Skip to main content

vssh — AI-native, drop-in ssh replacement (CLI binary + Python SDK)

Project description

vssh

CI PyPI License Release

AI asks. vssh answers.

"Show me my fleet"
"What services are running?"
"Check GPU status"
"Find all services on all servers"
"Suggest reallocation"

Just connect Claude and ask.

demo


Why vssh

vssh is not "SSH with a shorter command" — it is a different abstraction for when the operator is often an AI agent or automation runtime, not a person at a terminal.

OpenSSH vssh
Target prerequisite sshd + users + host keys + PAM one static binary, no sshd
Auth passwords / keys via PAM per-node Ed25519 VAUTH1; no shared secret
Transport SSH protocol TLS 1.3 + Ed25519 raw-key pinning
Command result raw text stream typed evidence (stdout/stderr/exit/duration)
Authorization shell = full access per-key capabilities + command policy
Audit none built in hash-chained record per action
AI / automation parse text MCP-native typed tools

Full comparison: docs/WHY_VSSH.md


AI Runtime Features

This is what makes vssh an AI execution runtime, not just an SSH replacement.

Feature What it does
Memory AI remembers each node's role, services, history
Intent "Check disk on web servers" → verified command plan
Workflow Predefined multi-step operations, invokable by name
Diff Human-readable audit log summaries
Policy Dangerous commands blocked by default
Evidence Typed results (stdout/stderr/exit/duration), not text
Audit Hash-chained, key-attributed, tamper-evident

MCP Tools

Category Tools
Memory vssh_memory — per-node role, services, tags, notes
Intent vssh_intent — natural language → command plan
Workflow vssh_workflow — multi-step flows by name
Diff vssh_diff — what changed, when, by whom
Execution vssh_exec, vssh_query, vssh_job
Fleet vssh_fleet, vssh_route, vssh_config

Install

Recommended — download, review, execute:

curl -fsSLO https://raw.githubusercontent.com/zeus-kim/vssh/main/install.sh
less install.sh        # inspect before running
chmod +x install.sh && ./install.sh

vssh recommends reviewing scripts before execution.

Fast — convenience install:

curl -fsSL https://raw.githubusercontent.com/zeus-kim/vssh/main/install.sh | bash

pip — Python SDK wrapper (auto-downloads Go binary on first run):

pip install vssh

Connect to Claude

vssh mcp-install --client claude   # or: cursor, codex, gemini

That's it. Restart Claude and ask about your fleet.


Quick start

On the target node, start the daemon:

vssh server                  # listens on :48291

Authorize a client by adding its public key to ~/.vssh/authorized_keys. Then, from the client:

vssh run web1 "df -h"        # run a command, get structured evidence
vssh web1                    # interactive shell (PTY)
vssh put ./app web1:/tmp/    # upload a file
vssh get web1:/var/log/x .   # download a file
vssh fwd web1 -L 8080:localhost:80   # port-forward
vssh                         # fleet dashboard

How it works

vssh client ──TLS 1.3──▶ vssh server ──▶ typed exec / file / job / RPC ──▶ structured evidence
            (Ed25519 pinned)   (:48291)
  1. Transport — TLS 1.3 with Ed25519 public key pinned (not a CA)
  2. Host identity — verified against trusted registry (default-on)
  3. Authentication — per-node Ed25519 challenge–response (VAUTH1)
  4. Policy + audit — commands gated, every action hash-chained
  5. Fleet state — signed, timestamped snapshot replicable to nodes

CLI reference

Execution
  vssh <node>                 Interactive PTY shell
  vssh run <node> <cmd>       Run a command (structured result)
  vssh run-many <n1,n2> <cmd> Run across nodes

Typed APIs
  vssh facts <node>           Typed host facts
  vssh rpc <node> <method>    Call a typed daemon RPC

Jobs
  vssh job-start <node> <cmd> / job-status / job-logs / job-cancel

Files & tunnels
  vssh put / get              Upload / download
  vssh fwd <node> -L/-R/-D    Port forwarding

Fleet
  vssh / vssh status          Dashboard
  vssh list                   List nodes
  vssh doctor                 Diagnose setup

Python SDK

from vssh import VSSH

client = VSSH()
client.exec("web1", "uptime")              # -> ExecResult
client.exec_many(["web1", "db1"], "uptime")
client.facts("web1")                        # typed host facts

See docs/PYTHON_SDK.md.


Security

  • Key-only auth — per-node Ed25519 (VAUTH1), no shared secret
  • Transport — TLS 1.3 with raw-key pinning
  • Policy — per-key capabilities + command allowlist
  • Audit — hash-chained, attributed, tamper-evident

Report vulnerabilities via GitHub Security Advisories.

Full model: SECURITY.md · docs/SECURITY_AUDIT_PACKAGE.md


Documentation

Building & contributing

make build      # build ./vssh
make test       # run tests
make release    # cross-compile for all platforms

See CONTRIBUTING.md.

License

Apache-2.0 — see LICENSE.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

vssh-4.3.4.tar.gz (1.2 MB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

vssh-4.3.4-py3-none-any.whl (14.5 kB view details)

Uploaded Python 3

File details

Details for the file vssh-4.3.4.tar.gz.

File metadata

  • Download URL: vssh-4.3.4.tar.gz
  • Upload date:
  • Size: 1.2 MB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.11.9

File hashes

Hashes for vssh-4.3.4.tar.gz
Algorithm Hash digest
SHA256 226076cb6d3e144302568c953243503e87127fc42b59d568274eb591fdee459d
MD5 2d026a57580151e7b2c68d54299d622a
BLAKE2b-256 359d955826c916cbda4f50f7fb793b1415266ef6808d9418cc8431e43632f84b

See more details on using hashes here.

File details

Details for the file vssh-4.3.4-py3-none-any.whl.

File metadata

  • Download URL: vssh-4.3.4-py3-none-any.whl
  • Upload date:
  • Size: 14.5 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.11.9

File hashes

Hashes for vssh-4.3.4-py3-none-any.whl
Algorithm Hash digest
SHA256 e015243671631e24895fb15c86b62b60107bd09c0f3f34139afedd365ea2efd4
MD5 85c34acfa86a2015e46035e0292ebc62
BLAKE2b-256 09c93ff309d6771d285fd2180fb84a8554342bcc8257e23adf83bb17dc22861f

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page