Jumpserver Gui Sucks
БесплатноНе проверенA JumpServer 443-only MCP bridge for coding agents that exposes a CLI-first, MFA-compatible, audit-preserving path into JumpServer assets without GUI or port 22
Описание
A JumpServer 443-only MCP bridge for coding agents that exposes a CLI-first, MFA-compatible, audit-preserving path into JumpServer assets without GUI or port 2222 dependencies.
README
CAUTION: Operate production machines with extreme care. This MCP assumes no responsibility for production incidents caused by unsafe or incompetent model behavior.
A JumpServer 443-only MCP bridge for coding agents such as Codex and Claude. The project exposes a CLI-first, MFA-compatible, audit-preserving path into JumpServer assets without depending on port 2222 or any GUI-driven workflow in normal use.
Current Status
The main CLI and MCP chain is working against a real JumpServer instance:
- CLI-first login with terminal-entered MFA
- persisted durable
access_keyauth for REST discovery - persisted authenticated web-session cookies for KoKo terminal flows
- asset, node, connect-method, and asset-access discovery
- KoKo 443 WebSocket probing
- one-shot remote command execution through KoKo
- managed multi-turn terminal sessions for MCP-driven shell interaction
- managed shell reuse for repeated command execution against the same asset/account target
- non-blocking buffered terminal output reads for managed sessions
- explicit managed-session command interruption with
Ctrl-C - process-local terminal idle reaping and session-cap enforcement
- explicit cookie-session refresh probing before terminal work
- a line-oriented CLI shell for non-MCP interactive terminal use
The current implementation is usable, but it is not feature-complete yet. The most important known limitation is:
- terminal access still depends on a valid cookie-backed web session, so a fully expired terminal session still requires a fresh
loginrun with MFA
Terminal-oriented entry points now accept either the concrete JumpServer account ID/alias required by the API or a user-facing account reference such as root, test-root, or the account username. The MCP resolves that reference to the concrete per-asset account ID before opening terminal sessions or creating connection tokens.
The project does not currently aim to provide file-manager or SFTP coverage.
Tracked Project Docs
- docs/live-instance-recon.md
- docs/web-terminal-flow.md
- docs/auth-state-format.md
- docs/cli-login-flow.md
Upstream Reference Repositories
The repository keeps several untracked upstream JumpServer codebases under extern/ for protocol and behavior reference only. They are not runtime dependencies of this package.
extern/jumpserver: backend API, authentication, and permission-model referenceextern/koko: KoKo terminal gateway and WebSocket behavior referenceextern/luna: legacy web-terminal frontend flow reference, especially around browser-driven terminal bootstrap behaviorextern/lina: newer web UI and API usage-pattern referenceextern/client: official client-side implementation reference for adjacent access workflows
Authentication Model
The runtime intentionally uses two auth layers:
access_keyfor durable REST access- authenticated web-session cookies for KoKo terminal access
Do not put live session secrets, cookies, or MFA values into MCP client config files. The intended flow is:
- Run the CLI login command once.
- Complete MFA in the terminal.
- Let the tool persist auth state into the user-scoped application state directory.
- Start the MCP server from Codex or Claude.
When the live JumpServer deployment enables a login captcha challenge, the CLI login command saves the captcha image under /private/tmp/ and opens it with the system image viewer before prompting for the captcha value in the terminal.
By default, persisted auth state lives under the platform-specific user application state directory:
- macOS example:
~/Library/Application Support/mcp-jumpserver-gui-sucks/auth-state.json
Advanced users can override the location with:
MCP_JUMPSERVER_GUI_SUCKS_STATE_DIRMCP_JUMPSERVER_GUI_SUCKS_STATE_FILE
Install
Use the published package directly:
uvx mcp-jumpserver-gui-sucks --help
Login Before Starting MCP
uvx mcp-jumpserver-gui-sucks login \
--base-url https://jumpserver.example.com \
--username alice
Useful verification commands:
uvx mcp-jumpserver-gui-sucks doctor
uvx mcp-jumpserver-gui-sucks refresh-session --force
The login command persists state outside the repository. MCP client config should only describe how to find that state, not embed the secrets themselves.
MCP Configuration
The MCP server entrypoint is:
uvx mcp-jumpserver-gui-sucks serve
serve defaults to stdio, which is the correct transport for Codex and Claude desktop-style MCP clients.
Recommended Agent Terminal Workflow
When a coding agent plans to work on one machine for more than one command, the recommended workflow is:
- Call
jms_terminal_usage_guide. - Call
jms_acquire_terminal_sessionwithasset_refandaccount_ref. - Use
jms_run_terminal_commandfor short command-style work. - Use
jms_send_terminal_inputplusjms_read_terminal_outputfor shell-style interaction. - Call
jms_interrupt_terminal_sessionwhen a command needs to be stopped. - Call
jms_close_terminal_sessionwhen the task is complete.
