luoshuijs/ssh-mcp

ssh-mcp

Rust stdio MCP server for SSH operations using russh.

Supported SSH config fields

  • Host
  • HostName
  • User
  • Port
  • IdentityFile
  • IdentitiesOnly
  • ForwardAgent is parsed and surfaced; remote agent forwarding is not guaranteed in the first version.

Unsupported OpenSSH directives such as Include, Match, ProxyJump, and ProxyCommand are not implemented.

Authentication

The server uses SSH_AUTH_SOCK for SSH agent authentication. 1Password SSH agent works when 1Password exposes a standard SSH agent socket and SSH_AUTH_SOCK points to it. Configured IdentityFile entries are used as fallback authentication methods. IdentitiesOnly yes disables agent identity iteration and uses configured identity files only.

Runtime settings

  • SSH_MCP_HOST_KEY_POLICY: strict, accept-new, or insecure-accept-any. Defaults to accept-new.
  • SSH_MCP_SESSION_IDLE_TIMEOUT_MS: default wait timeout for read_shell when no per-call timeout is supplied. Defaults to 30 minutes.
  • SSH_MCP_MAX_TRANSFER_BYTES: SFTP payload limit. Defaults to 8 MiB.
  • SSH_MCP_MAX_OUTPUT_BYTES: command and shell output limit. Defaults to 1 MiB.

Host key policy

Host keys are checked against the ssh-mcp trust store, the file ssh-mcp/host_keys.json under the platform config directory returned by dirs::config_dir().

  • strict: require the host key to already exist in the trust store and match.
  • accept-new: trust and store first-seen host keys, then reject changed keys.
  • insecure-accept-any: accept host keys without checking or storing them.

Unix permission hardening rejects group/world-writable trust store paths. On Windows, ssh-mcp relies on the user's profile and config-directory ACLs; it does not perform additional Windows ACL validation.
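
The three policies and the Unix writability check described above, sketched as an added example; this is not code from the ssh-mcp repository. The type and function names, the in-memory map standing in for host_keys.json, the "host:port" key, the fingerprint strings, and the rejection of unknown policy values are all assumptions.

```rust
// Added example, not ssh-mcp source. Names, the in-memory store and the
// fingerprint strings are assumptions made for illustration.
use std::collections::HashMap;

#[derive(Clone, Copy, Debug, PartialEq)]
pub enum Policy { Strict, AcceptNew, InsecureAcceptAny }

#[derive(Debug, PartialEq)]
pub enum Verdict { Trusted, TrustedAndStored, Rejected(&'static str) }

/// Map an SSH_MCP_HOST_KEY_POLICY value to a policy; unset means accept-new.
/// Rejecting unknown values (instead of falling back) is an assumption.
pub fn parse_policy(value: Option<&str>) -> Result<Policy, String> {
    match value {
        None | Some("accept-new") => Ok(Policy::AcceptNew),
        Some("strict") => Ok(Policy::Strict),
        Some("insecure-accept-any") => Ok(Policy::InsecureAcceptAny),
        Some(other) => Err(format!("unknown host key policy: {}", other)),
    }
}

/// Decide whether a connection to `host` presenting `fingerprint` may proceed.
pub fn check_host_key(policy: Policy, store: &mut HashMap<String, String>,
                      host: &str, fingerprint: &str) -> Verdict {
    if policy == Policy::InsecureAcceptAny {
        return Verdict::Trusted; // no lookup, nothing stored
    }
    let known = store.get(host).cloned();
    match known.as_deref() {
        Some(k) if k == fingerprint => Verdict::Trusted,
        Some(_) => Verdict::Rejected("host key changed"),
        None if policy == Policy::AcceptNew => {
            store.insert(host.to_string(), fingerprint.to_string());
            Verdict::TrustedAndStored
        }
        None => Verdict::Rejected("unknown host under strict policy"),
    }
}

/// Unix mode bits: a trust store path writable by group or others is unsafe.
pub fn mode_is_safe(mode: u32) -> bool { mode & 0o022 == 0 }

fn main() {
    let mut store = HashMap::new();
    let policy = parse_policy(None).unwrap();
    println!("{:?}", check_host_key(policy, &mut store, "db1:22", "SHA256:constructed-A"));
    println!("{:?}", check_host_key(policy, &mut store, "db1:22", "SHA256:constructed-B"));
    println!("{:?}", mode_is_safe(0o664));
}
```

Under accept-new the first connection decides what is trusted, so a deployment that pre-populates the trust store and sets strict removes that first-use window.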

Tools

  • list_hosts: list hosts parsed from the default SSH config.
  • run_command: run a command on a configured SSH host.
  • Shell tools: open_shell, write_shell, read_shell, and close_shell.
  • SFTP tools: sftp_list, sftp_upload, sftp_download, sftp_remove, and sftp_mkdir.
  • Forwarding tools: forward_local, forward_remote, forward_dynamic, and close_forward.

Tool responses use MCP JSON content. SFTP upload reads the local file at local_path and writes it to remote_path on the remote host. SFTP download reads remote_path on the remote host and writes it to the local local_path. Both directions are limited by SSH_MCP_MAX_TRANSFER_BYTES.

Build

cargo build --release

MCP client configuration

Configure the MCP client to start the compiled ssh-mcp binary over stdio.

Example shape:

{
  "mcpServers": {
    "ssh-mcp": {
      "command": "/path/to/ssh-mcp"
    }
  }
}

Use the exact configuration format required by your MCP client.
