Command Palette

Search for a command to run...

UnylyUnyly
Весь каталог

faizbawa/mcp-remote-ssh

БесплатноНе проверен

Full SSH access for AI agents with secret-safe environment injection and automatic output redaction. Persistent sessions, structured execution, SFTP, port forwa

GitHubEmbed

Описание

Full SSH access for AI agents with secret-safe environment injection and automatic output redaction. Persistent sessions, structured execution, SFTP, port forwarding — secrets are fed via stdin (invisible to ps) and scrubbed from all tool responses before reaching the LLM. uvx mcp-remote-ssh

README

PyPI Python License: MIT

MCP server giving AI agents full SSH access -- persistent sessions, structured command output, SFTP file transfer, port forwarding, and secret-safe environment variable injection with automatic output redaction.

Why this exists

Every other SSH MCP server is missing something: no password auth, no persistent sessions, no SFTP, no port forwarding, or no structured exit codes. This one has all of them -- plus the only MCP-level secret management that prevents AI agents from ever seeing your credentials.

Secret-Safe Environment Variables

The problem: When an AI agent needs to use API tokens, passwords, or keys on a remote server, the standard approach exposes secrets in the LLM's context window. The agent either reads the secret file (now it's in the conversation) or runs echo $TOKEN and sees the value in the output.

The solution: ssh_load_env_file reads secrets from a local file on your machine, injects them into the remote SSH session, and registers them for automatic output redaction. The AI agent can use the variables freely -- every tool response is scrubbed before it reaches the LLM.

# Agent calls this -- file is read from YOUR machine, not the remote host
ssh_load_env_file(session_id="abc", file_path="~/.secrets/prod.env")
→ "Loaded 3 variables from local:~/.secrets/prod.env: API_TOKEN, DB_PASS, SECRET_KEY"

# Agent tries to echo the value -- redacted automatically
ssh_execute(session_id="abc", command="echo $API_TOKEN")
→ {"stdout": "***\n", "exit_code": 0}

# Agent dumps the environment -- all secret values scrubbed
ssh_execute(session_id="abc", command="env | grep API_TOKEN")
→ {"stdout": "API_TOKEN=***\n", "exit_code": 0}

# Agent reads a file containing a secret -- also redacted
ssh_read_remote_file(session_id="abc", remote_path="/etc/app/config")
→ "db_password=***\ndb_host=localhost\n"

# Normal commands work perfectly -- no over-redaction
ssh_execute(session_id="abc", command="uname -a")
→ {"stdout": "Linux server 6.1.0 ...", "exit_code": 0}

How it works

┌─────────┐         ┌──────────────────────────────┐         ┌─────────────┐
│   LLM   │ ←─JSON─ │   MCP Server (your machine)  │ ──SSH─→ │ Remote Host │
│ (Agent) │         │                              │         │             │
└─────────┘         │  1. Reads ~/.secrets/prod.env│         └─────────────┘
                    │  2. Parses KEY=VALUE pairs   │
                    │  3. Stores values in memory  │
                    │  4. Injects into SSH session │
                    │  5. Redacts ALL tool output  │
                    └──────────────────────────────┘
  1. Local file read -- the env file lives on your machine, never on the remote host
  2. Shell injection via builtins -- uses read -r VAR <<< 'value' && export VAR (no process tree exposure)
  3. Stdin-based exec injection -- ssh_execute feeds secrets via stdin to a bash wrapper, so they never appear in /proc/*/cmdline
  4. Automatic redaction -- every tool response (ssh_execute, ssh_shell_send, ssh_shell_read, ssh_read_remote_file) is scrubbed before reaching the LLM
  5. Longest-first matching -- prevents partial-match corruption (e.g., abc123 is replaced before abc)

Security properties

Threat Mitigated? How
Secret in LLM context window Yes Output redaction replaces values with ***
Secret in remote process tree (shell) Yes Shell builtins (read/export) don't fork
Secret in remote process tree (exec) Yes Secrets fed via stdin, never in /proc/*/cmdline
LLM tries cat on the env file N/A File is local-only, doesn't exist on remote
LLM tries echo $VAR Yes Output is redacted
Encoded/transformed secret (base64) No Only literal matches are redacted
MITM on first SSH connection Accepted AutoAddPolicy used — see note below

Host key policy

This server uses Paramiko's AutoAddPolicy — unknown host keys are accepted without prompting. This is intentional for QE/lab environments where hosts are ephemeral (Beaker, cloud instances, CI machines). The trade-off:

  • Pro: Zero-friction connections to newly provisioned machines
  • Con: Vulnerable to MITM on the very first connection to an unknown host

If you operate on untrusted networks, consider wrapping connections through a VPN or SSH bastion with pre-distributed host keys. A host_key_policy parameter may be added in a future release for strict environments.