This keeps one KoKo shell open per target and avoids leaving many short-lived web-shell records behind in JumpServer.
Codex (~/.codex/config.toml)
This matches the mcp_servers.* structure already used in your local ~/.codex/config.toml:
[mcp_servers.mcp-jumpserver-gui-sucks]
command = "uvx"
args = ["mcp-jumpserver-gui-sucks", "serve"]
startup_timeout_sec = 60.0
tool_timeout_sec = 600.0
[mcp_servers.mcp-jumpserver-gui-sucks.env]
MCP_JUMPSERVER_GUI_SUCKS_BASE_URL = "https://jumpserver.example.com"
MCP_JUMPSERVER_GUI_SUCKS_VERIFY_TLS = "true"
MCP_JUMPSERVER_GUI_SUCKS_TERMINAL_IDLE_TIMEOUT_SECONDS = "3600"
MCP_JUMPSERVER_GUI_SUCKS_TERMINAL_REAP_INTERVAL_SECONDS = "30"
MCP_JUMPSERVER_GUI_SUCKS_MAX_TERMINAL_SESSIONS = "8"
# Optional when the default state directory is not desired.
# MCP_JUMPSERVER_GUI_SUCKS_STATE_DIR = "/Users/alice/Library/Application Support/mcp-jumpserver-gui-sucks"
# MCP_JUMPSERVER_GUI_SUCKS_STATE_FILE = "/Users/alice/Library/Application Support/mcp-jumpserver-gui-sucks/auth-state.json"
# MCP_JUMPSERVER_GUI_SUCKS_ORG_ID = "00000000-0000-0000-0000-000000000002"
tool_timeout_sec is a Codex-side MCP client setting. If it is omitted, Codex falls back to its own default per-tool timeout. Increase it when the agent may need to keep a single jms_* call open for longer-running terminal work. For terminal commands, pair it with a larger total_timeout_seconds on the specific jms_run_terminal_command or jms_execute_in_terminal_session call when needed.
Claude (~/.claude.json)
This matches the mcpServers JSON shape already present in your local ~/.claude.json:
{
"mcpServers": {
"mcp-jumpserver-gui-sucks": {
"command": "uvx",
"args": ["mcp-jumpserver-gui-sucks", "serve"],
"env": {
"MCP_JUMPSERVER_GUI_SUCKS_BASE_URL": "https://jumpserver.example.com",
"MCP_JUMPSERVER_GUI_SUCKS_VERIFY_TLS": "true",
"MCP_JUMPSERVER_GUI_SUCKS_TERMINAL_IDLE_TIMEOUT_SECONDS": "3600",
"MCP_JUMPSERVER_GUI_SUCKS_TERMINAL_REAP_INTERVAL_SECONDS": "30",
"MCP_JUMPSERVER_GUI_SUCKS_MAX_TERMINAL_SESSIONS": "8"
}
}
}
}
Supported Environment Variables
The current runtime reads these environment variables:
MCP_JUMPSERVER_GUI_SUCKS_BASE_URLMCP_JUMPSERVER_GUI_SUCKS_ORG_IDMCP_JUMPSERVER_GUI_SUCKS_STATE_DIRMCP_JUMPSERVER_GUI_SUCKS_STATE_FILEMCP_JUMPSERVER_GUI_SUCKS_VERIFY_TLSMCP_JUMPSERVER_GUI_SUCKS_LOG_LEVELMCP_JUMPSERVER_GUI_SUCKS_REQUEST_TIMEOUT_SECONDSMCP_JUMPSERVER_GUI_SUCKS_TERMINAL_IDLE_TIMEOUT_SECONDSMCP_JUMPSERVER_GUI_SUCKS_TERMINAL_REAP_INTERVAL_SECONDSMCP_JUMPSERVER_GUI_SUCKS_MAX_TERMINAL_SESSIONS
The recommended minimum MCP config is usually:
MCP_JUMPSERVER_GUI_SUCKS_BASE_URL- optionally
MCP_JUMPSERVER_GUI_SUCKS_STATE_DIRorMCP_JUMPSERVER_GUI_SUCKS_STATE_FILE
PyPI Release Automation
The repository now includes publish-pypi.yml.
Its behavior is intentionally:
- every push to
maininspectspyproject.toml - if the package version changed and that version does not already exist on PyPI, GitHub Actions builds and publishes it
- if the version did not change, the workflow skips publishing
- if the version already exists on PyPI, the workflow skips publishing
workflow_dispatchcan be used to publish the current version manually when it is not yet on PyPI
The publish job uses PyPI Trusted Publishing through GitHub OIDC. Configure PyPI to trust this repository and workflow before expecting the publish step to succeed.
