ssh-mcp-pro is a secure Model Context Protocol (MCP) server for SSH automation, enabling clients to open SSH sessions, run commands, manage files, transfer artifacts, create tunnels, and perform package/service operations under policy control.
Claim it to get a verified publisher badge, a free copy of our full audit findings, and direct contact for any high-priority issues we find.
Install from
M8ven verifies MCPs across every public registry — install directly from whichever one you prefer.
process.env. You'll be asked to provide them before it can run.ACCESS_TOKEN_TTL_SECONDSAGENT_WS_PATHAUTH_ALLOWED_GITHUB_IDSAUTH_ALLOWED_GITHUB_LOGINSAUTH_ALLOW_ALL_USERSAUTH_CODE_TTL_SECONDSCOMMIT_RANGECONTROL_PLANE_SIGNING_KEY_PATHComSpecDATABASE_URLENROLLMENT_TOKEN_TTL_SECONDSGITHUB_CALLBACK_URLGITHUB_CLIENT_IDGITHUB_CLIENT_SECRETGITHUB_PR_TITLEGITHUB_STEP_SUMMARYJWT_SIGNING_KEY_PATHKNOWN_HOSTS_PATH— The parser also accepts non-SSH_MCP_ compatibility aliases PORT, , and STRICT_HOST_KEY_CHECKING.LOG_FORMATLOG_LEVELMAX_ACTION_TIMEOUT_SECONDSMAX_OUTPUT_BYTESMCP_RESOURCE_URLOAUTH_DCR_MAX_CLIENTSPORT— The parser also accepts non-SSH_MCP_ compatibility aliases , KNOWN_HOSTS_PATH, and STRICT_HOST_KEY_CHECKING.PR_TITLEPUBLIC_BASE_URLRUN_SSH_E2ERUN_SSH_INTEGRATIONSSHAUTOMATOR_AGENT_CONFIGSSHAUTOMATOR_DATABASE_URLSSHAUTOMATOR_GITHUB_CALLBACK_URLSSHAUTOMATOR_MCP_RESOURCE_URLSSHAUTOMATOR_PUBLIC_BASE_URLSSHAUTOMATOR_REMOTE_AGENT_CONTROL_PLANESSHAUTOMATOR_TEST_GITHUB_IDSSHAUTOMATOR_TEST_GITHUB_LOGINSSH_AUTH_SOCKSSH_DEFAULT_KEY_DIRSSH_FIXTURE_TIMEOUT_MSSSH_FIXTURE_UP_ATTEMPTSSSH_FIXTURE_UP_RETRY_DELAY_MSSSH_MCP_ALLOWED_CIPHERS— empty Optional SSH cipher allowlist.SSH_MCP_ALLOWED_HOSTS— empty Host allowlist for policy and remote connector safety checks.SSH_MCP_ALLOW_DESTRUCTIVE_COMMANDS— false Allows commands matching destructive command policy.SSH_MCP_ALLOW_DESTRUCTIVE_FS— false Allows destructive filesystem operations such as fs_rmrf.SSH_MCP_ALLOW_RAW_SUDO— false Allows raw proc_sudo; prefer ensure_ tools.SSH_MCP_ALLOW_ROOT_LOGIN— false Allows SSH login as root and mirrors into policy.SSH_MCP_CHATGPT_EXTRA_TOOLSSSH_MCP_CLAUDE_EXTRA_TOOLSSSH_MCP_COMMAND_ALLOW— empty Command allow patterns.SSH_MCP_COMMAND_DENY— empty Command deny patterns.SSH_MCP_COMMAND_TIMEOUT— 30000 Default remote command timeout in milliseconds.SSH_MCP_CONNECTOR_CREDENTIAL_COMMAND— unset External credential command when provider is command.SSH_MCP_CONNECTOR_CREDENTIAL_COMMAND_ARGS— empty Arguments passed to the external credential command.SSH_MCP_CONNECTOR_CREDENTIAL_COMMAND_TIMEOUT_MS— 5000 Credential command timeout in milliseconds.SSH_MCP_CONNECTOR_CREDENTIAL_PROVIDER— none Credential provider: none, agent, or command.SSH_MCP_CONNECTOR_DEFAULT_USERNAME— unset Default username for connector broker flows.SSH_MCP_CONNECTOR_PROFILE— full Alias for SSH_MCP_TOOL_PROFILE.SSH_MCP_DAEMONSSH_MCP_DEBUG— false Enables debug-oriented configuration behavior.SSH_MCP_ENABLE_LEGACY_SSE— false Enables legacy SSE compatibility.SSH_MCP_HOST_KEY_POLICY— strict Host-key mode: strict, accept-new, or insecure.SSH_MCP_HTTP_ALLOWED_ORIGINSSSH_MCP_HTTP_AUTH_MODE— bearer HTTP auth mode: bearer or oauth.SSH_MCP_HTTP_BEARER_TOKENSSH_MCP_HTTP_BEARER_TOKEN_FILE— unset Bearer token file for HTTP transport. Required for non-loopback bearer deployments.SSH_MCP_HTTP_HOST— 127.0.0.1 Streamable HTTP bind host.SSH_MCP_HTTP_MAX_REQUEST_BODY_BYTES— 1048576 Maximum HTTP request body size.SSH_MCP_HTTP_MAX_SESSIONSSSH_MCP_HTTP_PORT— 3000 Streamable HTTP bind port.SSH_MCP_HTTP_PUBLIC_URL— unset