorithms. Export, import, and use may be restricted in some jurisdictions. See the Wassenaar Arrangement for reference.
