The authorization boundary that lets an AI agent operate real servers — without ever holding standing trust. Thirteen guarded SSH tools, a 30-second idle reaper, diff-previewed writes and a full audit trail. Built in the open by OptinAmpOut.
Hand an AI agent raw SSH and you’ve handed it standing access to your infrastructure — no scope, no allowlist, no record of what it touched. SSH-MCP puts a boundary between the agent and the host: every action is requested, evaluated and audited before anything reaches a shell. The agent operates on a leash, not on trust.
The agent never talks to the host directly. It talks to the boundary — and the boundary talks to the host.
It asks for create_ssh_session, execute_remote_command or smart_file_edit. Nothing runs yet.
Identity and scope are verified, the command is matched against an allowlist, and writes require a diff preview.
Permitted calls reach the host inside a tracked, short-lived session — never a persistent door.
Output flows back, the session is closed after 30s idle, and every step — allowed or denied — is logged.
Version 2.0 cut the server from 93 tools to 13 essentials — a 86% reduction that traded sprawl for reliability. The codebase shrank from ~6,200 lines to ~1,700, and the build from 222KB to 140KB.
Every request is checked against identity, scope and an allowlist before it executes. Destructive patterns are refused outright — a denied rm -rf never reaches the shell, and it’s logged exactly like a successful deploy.
Idle SSH connections are how you end up with zombie processes and forgotten access. SSH-MCP closes sessions aggressively, so open doors trend toward zero.
smart_file_edit runs in three modes — simple search/replace, VIM ex-commands or sed scripts — with automatic backups, syntax validation and a dry-run preview.
Every request — allowed or denied — is logged with identity, scope and outcome. That trail is what a security team signs off on.
A session is a short-lived grant carrying an identity, a scope (read / exec / write) and a host set — with adaptive connection pooling, per-host limits and real-time pool, performance and security metrics exposed.
Sessions, remote exec, SFTP and smart file-editing — each behind the policy guard.
| Tool | What it does |
|---|---|
| Session management | |
quick_connect | Connect to a predefined server from .env. |
create_ssh_session | Open a custom SSH session with full configuration. |
list_sessions | List all active SSH sessions. |
close_session | Close a session and reclaim its resources. |
list_predefined_servers | List every server available from .env. |
check_device_availability | Check a host is reachable before connecting. |
| Execution & files | |
execute_remote_command | Run a shell command on the remote host. |
transfer_file | Upload / download files over SFTP. |
smart_file_edit | Edit files in 3 modes — simple, VIM ex, or sed — with backup, syntax-check and dry-run. |
create_or_update_sitemap | Generate sitemap.xml for a website root. |
| Monitoring & analytics | |
get_performance_metrics | Real-time connection-pool performance and recommendations. |
get_pool_statistics | Detailed connection-pool statistics. |
get_security_metrics | Failed authentications and threat signals. |
Runs on Node.js 20+. Configuration is environment-variable only — no sprawling config files. Register it with any MCP client and your agent discovers the guarded surface.
{
"mcpServers": {
"ssh-mcp": {
"command": "node",
"args": ["/path/to/ssh-mcp/dist/index.js"],
"env": { "SSH_MAX_IDLE_TIME": "30000" }
}
}
}
# Ask the agent in plain language: Connect to the prod server and show me nginx status. # Under the hood, on a leash: quick_connect(prod) → execute_remote_command("systemctl status nginx") # guard checks scope · runs · returns output · reaps the session
SSH-MCP is the flagship of our open-source agentic-infrastructure toolchain — the same boundary we deploy and harden for client teams running agents against real infrastructure.
We design, deploy and harden the authorization layer for teams running AI agents against real infrastructure. Tell us what you’re trying to ship.
Book a build call →