Stable public HTTPS MCP URL for protected resource metadata.SSH_MCP_HTTP_SESSION_IDLE_TTL_MS— 900000 HTTP MCP session idle timeout in milliseconds. Use 300000 for ChatGPT/Cloudflare production deployments where clients may abandon sessions without DELETE.SSH_MCP_HTTP_TRUST_PROXY— false Trust reverse proxy forwarded headers.SSH_MCP_KNOWN_HOSTS_PATH— ~/.ssh/known_hosts Known hosts file used for strict host-key verification.SSH_MCP_LOCAL_PATH_ALLOW_PREFIXES— OS temp directory Local paths allowed for transfer operations.SSH_MCP_LOCAL_PATH_DENY_PREFIXES— empty Local paths denied for transfer operations.SSH_MCP_MAX_COMMAND_OUTPUT_BYTES— 1048576 Maximum buffered stdout/stderr bytes per command result.SSH_MCP_MAX_FILE_SIZE— 10485760 Maximum bytes returned by text-focused file reads.SSH_MCP_MAX_FILE_WRITE_BYTES— 10485760 Maximum accepted write payload before buffering.SSH_MCP_MAX_SESSIONS— 20 Maximum concurrent SSH sessions.SSH_MCP_MAX_STREAM_CHUNKS— 4096 Maximum retained streaming chunks.SSH_MCP_MAX_TRANSFER_BYTES— 52428800 Maximum upload or download transfer size.SSH_MCP_OAUTH_ALLOWED_ALGORITHMS— unset Optional comma-separated JWT algorithm allowlist, for example RS256,ES256. When unset, the built-in OAuth verifier defaults are used.SSH_MCP_OAUTH_AUDIENCE— unset Expected OAuth audience.SSH_MCP_OAUTH_ISSUER— unset Expected OAuth issuer.SSH_MCP_OAUTH_JWKS_URL— unset OAuth JWKS URL.SSH_MCP_OAUTH_REQUIRED_SCOPES— ssh-mcp-pro.read Required OAuth scopes.SSH_MCP_OAUTH_RESOURCE— unset OAuth protected resource identifier.SSH_MCP_ONESHOTSSH_MCP_PATH_ALLOW_PREFIXES— /tmp,/var/tmp,/home,/Users Remote path prefixes allowed by filesystem policy.SSH_MCP_PATH_DENY_PREFIXES— /etc/sudoers,/etc/shadow,/etc/passwd,/boot,/dev,/proc Remote path prefixes denied by filesystem policy.SSH_MCP_POLICY_FILE— unset JSON file containing partial policy overrides.SSH_MCP_POLICY_MODE— enforce Policy decision mode: enforce or explain.SSH_MCP_RATE_LIMIT— true Enables the global MCP request rate limiter.SSH_MCP_RATE_LIMIT_MAX— 100 Maximum requests per rate-limit window.SSH_MCP_RATE_LIMIT_PER_SESSION— true Enables per-session MCP request rate limiting when tool arguments include sessionId.SSH_MCP_RATE_LIMIT_PER_SESSION_MAX— 50 Maximum requests per SSH session per rate-limit window.SSH_MCP_RATE_LIMIT_PER_SESSION_WINDOW_MS— 60000 Per-session rate-limit window in milliseconds.SSH_MCP_RATE_LIMIT_WINDOW_MS— 60000 Rate-limit window in milliseconds.SSH_MCP_REMOTE_AGENT_CONTROL_PLANESSH_MCP_REMOTE_AGENT_MCP_PASSTHROUGH— unset When enabled with 1, true, yes, or on, lets /mcp requests bypass the remote control plane and reach the Streamable HTTP MCP handler. Use only for connector routing migrations.SSH_MCP_SESSION_TTL— 900000 Session time-to-live in milliseconds.SSH_MCP_STRICT_HOST_KEY— unset Legacy boolean alias for strict vs insecure host-key checking.SSH_MCP_TOOL_PROFILE— full Active tool exposure profile.SSH_MCP_TUNNEL_ALLOW_BIND_HOSTS— 127.0.0.1,localhost,::1 Local bind hosts allowed for tunnels.SSH_MCP_TUNNEL_ALLOW_PORTS— empty Optional tunnel port allowlist.SSH_MCP_TUNNEL_ALLOW_REMOTE_HOSTS— empty Optional remote tunnel target host allowlist.SSH_MCP_TUNNEL_DENY_BIND_HOSTS— 0.0.0.0,:: Local bind hosts denied for tunnels.SSH_MCP_TUNNEL_DENY_PORTS— empty Optional tunnel port denylist.SSH_MCP_TUNNEL_DENY_REMOTE_HOSTS— empty Optional remote tunnel target host denylist.STRICT_HOST_KEY_CHECKING— The parser also accepts non-SSH_MCP_ compatibility aliases PORT, KNOWN_HOSTS_PATH, and .[](https://m8ven.ai/mcp/oaslananka-ssh-mcp-pro-1lwwxm)