TypeScript MCP server for controlled SSH operations, remote host workflows, command execution guardrails, and infrastructure automation.
```bash
claude mcp add ssh-mcp-pro -- npx -y ssh-mcp-pro
```
```json
{
  "mcpServers": {
    "ssh-mcp-pro": {
      "command": "npx",
      "args": ["-y", "ssh-mcp-pro"]
    }
  }
}
```
# ssh-mcp-pro
ssh-mcp-pro is a secure Model Context Protocol (MCP) server for SSH automation. It lets MCP-capable clients open SSH sessions, inspect hosts, run guarded commands, manage files, transfer artifacts, create tunnels, and perform idempotent package or service work through policy-controlled tools.
## Prerequisites
- Node.js `>=22.22.2` or `>=24.15.0` or `>=26.3.0`
- pnpm `>=11.0.9`
- SSH access to the target hosts
- Docker, only for local integration tests and container image builds
## Installation
Install globally with pnpm:
```bash
pnpm add --global ssh-mcp-pro
ssh-mcp-pro --version
```
Run without a global install:
```bash
npx ssh-mcp-pro
```
For pnpm-only environments, use:
```bash
pnpm dlx ssh-mcp-pro
```
Container images are published to GitHub Container Registry for release tags:
```bash
docker run --rm ghcr.io/oaslananka/ssh-mcp-pro:1.0.0 --version
```
Images are published for `linux/amd64` and `linux/arm64` with exact semver and
Git tag aliases. Production deployments should prefer the digest-pinned
reference recorded by the release workflow. See [Docker Usage](docs/docker.md)
for the tag policy, digest-pinned examples, and registry verification steps.
## Quickstart
Generic stdio MCP config:
```json
{
  "name": "ssh-mcp-pro",
  "command": "ssh-mcp-pro",
  "type": "stdio"
}
```
VS Code settings style:
```json
{
  "mcp.servers": {
    "ssh-mcp-pro": {
      "type": "stdio",
      "command": "ssh-mcp-pro",
      "args": []
    }
  }
}
```
Claude Desktop style:
```json
{
  "mcpServers": {
    "ssh-mcp-pro": {
      "command": "ssh-mcp-pro",
      "args": []
    }
  }
}
```
After registration, start with discovery and a strict host-key policy:
```text
List configured SSH hosts, open a session to bastion.example.com as deploy with hostKeyPolicy=strict, then run os_detect.
```
## Usage
Use ssh-mcp-pro from an MCP client over stdio, or run the HTTP transport for
remote-safe connector profiles. Start with read-only discovery tools, inspect
the active policy, and create explicit sessions before running remote commands:
```text
List configured SSH hosts, explain the active SSH policy, connect to the selected host, then report its operating system and disk usage.
```
See [examples/README.md](examples/README.md) for additional workflows and
[INSTALL.md](INSTALL.md) for client-specific setup.
## Configuration
All `SSH_MCP_*` environment variables parsed by `src/config.ts` are listed below. Comma-separated settings also accept newline-separated values.
| Variable | Default | Purpose |
| --- | --- | --- |
| `SSH_MCP_MAX_SESSIONS` | `20` | Maximum concurrent SSH sessions. |
| `SSH_MCP_SESSION_TTL` | `900000` | Session time-to-live in milliseconds. |
| `SSH_MCP_COMMAND_TIMEOUT` | `30000` | Default remote command timeout in milliseconds. |
| `SSH_MCP_MAX_COMMAND_OUTPUT_BYTES` | `1048576` | Maximum buffered stdout/stderr bytes per command result. |
| `SSH_MCP_MAX_STREAM_CHUNKS` | `4096` | Maximum retained streaming chunks. |
| `SSH_MCP_MAX_FILE_SIZE` | `10485760` | Maximum bytes returned by text-focused file reads. |
| `SSH_MCP_MAX_FILE_WRITE_BYTES` | `10485760` | Maximum accepted write payload before buffering. |
| `SSH_MCP_MAX_TRANSFER_BYTES` | `52428800` | Maximum upload or download transfer size. |
| `SSH_MCP_DEBUG` | `false` | Enables debug-oriented configuration behavior. |
| `SSH_MCP_RATE_LIMIT` | `true` | Enables the global MCP request rate limiter. |
| `SSH_MCP_RATE_LIMIT_MAX` | `100` | Maximum requests per rate-limit window. |
| `SSH_MCP_RATE_LIMIT_PER_SESSION` | `true` | Enables per-session MCP request rate limiting when tool arguments include `sessionId`. |
| `SSH_MCP_RATE_LIMIT_PER_SESSION_MAX` | `50` | Maximum requests per SSH session per rate-limit window. |
| `SSH_MCP_RATE_LIMIT_PER_SESSION_WINDOW_MS` | `60000` | Per-session rate-limit window in milliseconds. |
| `SSH_MCP_RATE_LIMIT_WINDOW_MS` | `60000` | Rate-limit window in milliseconds. |
| `SSH_MCP_STRICT_HOST_KEY` | unset | Legacy boolean alias for strict vs insecure host-key checking. |
| `SSH_MCP_HOST_KEY_POLICY` | `strict` | Host-key mode: `strict`, `accept-new`, or `insecure`. |
| `SSH_MCP_KNOWN_HOSTS_PATH` | `~/.ssh/known_hosts` | Known hosts file used for strict host-key verification. |
| `SSH_MCP_ALLOW_ROOT_LOGIN` | `false` | Allows SSH login as root and mirrors into policy. |
| `SSH_MCP_ALLOWED_CIPHERS` | empty | Optional SSH cipher allowlist. |
| `SSH_MCP_POLICY_FILE` | unset | JSON file containing partial policy overrides. |
| `SSH_MCP_POLICY_MODE` | `enforce` | Policy decision mode: `enforce` or `explain`. |
| `SSH_MCP_ALLOW_RAW_SUDO` | `false` | Allows raw `proc_sudo`; prefer `ensure_*` tools. |
| `SSH_MCP_ALLOW_DESTRUCTIVE_COMMANDS` | `false` | Allows commands matching destructive command policy. |
| `SSH_MCP_ALLOW_DESTRUCTIVE_FS` | `false` | Allows destructive filesystem operations such as `fs_rmrf`. |
| `SSH_MCP_ALLOWED_HOSTS` | empty | Host allowlist for policy and remote connector safety checks. |
| `SSH_MCP_COMMAND_ALLOW` | empty | Command allow patterns. |
| `SSH_MCP_COMMAND_DENY` | empty | Command deny patterns. |
| `SSH_MCP_PATH_ALLOW_PREFIXES` | `/tmp,/var/tmp,/home,/Users` | Remote path prefixes allowed by filesystem policy. |
| `SSH_MCP_PATH_DENY_PREFIXES` | `/etc/sudoers,/etc/shadow,/etc/passwd,/boot,/dev,/proc` | Remote path prefixes denied by filesystem policy. |
| `SSH_MCP_LOCAL_PATH_ALLOW_PREFIXES` | OS temp directory | Local paths allowed for transfer operations. |
| `SSH_MCP_LOCAL_PATH_DENY_PREFIXES` | empty | Local paths denied for transfer operations. |
| `SSH_MCP_TUNNEL_ALLOW_BIND_HOSTS` | `127.0.0.1,localhost,::1` | Local bind hosts allowed for tunnels. |
| `SSH_MCP_TUNNEL_DENY_BIND_HOSTS` | `0.0.0.0,::` | Local bind hosts denied for tunnels. |
| `SSH_MCP_TUNNEL_ALLOW_REMOTE_HOSTS` | empty | Optional remote tunnel target host allowlist. |
| `SSH_MCP_TUNNEL_DENY_REMOTE_HOSTS` | empty | Optional remote tunnel target host denylist. |
| `SSH_MCP_TUNNEL_ALLOW_PORTS` | empty | Optional tunnel port allowlist. |
| `SSH_MCP_TUNNEL_DENY_PORTS` | empty | Optional tunnel port denylist. |
| `SSH_MCP_HTTP_HOST` | `127.0.0.1` | Streamable HTTP bind host. |
| `SSH_MCP_HTTP_PORT` | `3000` | Streamable HTTP bind port. |
| `SSH_MCP_HTTP_ALLOWED_ORIGINS` | `http://127.0.0.1,http://localhost` | Browser origins allowed for HTTP clients. |
| `SSH_MCP_HTTP_BEARER_TOKEN_FILE` | unset | Bearer token file for HTTP transport. Required for non-loopback bearer deployments. |
| `SSH_MCP_ENABLE_LEGACY_SSE` | `false` | Enables legacy SSE compatibility. |
| `SSH_MCP_HTTP_MAX_REQUEST_BODY_BYTES` | `1048576` | Maximum HTTP request body size. |
| `SSH_MCP_HTTP_MAX_SESSIONS` | `20` | Maximum HTTP MCP sessions. |
| `SSH_MCP_HTTP_SESSION_IDLE_TTL_MS` | `900000` | HTTP MCP session idle timeout in milliseconds. |
| `SSH_MCP_HTTP_PUBLIC_URL` | unset | Stable public HTTPS MCP URL for protected resource metadata. |
| `SSH_MCP_HTTP_TRUST_PROXY` | `false` | Trust reverse proxy forwarded headers. |
| `SSH_MCP_TOOL_PROFILE` | `full` | Active tool exposure profile. |
| `SSH_MCP_CONNECTOR_PROFILE` | `full` | Alias for `SSH_MCP_TOOL_PROFILE`. |
| `SSH_MCP_CONNECTOR_CREDENTIAL_PROVIDER` | `none` | Credential provider: `none`, `agent`, or `command`. |
| `SSH_MCP_CONNECTOR_CREDENTIAL_COMMAND` | unset | External credential command when provider is `command`. |
| `SSH_MCP_CONNECTOR_CREDENTIAL_COMMAND_ARGS` | empty | Arguments passed to the external credential command. |
| `SSH_MCP_CONNECTOR_CREDENTIAL_COMMAND_TIMEOUT_MS` | `5000` | Credential command timeout in milliseconds. |
| `SSH_MCP_CONNECTOR_DEFAULT_USERNAME` | unset | Default username for connector broker flows. |
| `SSH_MCP_HTTP_AUTH_MODE` | `bearer` | HTTP auth mode: `bearer` or `oauth`. |
| `SSH_MCP_OAUTH_ISSUER` | unset | Expected OAuth issuer. |
| `SSH_MCP_OAUTH_AUDIENCE` | unset | Expected OAuth audience. |
| `SSH_MCP_OAUTH_JWKS_URL` | unset | OAuth JWKS URL. |
| `SSH_MCP_OAUTH_RESOURCE` | unset | OAuth protected resource identifier. |
| `SSH_MCP_OAUTH_REQUIRED_SCOPES` | `ssh-mcp-pro.read` | Required OAuth scopes. |
The parser also accepts non-`SSH_MCP_*` compatibility aliases `PORT`, `KNOWN_HOSTS_PATH`, and `STRICT_HOST_KEY_CHECKING`.
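A pre-deployment check built on the table above, as an added example that is not part of ssh-mcp-pro: it reports settings that relax the documented defaults. The function names and the rule that a non-loopback HTTP bind should not use the `full` profile are assumptions of this example; variable names and defaults come from the table.

```typescript
// Added example, not project code: flags SSH_MCP_* values that relax the
// defaults documented in the configuration table.
type Env = Record<string, string | undefined>;

const LOOPBACK = ["127.0.0.1", "localhost", "::1"];
const RELAXING_FLAGS = [
  "SSH_MCP_ALLOW_ROOT_LOGIN",
  "SSH_MCP_ALLOW_RAW_SUDO",
  "SSH_MCP_ALLOW_DESTRUCTIVE_COMMANDS",
  "SSH_MCP_ALLOW_DESTRUCTIVE_FS",
];

// List settings accept comma- or newline-separated values.
function splitList(value: string | undefined): string[] {
  return (value ?? "").split(/[,\n]/).map((s) => s.trim()).filter((s) => s !== "");
}

// Read one setting, falling back to the documented default when unset.
function setting(env: Env, name: string, fallback: string): string {
  return (env[name] ?? fallback).trim().toLowerCase();
}

function auditSshMcpEnv(env: Env): string[] {
  const findings: string[] = [];
  const hostKey = setting(env, "SSH_MCP_HOST_KEY_POLICY", "strict");
  if (hostKey !== "strict") findings.push(`SSH_MCP_HOST_KEY_POLICY=${hostKey} (default strict)`);
  if (setting(env, "SSH_MCP_STRICT_HOST_KEY", "") === "false") findings.push("SSH_MCP_STRICT_HOST_KEY=false (legacy alias)");
  if (setting(env, "SSH_MCP_RATE_LIMIT", "true") !== "true") findings.push("SSH_MCP_RATE_LIMIT is disabled");
  for (const flag of RELAXING_FLAGS) {
    if (setting(env, flag, "false") === "true") findings.push(`${flag}=true (default false)`);
  }
  for (const host of splitList(env["SSH_MCP_TUNNEL_ALLOW_BIND_HOSTS"])) {
    if (host === "0.0.0.0" || host === "::") findings.push(`tunnel bind host ${host} is allowed`);
  }
  const httpHost = setting(env, "SSH_MCP_HTTP_HOST", "127.0.0.1");
  if (LOOPBACK.indexOf(httpHost) === -1) {
    const bearer = setting(env, "SSH_MCP_HTTP_AUTH_MODE", "bearer") === "bearer";
    if (bearer && setting(env, "SSH_MCP_HTTP_BEARER_TOKEN_FILE", "") === "") {
      findings.push("non-loopback HTTP bind without SSH_MCP_HTTP_BEARER_TOKEN_FILE");
    }
    // Assumption of this example: remote HTTP exposure should not use `full`.
    const profile = env["SSH_MCP_TOOL_PROFILE"] ?? env["SSH_MCP_CONNECTOR_PROFILE"] ?? "full";
    if (profile.trim() === "full") findings.push("non-loopback HTTP bind with the full tool profile");
  }
  return findings;
}

// Constructed sample input, not taken from a real deployment.
const sampleFindings = auditSshMcpEnv({ SSH_MCP_HOST_KEY_POLICY: "insecure", SSH_MCP_ALLOW_RAW_SUDO: "true", SSH_MCP_HTTP_HOST: "0.0.0.0" });
```

An empty environment yields no findings, since every default in the table is the restrictive value the checks compare against.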
## Tool Profiles
`full` exposes every registered tool, resource, and prompt. Every other profile uses an explicit per-profile allowset. `chatgpt` and `claude` currently expose the same baseline connector tools as `remote-safe`, with empty client-specific extension sets reserved for future additions.
| Profile | Exposed tools | Exposed resources | Exposed prompts |
| --- | --- | --- | --- |
| `full` | All SSH, process, filesystem, transfer, ensure, tunnel, connector, and system tools. | All runtime resources. | All prompts. |
| `remote-safe` | `connector_status`, `ssh_hosts_list`, `ssh_policy_explain`, `ssh_host_inspect`, `ssh_mutation_plan`. | `ssh-mcp-pro://capabilities/support-matrix`. | `inspect-host-capabilities`, `plan-mutation`. |
| `chatgpt` | Baseline remote connector tools plus an empty ChatGPT extension set. | Same remote connector subset as `remote-safe`. | Same remote connector subset as `remote-safe`. |
| `claude` | Baseline remote connector tools plus an empty Claude extension set. | Same remote connector subset as `remote-safe`. | Same remote connector subset as `remote-safe`. |

## What people ask about ssh-mcp-pro

### What is oaslananka/ssh-mcp-pro?

oaslananka/ssh-mcp-pro is an MCP server for the Claude AI ecosystem. TypeScript MCP server for controlled SSH operations, remote host workflows, command execution guardrails, and infrastructure automation. It has 0 GitHub stars and was last updated today.

### How do I install ssh-mcp-pro?

You can install ssh-mcp-pro by cloning the repository (https://github.com/oaslananka/ssh-mcp-pro) or following the README instructions on GitHub. ClaudeWave also provides quick install blocks on this page.

### Is oaslananka/ssh-mcp-pro safe to use?

oaslananka/ssh-mcp-pro has not been audited yet by our security agent. Review the original repository on GitHub before using it in production.

### Who maintains oaslananka/ssh-mcp-pro?

oaslananka/ssh-mcp-pro is maintained by oaslananka. The last recorded GitHub activity is from today, with 11 open issues.

### Are there alternatives to ssh-mcp-pro?

Yes. On ClaudeWave you can browse similar MCP servers at /categories/mcp, sorted by popularity or recent activity.