Skip to main content

Local-first SSH host and credential manager for humans and AI agents — OS-keychain vault, loopback web UI, agent-safe by design

Project description

SSH Server Manager

A local-first SSH host and credential manager for humans and AI agents. One CLI (serverctl) and a loopback-only web UI to add, import, test, and connect to your servers — with every password and passphrase stored in your operating system's native credential vault, never in a plaintext file.

test PyPI release license

简体中文说明 · Documentation · Security model · Website

🤖 Using an AI agent? The skill deploys to every agent on your machine in one line — dependencies, links, and health check included. See the agent deployment guide.


Why this exists

Most SSH managers make you choose between convenience and custody:

  • Cloud-synced clients (subscription GUIs) keep your credentials on someone else's infrastructure.
  • Plain ~/.ssh/config keeps you in control but handles no passwords, no vault, and gives AI coding agents an easy way to leak secrets.
  • sshpass-style wrappers put passwords in files, env vars, or shell history.

SSH Server Manager is different by construction:

Property How
Secrets never touch disk in plaintext macOS Keychain / Windows Credential Locker / Linux Secret Service via keyring; unsafe backends are rejected as a hard error
Your ~/.ssh/config is never modified A separate managed config is rendered and included alongside it
The web UI is unreachable from the network Loopback-only bind, one-time launch token, CSRF + Origin checks, strict CSP
Revealing a stored secret requires re-auth WebAuthn passkey (Touch ID / Windows Hello) or an Argon2id master password; grants are single-use and expire in 30 s
AI agents can drive it without seeing secrets Every command has --json; SSH authentication happens through AskPass so secrets never appear in argv, env, logs, or model context
Host keys are always verified StrictHostKeyChecking is never weakened, by policy and by code

Quick start

git clone https://github.com/xiayh0107/servers-connect.git
cd servers-connect/ssh-server-manager
./scripts/bootstrap          # Windows: scripts\bootstrap.cmd
./scripts/serverctl doctor   # verify ssh, vault backend, and dependencies

Add a server and connect:

./scripts/serverctl credential add-password work-password   # prompts locally, stores in OS vault
./scripts/serverctl server add web1 --hostname web1.example.com --username deploy --credential work-password
./scripts/serverctl server test web1
./scripts/serverctl connect web1

Or import everything you already have:

./scripts/serverctl server import          # preview only
./scripts/serverctl server import --apply

Prefer a GUI? ./scripts/serverctl ui opens the local web interface in your browser with a one-time tokenized URL.

Features

  • Connection profiles — alias, host, port, user, project/scenario tags, notes, ordered ProxyJump chains (with cycle detection).
  • Three credential kinds — vault-backed passwords, private keys with optional vault-backed passphrases, and ssh-agent/OpenSSH defaults. Credentials are reusable across servers and protected against deletion while referenced.
  • OpenSSH import — parses your ~/.ssh/config (following Include), resolves each literal alias with ssh -G, previews before applying.
  • Managed config rendering — atomic, user-only-permission writes to ~/.ssh/ssh-server-manager.conf; your original config always loads last so unrelated defaults keep working.
  • Connection testingserver test reports latency and a classified error code (authentication-failed, host-key-untrusted, timeout, dns-failed, …) and records history.
  • Remote executionserverctl exec alias -- cmd args, with --shell for pipelines, --stdin/--stdin-binary for streaming files, --reuse N for ControlMaster connection sharing (macOS/Linux), and --json for machine-readable results.
  • Local web UI — manage servers and credentials, test connections, create/rename/delete tags and bulk-assign searchable hosts, choose system/light/dark themes, import config, browse remote directories read-only over SFTP, copy file references for an agent, and reveal a stored secret after passkey or master-password re-authentication. Connection status expires instead of staying green.
  • Diagnosticsserverctl doctor checks ssh availability and version, SFTP availability, vault backend safety, database and config paths, and Python dependencies.

Platform support

macOS Linux Windows
CLI + web UI
Credential vault Keychain Secret Service (gnome-keyring / KWallet / KeePassXC) Credential Locker
Secret reveal re-auth Touch ID passkey or master password passkey or master password Windows Hello passkey or master password
Connection reuse (--reuse) — (OpenSSH ControlMaster needs Unix sockets; a warning is printed)

Details and headless-server notes: docs/platforms.md. CI runs the full test suite on all three platforms.

For AI agents

This project ships as an Agent Skill (SKILL.md) so Claude Code, Codex, and other agents can manage servers safely: agents get structured JSON output and connection error classification, while the AskPass architecture keeps secrets out of the model's context by design.

Deploy the skill with one line:

curl -fsSL https://raw.githubusercontent.com/xiayh0107/servers-connect/main/install.sh | sh

It links the skill into every detected agent (~/.claude/skills, ~/.codex/skills, …), installs dependencies, and runs doctor. Windows uses install.ps1. See docs/ai-agents.md.

Documentation

Doc Contents
docs/installation.md Per-platform install, requirements, bootstrap
docs/quickstart.md First 10 minutes, common workflows
docs/cli.md Complete serverctl reference
docs/web-ui.md Web UI walkthrough and its security gates
docs/security.md Threat model and security invariants
docs/platforms.md Platform-specific behavior, headless Linux
docs/ai-agents.md Using with Claude Code / Codex / MCP
docs/faq.md Troubleshooting and common questions

License

MIT

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

ssh_server_manager-0.4.0.tar.gz (82.4 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

ssh_server_manager-0.4.0-py3-none-any.whl (75.6 kB view details)

Uploaded Python 3

File details

Details for the file ssh_server_manager-0.4.0.tar.gz.

File metadata

  • Download URL: ssh_server_manager-0.4.0.tar.gz
  • Upload date:
  • Size: 82.4 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.13.1

File hashes

Hashes for ssh_server_manager-0.4.0.tar.gz
Algorithm Hash digest
SHA256 3bab8aeb6055f89790263d31a3927dfab7baf5d372fa58904265a2ba47a97c98
MD5 55b4d629d0fedcf9d416cdf4b9f8333f
BLAKE2b-256 009cc6f71308fe8b95582c1ca865ac6250021ad1a4a9616f9b57f17c280a8801

See more details on using hashes here.

File details

Details for the file ssh_server_manager-0.4.0-py3-none-any.whl.

File metadata

File hashes

Hashes for ssh_server_manager-0.4.0-py3-none-any.whl
Algorithm Hash digest
SHA256 d88532a6c2ce039272777e62ed2857d6cad1d8ef194122b96572234eb201a81e
MD5 3726ca7b0bbd3ebc53bd4432da2a72ea
BLAKE2b-256 d3b23325fc1f39e214f2974bfad9182df31ef32f2a69ff67bb9793fa573a89d3

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page