Python SSH MCP
经 AI Skill Hub 精选评估,Python SSH MCP 获评「推荐使用」。这款MCP工具在功能完整性、社区活跃度和易用性方面表现出色,AI 评分 7.5 分,适合有一定技术背景的用户使用。
📚 深度解析
通过安装 Python SSH MCP,你的 AI 助手将获得额外的工具调用能力,可以用自然语言直接操控该工具的功能,无需学习复杂的命令行语法。MCP 工具的核心价值在于"一次配置,永久增强"——配置完成后,每次与 AI 对话时都可以无缝调用这些工具。
在技术实现上,MCP 工具通过标准的 JSON-RPC 协议与 AI 客户端通信,工具的功能以"工具列表"的形式暴露给 AI 模型,AI 可以按需调用。Python SSH MCP 提供了结构化的工具调用接口,使 AI 模型能够精确地理解和使用每个功能点,显著降低 AI 在工具使用上的错误率。
与传统的 API 集成相比,MCP 工具的优势在于无需编写代码——用户只需在配置文件中添加几行 JSON,即可让 AI 获得全新能力。AI Skill Hub 将 Python SSH MCP 评为 AI 评分 7.5 分,属于同类工具中的优质选择。
📋 工具概览
Python SSH MCP 是一款遵循 MCP(Model Context Protocol)标准协议的 AI 工具扩展。通过 MCP 协议,它可以让 Claude、Cursor 等主流 AI 客户端直接访问和操作外部工具、数据源和服务,实现 AI 能力的无缝扩展。无论是文件操作、数据库查询还是 API 调用,都可以通过自然语言在 AI 对话中直接触发,极大提升生产效率。
📖 中文文档
Python SSH MCP 是一款遵循 MCP(Model Context Protocol)标准协议的 AI 工具扩展。通过 MCP 协议,它可以让 Claude、Cursor 等主流 AI 客户端直接访问和操作外部工具、数据源和服务,实现 AI 能力的无缝扩展。无论是文件操作、数据库查询还是 API 调用,都可以通过自然语言在 AI 对话中直接触发,极大提升生产效率。
- 通过标准 MCP 协议与 Claude、Cursor 等主流 AI 客户端深度集成
- 提供结构化工具调用接口,显著降低 AI 集成复杂度
- 支持 Claude Desktop 和 Claude Code 无缝接入,开箱即用
- 可与其他 MCP 工具组合叠加,构建完整 AI 工作站
- 轻量无侵入设计,不影响现有系统架构
- 在 Claude Desktop 对话中直接调用本地工具,实现 AI 与系统的深度联动
- 通过自然语言驱动复杂的多步骤自动化任务,代替繁琐手动操作
- 将多个 MCP 工具组合使用,构建个人专属 AI 工作站
# 方式一:通过 Claude Code CLI 一键安装
claude skill install https://github.com/Nightreaver/python-ssh-mcp
# 方式二:手动配置 claude_desktop_config.json
{
"mcpServers": {
"python-ssh-mcp": {
"command": "npx",
"args": ["-y", "python-ssh-mcp"]
}
}
}
# 配置文件位置
# macOS: ~/Library/Application Support/Claude/claude_desktop_config.json
# Windows: %APPDATA%/Claude/claude_desktop_config.json
- 确认已安装 Node.js(v18 或以上版本)
- 打开 Claude Desktop 或 Claude Code 的 MCP 配置文件
- 按「交给 Agent 安装 → Claude Desktop」标签中的 JSON 配置填入 mcpServers 字段
- 保存配置文件并重启 Claude 客户端
- 重启后,在对话中即可使用本工具
# 安装后在 Claude 对话中直接使用 # 示例: 用户: 请帮我用 Python SSH MCP 执行以下任务... Claude: [自动调用 Python SSH MCP MCP 工具处理请求] # 查看可用工具列表 # 在 Claude 中输入:"列出所有可用的 MCP 工具"
// claude_desktop_config.json 配置示例
{
"mcpServers": {
"python_ssh_mcp": {
"command": "npx",
"args": ["-y", "python-ssh-mcp"],
"env": {
// "API_KEY": "your-api-key-here"
}
}
}
}
// 保存后重启 Claude Desktop 生效
Python SSH MCP
An SSH MCP server built in Python on top of FastMCP. The goal: give an LLM real SSH access to many hosts while keeping fine-grained control over what it can and can't do. The configuration surface is deliberately broad — probably overkill if you just want a single ssh_exec tool, but it pays off once you start connecting more than one host or locking the agent down to specific paths, commands, and visibility tiers. If a tool you need isn't here, open an issue.