Recommended PyPI trusted publisher settings:
- owner:
ArtiPyHeart - repository:
mcp-jumpserver-gui-sucks - workflow file:
.github/workflows/publish-pypi.yml - environment name:
pypi
After Trusted Publishing is configured once, later pushes to main that bump project.version in pyproject.toml will publish automatically.
Current CLI Surface
mcp-jumpserver-gui-sucks loginmcp-jumpserver-gui-sucks pathsmcp-jumpserver-gui-sucks doctormcp-jumpserver-gui-sucks refresh-sessionmcp-jumpserver-gui-sucks resolve-targetmcp-jumpserver-gui-sucks koko-probemcp-jumpserver-gui-sucks terminal-execmcp-jumpserver-gui-sucks terminal-shellmcp-jumpserver-gui-sucks save-statemcp-jumpserver-gui-sucks clear-statemcp-jumpserver-gui-sucks serve
Current MCP Tools
jms_pathsjms_statusjms_terminal_usage_guidejms_profilejms_list_nodesjms_list_assetsjms_get_assetjms_list_connect_methodsjms_get_asset_accessjms_resolve_terminal_targetjms_list_connection_tokensjms_create_connection_tokenjms_expire_connection_tokenjms_refresh_terminal_authjms_probe_koko_terminaljms_acquire_terminal_sessionjms_list_terminal_sessionsjms_send_terminal_inputjms_read_terminal_outputjms_run_terminal_commandjms_interrupt_terminal_sessionjms_resize_terminal_sessionjms_close_terminal_session
Operational Notes
- Managed terminal sessions are process-local and intended to live only for the MCP server process lifetime.
jms_terminal_usage_guidereturns the preferred terminal workflow for coding agents and should be consulted at the start of terminal-heavy work.jms_acquire_terminal_sessionis the preferred high-level entrypoint for repeated work on one machine because it resolves the target and reuses an existing shell when possible.jms_run_terminal_commandis the preferred path for short command execution on an already acquiredsession_handle.jms_send_terminal_inputplusjms_read_terminal_outputare the preferred path for shell-style interaction and incremental polling.jms_interrupt_terminal_sessionis the supported way to stop a running managed-session command without throwing away the shell immediately.jms_interrupt_terminal_sessionacceptsctrl_cand the common aliasSIGINT; both normalize to the same Ctrl+C behavior.- The default managed shell idle timeout is 1 hour. Override it with
MCP_JUMPSERVER_GUI_SUCKS_TERMINAL_IDLE_TIMEOUT_SECONDSif a different retention window is required. - When the MCP server process exits normally, it closes all managed KoKo shells before returning.
terminal-shellis line-oriented, not a full raw TTY emulator.- Terminal entrypoints preflight the cookie-backed web session before opening KoKo.
- If the cookie-backed session is already invalid, terminal calls fail early with an explicit re-login requirement instead of a low-level websocket failure.
- REST discovery can continue to work when the durable
access_keyremains valid, even if terminal access requires a fresh login.
Установка Jumpserver Gui Sucks
У этого сервера нет опубликованного пакета — он собирается из исходников. Открой репозиторий и следуй инструкции в README.
▸ github.com/ArtiPyHeart/mcp-jumpserver-gui-sucksFAQ
Jumpserver Gui Sucks MCP бесплатный?
Да, Jumpserver Gui Sucks MCP бесплатный — установка в пару кликов через Unyly без оплаты.
Нужен ли API-ключ для Jumpserver Gui Sucks?
Нет, Jumpserver Gui Sucks работает без API-ключей и переменных окружения.
Jumpserver Gui Sucks — hosted или self-hosted?
Доступен hosted-вариант: Unyly запускает сервер в облаке, локальная установка не обязательна.
Как установить Jumpserver Gui Sucks в Claude Desktop, Claude Code или Cursor?
Открой Jumpserver Gui Sucks на unyly.org, выбери вкладку своего клиента (Claude Desktop, Claude Code, Cursor) и нажми Install — конфиг сгенерируется автоматически, без правки JSON.
Похожие MCP
GitHub
PRs, issues, code search, CI status
автор: GitHubFilesystem
Secure file operations with configurable access controls.
Memory
Knowledge graph-based persistent memory system.
Template MCP Server
A CLI tool to create a new Model Context Protocol server project with TypeScript support, dual transport options, and an extensible structure
автор: mcpdotdirectCompare Jumpserver Gui Sucks with
Не уверен что выбрать?
Найди свой стек за 60 секунд
Автор?
Embed-бейдж для README
Похожее
Все в категории development
