Execute SSH commands on remote hosts through a self-hosted SSH Vault instance.
The user has deployed SSH Vault via Docker. Ask for their vault URL if it is not known.
Required env vars:
- SSH_VAULT_URL — vault URL
- SSH_VAULT_AGENT_PRIVATE_KEY — agent Ed25519 private key (base64)
- SSH_VAULT_AGENT_PUBLIC_KEY — agent Ed25519 public key (base64)

The agent fingerprint is derived automatically from the public key.
```
docker run -d -p 3001:3001 \
  -v vault-data:/app/data \
  -v vault-config:/app/config \
  qsobad/ssh-vault-mcp:latest
```

Note that `-p 3001:3001` publishes the port on every host interface. If the vault should only be reachable from the host itself, bind it to loopback with `-p 127.0.0.1:3001:3001`.
- /app/config/config.yml — auto-created with localhost defaults if missing
- /app/data — encrypted vault storage

Execute a command:
node scripts/vault.mjs exec <host> <command> [timeout]
Happy path (cached session present): returns { stdout, stderr, exitCode } immediately.
No session: the command is not run yet; instead a needsApproval hand-off is returned:
{ "needsApproval": true, "approvalUrl": "...", "listenUrl": "...", "execRequestId": "..." }
Show approvalUrl to the user; it opens the /approve-exec page, which displays the host and the exact command awaiting approval. Then read listenUrl (SSE) for the result:
```
data: {"status":"pending"}
data: {"status":"approved"}
data: {"status":"executing"}
data: {"status":"completed","stdout":"...","stderr":"...","exitCode":0,"sessionId":"..."}
```
Save sessionId to /tmp/ssh-vault-session.json; subsequent commands sent with the cached session skip approval. The approval page therefore shows the user only the first command: everything run afterwards with that session executes without a prompt, so treat the cached session file as a credential (it sits in the shared /tmp directory; check that it is readable only by this user).

Shell metacharacters (&&, ;, |, $(), backticks) are passed through to the remote shell unchanged. A command assembled from untrusted input is therefore a command-injection vector: quote any interpolated values, or avoid interpolation entirely, before handing the string to exec.
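The client side of the exec flow above, as an added example that is not code from the ssh-vault-mcp project: it classifies the two shapes of exec response, parses the SSE stream into the final result, keeps the session ID in an in-memory store standing in for /tmp/ssh-vault-session.json, and quotes arguments before they are interpolated into a command string. The SSE body, the exec responses and the URL values are constructed samples, and all function names are assumptions.

```javascript
// Added example, not part of the ssh-vault-mcp project. Network I/O is
// replaced with constructed inputs so the logic can be exercised offline.

// Single-quote an argument so the remote shell receives it literally. The
// vault forwards &&, ;, |, $() and backticks unchanged, so anything built
// from untrusted input must be quoted before it reaches `exec`.
function shellQuote(arg) {
  return "'" + String(arg).replace(/'/g, "'\\''") + "'";
}

// Assemble `program arg...` with every element quoted.
function buildCommand(program, args) {
  return [program, ...args].map(shellQuote).join(" ");
}

// Parse a raw SSE body into JSON payloads. Events are separated by a blank
// line; a multi-line event joins its data: lines with "\n"; comment lines
// (starting with ":") and other fields are ignored.
function parseSseEvents(body) {
  const events = [];
  for (const frame of body.split(/\r?\n\r?\n/)) {
    const data = frame
      .split(/\r?\n/)
      .filter((line) => line.startsWith("data:"))
      .map((line) => line.slice("data:".length).trimStart());
    if (data.length === 0) continue; // empty frame or comment-only keepalive
    events.push(JSON.parse(data.join("\n")));
  }
  return events;
}

const KNOWN_STATUSES = new Set(["pending", "approved", "executing", "completed"]);

// Walk the status events until "completed" and return the result fields.
// A status the page does not document is an error, not something to skip.
function resultFromSse(body) {
  for (const ev of parseSseEvents(body)) {
    if (!KNOWN_STATUSES.has(ev.status)) {
      throw new Error(`unexpected status: ${ev.status}`);
    }
    if (ev.status === "completed") {
      const { stdout, stderr, exitCode, sessionId } = ev;
      return { stdout, stderr, exitCode, sessionId };
    }
  }
  throw new Error("stream ended before completion");
}

// Classify the JSON returned by `vault.mjs exec`. With a cached session the
// vault answers with the result directly; otherwise it returns the approval
// hand-off that must be shown to the user.
function handleExecResponse(resp) {
  if (resp.needsApproval) {
    const { approvalUrl, listenUrl, execRequestId } = resp;
    return { kind: "approval", approvalUrl, listenUrl, execRequestId };
  }
  const { stdout, stderr, exitCode } = resp;
  return { kind: "result", stdout, stderr, exitCode };
}

// In-memory stand-in for /tmp/ssh-vault-session.json. Whoever holds this
// value can run commands without a further prompt, so a real store should be
// a file with mode 0600 in a directory only this user can read.
function createSessionStore() {
  let sessionId = null;
  return {
    get: () => sessionId,
    set: (id) => { sessionId = id; },
    clear: () => { sessionId = null; },
  };
}

// Constructed sample stream in the shape documented above, plus one
// comment-only keepalive frame that a parser must tolerate.
const SAMPLE_SSE = [
  "data: {\"status\":\"pending\"}",
  "",
  ": keepalive",
  "",
  "data: {\"status\":\"approved\"}",
  "",
  "data: {\"status\":\"executing\"}",
  "",
  "data: {\"status\":\"completed\",\"stdout\":\"ok\\n\",\"stderr\":\"\",\"exitCode\":0,\"sessionId\":\"sess-123\"}",
  "",
].join("\n");

// Full flow for the no-session case, driven by the constructed inputs.
function demoFlow() {
  const store = createSessionStore();
  const firstResponse = handleExecResponse({
    needsApproval: true,
    approvalUrl: "https://vault.example/approve-exec?id=req-1", // assumed URL shape
    listenUrl: "https://vault.example/listen/req-1",           // assumed URL shape
    execRequestId: "req-1",
  });
  if (firstResponse.kind !== "approval") throw new Error("expected approval hand-off");
  const result = resultFromSse(SAMPLE_SSE); // stream that would be read from firstResponse.listenUrl
  store.set(result.sessionId);
  return { command: buildCommand("ls", ["-la", "/tmp/my dir"]), result, cached: store.get() };
}
```

shellQuote uses the POSIX single-quote idiom (close quote, escaped quote, reopen), so a value such as `a'b; rm -rf /` reaches the remote shell as one literal argument; this is the quoting that the vault itself does not perform. resultFromSse deliberately fails on a status it does not recognise rather than waiting forever, and the keepalive frame in the sample shows why comment-only frames must be skipped rather than parsed as JSON.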
node scripts/vault.mjs status # Vault lock status
node scripts/vault.mjs session # Cached session info
node scripts/vault.mjs register # Register agent
node scripts/vault.mjs check-unlock <id> # Check unlock & get session
node scripts/vault.mjs hosts # List hosts (needs session)
Hosts can be added by the agent via the API. The agent supplies only the connection details (name, IP, user, port, auth type); the user enters the credential (password or key) on the approval page rather than passing it to the agent:
node scripts/vault.mjs request-host <name> <ip> <user> [port] [authType]
Troubleshooting:
- needsApproval → show approvalUrl to the user and listen on the SSE listenUrl
- Host not found → check the host list with hosts
- Agent not registered → run register