Currently implemented: 70 tools across 10 groups, 968 passing unit tests + 6 dockerized-sshd integration tests + an opt-in tests/e2e/ suite that drives every tool against the operator's real hosts.toml. Strict known_hosts by default, path-allowlist confinement on every path-bearing tool, SHA-256-hashed audit log, operator-pluggable hooks. Most tools return typed Pydantic results so MCP clients see real schemas in tools/list (not generic object); the few that legitimately produce merged or bimodal payloads stay as dict[str, Any] with the rationale documented at the function. POSIX SSH targets supported end-to-end; Windows SSH targets supported for SFTP + file-ops + ssh_file_hash via PowerShell -EncodedCommand (see ADR-0023); Docker CLI swappable for Podman via SSH_DOCKER_CMD / per-host docker_cmd.
Features
- MCP-compliant server exposing SSH over stdio (or HTTP if you prefer); transport speaks MCP directly, no shim.
- Four-tier access model —
read/low-access/dangerous/sudo. Each tier is toggled with its own env flag and enforced via FastMCPVisibilitytransforms. Default: read-only. - Ten tool groups orthogonal to tiers (
host,session,sftp-read,file-ops,exec,sudo,shell,docker,systemctl,pkg).SSH_ENABLED_GROUPStrims the catalog to what a given assistant actually needs. - 70 tools: see TOOLS.md for the complete per-tool reference. Highlights:
- Read-only probes (ping, host info, disk usage, processes, alerts, known-hosts verify)
- SFTP reads (list, stat, download, find) with remote-realpath confinement
- Low-access file ops (cp, mv, mkdir, delete, delete_folder, edit, patch, upload, deploy) — SFTP-first, atomic writes
- Exec tier with per-call timeout, streaming variant, and TTY-need hint in results
- Sudo tier (password piped via stdin, never argv; env passwords hard-rejected at startup)
- 22 Docker tools (ps, logs, inspect, stats, images, compose up/down/logs/..., container lifecycle, exec, run)
- 3 APT/package tools (
ssh_apt_list,ssh_apt_search,ssh_apt_show) — Debian/Ubuntu package inspection; non-Debian hosts get a cleanPlatformNotSupported - Persistent shell sessions with cwd tracking (no remote PTY, sentinel-based state)
- Strict
known_hosts— no auto-accept; unknown or mismatched keys fail closed. - Path confinement on everything — each path-bearing tool canonicalizes via remote
realpath(or SFTP realpath on Windows) and checks the allowlist, withrestricted_pathscarve-outs for sensitive zones. - Per-host policy in
hosts.toml— users, keys, allowlists, sudo mode, platform, proxy chains, alert thresholds, persistent-session opt-out. - Windows SSH target support for SFTP + file-ops (see ADR-0023); POSIX-only tools refuse Windows targets with a clean
PlatformNotSupportedthat names the missing capability. - Audit log — one JSON line per tool call (all tiers), paths/commands SHA-256-hashed,
errorfield is exception class only (full text stays at DEBUG locally). - Operator hooks: import any module via
SSH_HOOKS_MODULEforSTARTUP/SHUTDOWN/PRE_TOOL_CALL/POST_TOOL_CALLevents. Bounded per-hook timeout, exception isolation, backlog warning when pending tasks pile up. - Runbooks via FastMCP Skills — per-tool
SKILL.mdfiles give the LLM scoped how-to docs on demand. - BM25 tool search (optional) — replaces
tools/listwithsearch_tools+call_toolonce 50+ schemas start eating context. - Tool catalog overview logged at startup (per-tier and per-group counts) so operators can see exactly what the LLM will be offered.
