| Version | Supported |
|---|---|
| 0.1.x | ✅ |
We take security issues seriously. If you discover a security vulnerability in the m2m-mcp-server-ssh-client, please follow these steps:
- Do not disclose the vulnerability publicly
- Email us at [email protected] with details about the vulnerability
- Allow us time to investigate and address the vulnerability
- We will coordinate the public disclosure with you once the issue is resolved
When using m2m-mcp-server-ssh-client:
- Always use host key verification in production environments
- Use SSH keys with appropriate permissions (600 on Unix systems)
- Create dedicated SSH keys for MCP connections rather than reusing existing ones
- Use passphrase-protected SSH keys
- Only disable host key verification (
--disable-host-key-checking) in trusted development environments - Consider using the key server (
--use-key-server) over HTTPS when possible - Keep the package and its dependencies updated
- Run with the least privileged user possible
The m2m-mcp-server-ssh-client includes several security features:
- SSH protocol for secure communication
- Host key verification to prevent man-in-the-middle attacks
- Support for passphrase-protected keys
- HTTPS-first approach for key server communication
- Input validation to prevent command injection
- Auto-generation of secure Ed25519 SSH keys
- Secure temporary file handling
- Permission checking for SSH key files
- Sensitive data masking in logs