Command Palette

Search for a command to run...

UnylyUnyly
Весь каталог

Remote Ssh

БесплатноНе проверен

MCP server giving AI agents full SSH access with persistent sessions, structured command output, SFTP file transfer, and port forwarding.

GitHubEmbed

Описание

MCP server giving AI agents full SSH access with persistent sessions, structured command output, SFTP file transfer, and port forwarding.

README

PyPI Python License: MIT

MCP server giving AI agents full SSH access -- persistent sessions, structured command output, SFTP file transfer, port forwarding, and secret-safe environment variable injection with automatic output redaction.

Why this exists

Every other SSH MCP server is missing something: no password auth, no persistent sessions, no SFTP, no port forwarding, or no structured exit codes. This one has all of them -- plus the only MCP-level secret management that prevents AI agents from ever seeing your credentials.

Secret-Safe Environment Variables

The problem: When an AI agent needs to use API tokens, passwords, or keys on a remote server, the standard approach exposes secrets in the LLM's context window. The agent either reads the secret file (now it's in the conversation) or runs echo $TOKEN and sees the value in the output.

The solution: ssh_load_env_file reads secrets from a local file on your machine, injects them into the remote SSH session, and registers them for automatic output redaction. The AI agent can use the variables freely -- every tool response is scrubbed before it reaches the LLM.

# Agent calls this -- file is read from YOUR machine, not the remote host
ssh_load_env_file(session_id="abc", file_path="~/.secrets/prod.env")
→ "Loaded 3 variables from local:~/.secrets/prod.env: API_TOKEN, DB_PASS, SECRET_KEY"

# Agent tries to echo the value -- redacted automatically
ssh_execute(session_id="abc", command="echo $API_TOKEN")
→ {"stdout": "***\n", "exit_code": 0}

# Agent dumps the environment -- all secret values scrubbed
ssh_execute(session_id="abc", command="env | grep API_TOKEN")
→ {"stdout": "API_TOKEN=***\n", "exit_code": 0}

# Agent reads a file containing a secret -- also redacted
ssh_read_remote_file(session_id="abc", remote_path="/etc/app/config")
→ "db_password=***\ndb_host=localhost\n"

# Normal commands work perfectly -- no over-redaction
ssh_execute(session_id="abc", command="uname -a")
→ {"stdout": "Linux server 6.1.0 ...", "exit_code": 0}

How it works

┌─────────┐         ┌──────────────────────────────┐         ┌─────────────┐
│   LLM   │ ←─JSON─ │   MCP Server (your machine)  │ ──SSH─→ │ Remote Host │
│ (Agent) │         │                              │         │             │
└─────────┘         │  1. Reads ~/.secrets/prod.env│         └─────────────┘
                    │  2. Parses KEY=VALUE pairs   │
                    │  3. Stores values in memory  │
                    │  4. Injects into SSH session │
                    │  5. Redacts ALL tool output  │
                    └──────────────────────────────┘
  1. Local file read -- the env file lives on your machine, never on the remote host
  2. Shell injection via builtins -- uses read -r VAR <<< 'value' && export VAR (no process tree exposure)
  3. Stdin-based exec injection -- ssh_execute feeds secrets via stdin to a bash wrapper, so they never appear in /proc/*/cmdline
  4. Automatic redaction -- every tool response (ssh_execute, ssh_shell_send, ssh_shell_read, ssh_read_remote_file) is scrubbed before reaching the LLM
  5. Longest-first matching -- prevents partial-match corruption (e.g., abc123 is replaced before abc)

Security properties

Threat Mitigated? How
Secret in LLM context window Yes Output redaction replaces values with ***
Secret in remote process tree (shell) Yes Shell builtins (read/export) don't fork
Secret in remote process tree (exec) Yes Secrets fed via stdin, never in /proc/*/cmdline
LLM tries cat on the env file N/A File is local-only, doesn't exist on remote
LLM tries echo $VAR Yes Output is redacted
Encoded/transformed secret (base64) No Only literal matches are redacted
MITM on first SSH connection Accepted AutoAddPolicy used — see note below

Host key policy

This server uses Paramiko's AutoAddPolicy — unknown host keys are accepted without prompting. This is intentional for QE/lab environments where hosts are ephemeral (Beaker, cloud instances, CI machines). The trade-off:

  • Pro: Zero-friction connections to newly provisioned machines
  • Con: Vulnerable to MITM on the very first connection to an unknown host

If you operate on untrusted networks, consider wrapping connections through a VPN or SSH bastion with pre-distributed host keys. A host_key_policy parameter may be added in a future release for strict environments.