Installation
Python SSH MCP is a standard PEP 621 Python package (hatchling build backend). Use whichever installer you prefer — uv is the recommended path:
```bash uv sync # create .venv + install runtime deps + dev extras uv run ssh-mcp # start the server on stdio
Or without syncing a venv first — build + run in an ephemeral environment:
uvx --from . ssh-mcp
Plain pip also works (PEP 517):
pip install -e ".[dev]" ssh-mcp
FastMCP shortcuts (once the package is installed):
fastmcp dev inspector # dev UI: MCP Inspector + hot reload; auto-finds fastmcp.json fastmcp run # run the server; auto-finds fastmcp.json fastmcp run -t http -p 8000 # HTTP transport instead of stdio ```
Optional dependency groups:
.[tasks]— adds the Redis client (redis>=5.0.0) for a production task backend. The FastMCP tasks runtime itself (docket, in-memory by default) is a hard dep viafastmcp[tasks]and ships regardless — install this extra only when pointingFASTMCP_DOCKET_URLat a real Redis (task-loss on restart matters in prod withALLOW_DANGEROUS_TOOLS=true; see_warn_task_backend)..[telemetry]— OpenTelemetry distro + OTLP exporter..[dev]— pytest, ruff, mypy.
MCP clients (Claude Desktop, Claude Code, Cursor) discover the server via fastmcp.json.
Client Setup
Every major MCP client accepts a JSON snippet that tells it how to spawn the server. The shape is standardized around an mcpServers object — only the file path differs per client. Pick your client, paste the snippet into the right file, restart the client so the subprocess is respawned.
Heads-up:fastmcp.json'sdeployment.envblock (if you keep one in the project) overrides the client env unconditionally — keep tier flags out of that block and let them come from the client config or your.env. If the client appears to hold a stale subprocess after code changes, see Troubleshooting — most clients spawn and own the server subprocess, so a terminal-side restart is not enough.
The base snippet (used by Claude Desktop, Cursor, Windsurf, Kilocode — most clients speak this dialect):
{
"mcpServers": {
"ssh-mcp": {
"command": "uvx",
"args": ["--from", "git+https://github.com/Nightreaver/python-ssh-mcp", "ssh-mcp"],
"env": {
"LOG_LEVEL": "INFO",
"ALLOW_LOW_ACCESS_TOOLS": "false",
"ALLOW_DANGEROUS_TOOLS": "false",
"ALLOW_SUDO": "false"
}
}
}
}uvx --from <path> ssh-mcp builds and runs the server in an ephemeral uv-managed environment; no persistent venv needed on the client side. Alternative: replace with "command": "fastmcp", `"args": ["run", "<path-to-clone>/fastmcp.json"]` if you already have a venv with fastmcp on PATH.
Flip the ALLOW_* flags as you grant capability to the assistant. Keep read-only as the default and open the exec/sudo tiers only where you need them.
Quick Start
- Install python-ssh-mcp
- Write your first
hosts.tomlentry (Walkthrough §3) - Set up your MCP Client (Claude Desktop, Claude Code, Cursor, ...)
- Ask the LLM to run
ssh_host_pingagainst your target — verifies agent +known_hosts+ pool end-to-end - Flip the tier flags you need (
ALLOW_LOW_ACCESS_TOOLS,ALLOW_DANGEROUS_TOOLS,ALLOW_SUDO) and the LLM unlocks file ops, exec, sudo — see CONFIGURATION.md → Access tiers
CONFIGURATION.md — configuring more hosts, access tiers, allowlist/blocklist, tool groups, Docker/Podman, per-host SSH identity, known_hosts management, sudo. ADVANCED.md — runbooks (FastMCP Skills), hooks, observability, testing, key rotation, architecture, contributing.
→ 256 SHA256:abc123... web01.example.com (ED25519)
Compare that `SHA256:...` against a source you trust that is not the network you just scanned over: the host's provisioner output, a console session, a terraform output, the sysadmin's Signal message. **If they don't match, stop.** A typo or MITM would pin a hostile key as trusted.