Env file format

Standard .env format:

# Comments are ignored
API_TOKEN=your-secret-token
DB_PASSWORD="quoted values work"
SECRET_KEY='single quotes too'
export ALSO_WORKS=yes

Installation

uvx mcp-remote-ssh        # or: pip install mcp-remote-ssh

Configuration

{
  "mcpServers": {
    "remote-ssh": {
      "command": "uvx",
      "args": ["mcp-remote-ssh"]
    }
  }
}

Tools (20)

Connection

Tool Description
ssh_connect Connect with password, key, or agent auth. Returns session_id
ssh_list_sessions List active sessions
ssh_close_session Close a session and release resources

Execution

Tool Description
ssh_execute Run a command, returns {stdout, stderr, exit_code}
ssh_sudo_execute Run with sudo elevation

Interactive Shell

Tool Description
ssh_shell_open Open persistent shell (preserves cwd, env, processes)
ssh_shell_send Send text (with optional Enter)
ssh_shell_read Read current output buffer
ssh_shell_send_control Send Ctrl+C, Ctrl+D, etc.
ssh_shell_wait Wait for a pattern or output to stabilize

Secrets Management

Tool Description
ssh_load_env_file Load secrets from a local env file; values never returned to the LLM
ssh_clear_secrets Clear redaction registry (values become visible again)

SFTP

Tool Description
ssh_upload_file Upload local file to remote host
ssh_download_file Download remote file to local machine
ssh_read_remote_file Read a remote text file
ssh_write_remote_file Write/append to a remote file
ssh_list_remote_dir List directory with metadata

Port Forwarding

Tool Description
ssh_forward_port Create SSH tunnel (local -> remote)
ssh_list_forwards List active tunnels
ssh_close_forward Close a tunnel

Quick start

ssh_connect(host="server.example.com", username="admin", password="secret")
→ {"session_id": "a1b2c3d4", "connected": true}

ssh_load_env_file(session_id="a1b2c3d4", file_path="~/.secrets/prod.env")
→ "Loaded 2 variables: API_TOKEN, DB_PASS"

ssh_execute(session_id="a1b2c3d4", command="curl -H \"Authorization: Bearer $API_TOKEN\" https://api.example.com")
→ {"stdout": "{\"status\": \"ok\"}", "exit_code": 0}  # token used but never visible

ssh_shell_open(session_id="a1b2c3d4")
ssh_shell_send(session_id="a1b2c3d4", data="cd /opt && make -j$(nproc)")
ssh_shell_wait(session_id="a1b2c3d4", pattern="$ ", timeout=600)

ssh_upload_file(session_id="a1b2c3d4", local_path="config.yaml", remote_path="/etc/app/config.yaml")
ssh_forward_port(session_id="a1b2c3d4", remote_port=5432, local_port=15432)

Design

Built on Paramiko (SSH) + FastMCP (MCP protocol).

  • ssh_execute uses exec_command() for clean structured output with real exit codes
  • When secrets are loaded, ssh_execute feeds exports via stdin to a bash wrapper, then execs the actual command -- secrets never appear in the process tree
  • ssh_shell_* uses invoke_shell() for persistent interactive sessions
  • All blocking Paramiko calls run in run_in_executor to stay async
  • Shell keeps a 500KB rolling buffer for shell_read polling
  • Secret redaction uses longest-first string replacement across all output paths

License

MIT

from github.com/faizbawa/mcp-remote-ssh

Установка faizbawa/mcp-remote-ssh

У этого сервера нет опубликованного пакета — он собирается из исходников. Открой репозиторий и следуй инструкции в README.

▸ github.com/faizbawa/mcp-remote-ssh

FAQ

faizbawa/mcp-remote-ssh MCP бесплатный?

Да, faizbawa/mcp-remote-ssh MCP бесплатный — установка в пару кликов через Unyly без оплаты.

Нужен ли API-ключ для faizbawa/mcp-remote-ssh?

Нет, faizbawa/mcp-remote-ssh работает без API-ключей и переменных окружения.

faizbawa/mcp-remote-ssh — hosted или self-hosted?

Self-hosted: сервер запускается локально на твоей машине командой из раздела установки.

Как установить faizbawa/mcp-remote-ssh в Claude Desktop, Claude Code или Cursor?

Открой faizbawa/mcp-remote-ssh на unyly.org, выбери вкладку своего клиента (Claude Desktop, Claude Code, Cursor) и нажми Install — конфиг сгенерируется автоматически, без правки JSON.

Похожие MCP

Compare faizbawa/mcp-remote-ssh with

Не уверен что выбрать?

Найди свой стек за 60 секунд

Автор?

Embed-бейдж для README

Похожее

Все в категории ai