Env file format

Standard .env format:

# Comments are ignored
API_TOKEN=your-secret-token
DB_PASSWORD="quoted values work"
SECRET_KEY='single quotes too'
export ALSO_WORKS=yes

Installation

uvx mcp-remote-ssh        # or: pip install mcp-remote-ssh

Configuration

{
  "mcpServers": {
    "remote-ssh": {
      "command": "uvx",
      "args": ["mcp-remote-ssh"]
    }
  }
}

Tools (20)

Connection

Tool Description
ssh_connect Connect with password, key, or agent auth. Returns session_id
ssh_list_sessions List active sessions
ssh_close_session Close a session and release resources

Execution

Tool Description
ssh_execute Run a command, returns {stdout, stderr, exit_code}
ssh_sudo_execute Run with sudo elevation

Interactive Shell

Tool Description
ssh_shell_open Open persistent shell (preserves cwd, env, processes)
ssh_shell_send Send text (with optional Enter)
ssh_shell_read Read current output buffer
ssh_shell_send_control Send Ctrl+C, Ctrl+D, etc.
ssh_shell_wait Wait for a pattern or output to stabilize

Secrets Management

Tool Description
ssh_load_env_file Load secrets from a local env file; values never returned to the LLM
ssh_clear_secrets Clear redaction registry (values become visible again)

SFTP

Tool Description
ssh_upload_file Upload local file to remote host
ssh_download_file Download remote file to local machine
ssh_read_remote_file Read a remote text file
ssh_write_remote_file Write/append to a remote file
ssh_list_remote_dir List directory with metadata

Port Forwarding

Tool Description
ssh_forward_port Create SSH tunnel (local -> remote)
ssh_list_forwards List active tunnels
ssh_close_forward Close a tunnel

Quick start

ssh_connect(host="server.example.com", username="admin", password="secret")
→ {"session_id": "a1b2c3d4", "connected": true}

ssh_load_env_file(session_id="a1b2c3d4", file_path="~/.secrets/prod.env")
→ "Loaded 2 variables: API_TOKEN, DB_PASS"

ssh_execute(session_id="a1b2c3d4", command="curl -H \"Authorization: Bearer $API_TOKEN\" https://api.example.com")
→ {"stdout": "{\"status\": \"ok\"}", "exit_code": 0}  # token used but never visible

ssh_shell_open(session_id="a1b2c3d4")
ssh_shell_send(session_id="a1b2c3d4", data="cd /opt && make -j$(nproc)")
ssh_shell_wait(session_id="a1b2c3d4", pattern="$ ", timeout=600)

ssh_upload_file(session_id="a1b2c3d4", local_path="config.yaml", remote_path="/etc/app/config.yaml")
ssh_forward_port(session_id="a1b2c3d4", remote_port=5432, local_port=15432)

Design

Built on Paramiko (SSH) + FastMCP (MCP protocol).

  • ssh_execute uses exec_command() for clean structured output with real exit codes
  • When secrets are loaded, ssh_execute feeds exports via stdin to a bash wrapper, then execs the actual command -- secrets never appear in the process tree
  • ssh_shell_* uses invoke_shell() for persistent interactive sessions
  • All blocking Paramiko calls run in run_in_executor to stay async
  • Shell keeps a 500KB rolling buffer for shell_read polling
  • Secret redaction uses longest-first string replacement across all output paths

License

MIT

from github.com/faizbawa/mcp-remote-ssh

Установить Remote Ssh в Claude Desktop, Claude Code, Cursor

Рекомендуется · одна команда, все IDE
unyly install mcp-remote-ssh

Ставит в Claude Desktop, Claude Code, Cursor и VS Code — сам разбирается с npx, uvx и сборкой из исходников.

Впервые? Поставь CLI: curl -fsSL https://unyly.org/install | sh

Или настроить вручную

Выполни в терминале:

claude mcp add mcp-remote-ssh -- uvx mcp-remote-ssh

FAQ

Remote Ssh MCP бесплатный?

Да, Remote Ssh MCP бесплатный — установка в пару кликов через Unyly без оплаты.

Нужен ли API-ключ для Remote Ssh?

Нет, Remote Ssh работает без API-ключей и переменных окружения.

Remote Ssh — hosted или self-hosted?

Доступен hosted-вариант: Unyly запускает сервер в облаке, локальная установка не обязательна.

Как установить Remote Ssh в Claude Desktop, Claude Code или Cursor?

Открой Remote Ssh на unyly.org, выбери вкладку своего клиента (Claude Desktop, Claude Code, Cursor) и нажми Install — конфиг сгенерируется автоматически, без правки JSON.

Похожие MCP

Compare Remote Ssh with

Не уверен что выбрать?

Найди свой стек за 60 секунд

Автор?

Embed-бейдж для README

Похожее

Все в категории ai