4. Write `.env`
```bash
Optional safety rail
SSH_HOSTS_BLOCKLIST= ```
VS Code (GitHub Copilot Chat / Agent Mode)
VS Code's MCP support (1.102+) uses a slightly different key. Config file:
- Per-workspace:
<workspace>/.vscode/mcp.json - Global user settings:
settings.json→"mcp.servers"
Workspace .vscode/mcp.json:
{
"servers": {
"ssh-mcp": {
"type": "stdio",
"command": "uvx",
"args": ["--from", "git+https://github.com/Nightreaver/python-ssh-mcp", "ssh-mcp"],
"env": {
"LOG_LEVEL": "INFO",
"ALLOW_LOW_ACCESS_TOOLS": "false",
"ALLOW_DANGEROUS_TOOLS": "false",
"ALLOW_SUDO": "false"
}
}
}
}Note the top-level key is servers (not mcpServers) and each entry carries a "type": "stdio" discriminator. Reload the VS Code window (Developer: Reload Window) to respawn.
2b. Print the fingerprint and compare OUT-OF-BAND.
ssh-keygen -lf /tmp/web01.hostkey
Troubleshooting
高质量的MCP工具,易于使用
- 需要让 Claude / Cursor 操作本地工具的 AI 工程师
- 配置 MCP 服务器时建议使用 stdio 传输 + JSON-RPC,避免暴露公网
- API key 直接提交到 git 仓库(请用 .env 并加入 .gitignore)
- MCP 配置路径拼错或权限不足,重启 Claude Desktop 才生效
- Python 依赖冲突:建议用 venv / uv 隔离环境
- 云端托管:可放在 Vercel / Railway / Fly.io 等 PaaS 平台
⚡ 核心功能
- 通过标准 MCP 协议与 Claude、Cursor 等主流 AI 客户端深度集成
- 提供结构化工具调用接口,显著降低 AI 集成复杂度
- 支持 Claude Desktop 和 Claude Code 无缝接入,开箱即用
- 可与其他 MCP 工具组合叠加,构建完整 AI 工作站
- 轻量无侵入设计,不影响现有系统架构
- 需要让 Claude / Cursor 操作本地工具的 AI 工程师
- 配置 MCP 服务器时建议使用 stdio 传输 + JSON-RPC,避免暴露公网
- API key 直接提交到 git 仓库(请用 .env 并加入 .gitignore)
- MCP 配置路径拼错或权限不足,重启 Claude Desktop 才生效
- Python 依赖冲突:建议用 venv / uv 隔离环境
👥 适合人群
🎯 使用场景
- 在 Claude Desktop 对话中直接调用本地工具,实现 AI 与系统的深度联动
- 通过自然语言驱动复杂的多步骤自动化任务,代替繁琐手动操作
- 将多个 MCP 工具组合使用,构建个人专属 AI 工作站
⚖️ 优点与不足
- +GPL-3.0 协议,可免费商用
- +标准化 MCP 协议,生态互联性强
- +与 Claude 官方生态无缝对接
- +即插即用,配置简单快捷
- −依赖 Claude 客户端,非 Claude 用户无法使用
- −MCP 协议仍在持续演进,接口可能变更
- −需要一定的配置步骤
AI Skill Hub 为第三方内容聚合平台,本页面信息基于公开数据整理,不对工具功能和质量作任何法律背书。
建议在沙箱或测试环境中充分验证后,再部署至生产环境,并做好必要的安全评估。
⚠️ GPL 3.0 — 强 Copyleft,衍生作品须开源,含专利保护条款,不可闭源使用。
❓ 常见问题 FAQ
AI Skill Hub 点评:Python SSH MCP 的核心功能完整,质量良好。对于Claude Desktop / Claude Code 用户来说,这是一个值得纳入个人工具库的选择。建议先在非生产环境试用,再逐步推广。
| 原始名称 | python-ssh-mcp |
| 原始描述 | 开源MCP工具:A SSH MCP Server using FastMCP. Its builds on a sophisticated tools and permissi。⭐5 · Python |
| Topics | sshmcpfastmcp |
| GitHub | https://github.com/Nightreaver/python-ssh-mcp |
| License | GPL-3.0 |
| 语言 | Python |
收录时间:2026-05-28 · 更新时间:2026-05-30 · License:GPL-3.0 · AI Skill Hub 不对第三方内容的准确性作法律背书。