2026-02-09 · Authensor

How to Gate SSH Connections from AI Agents

SafeClaw by Authensor blocks SSH connections from AI agents by default, preventing unauthorized remote access to servers, lateral movement across infrastructure, and SSH key exfiltration. Install SafeClaw with npx @authensor/safeclaw and every SSH-related action — ssh, scp, sftp, SSH key generation, and key file reads — is denied and audit-logged.

Why SSH Connections Are Dangerous When AI Agents Do It

SSH provides authenticated shell access to remote machines. An agent that can SSH into a server inherits that server's permissions, file system, network position, and credentials. This enables lateral movement — the agent jumps from your workstation to a production server, then from there to a database host. SSH connections also bypass network-layer SafeClaw policies because commands executed on the remote host are not intercepted by your local SafeClaw instance. An agent that runs ssh prod-server 'rm -rf /app' executes the destructive command on the remote machine where SafeClaw is not enforcing policy. SSH key access compounds the risk: if the agent reads ~/.ssh/id_rsa, it can authenticate to any server that trusts that key.

The Exact SafeClaw Policy to Gate SSH

Add these rules to .safeclaw/policy.yaml:

rules:
  # Block SSH commands
  - id: deny-ssh
    action: shell.exec
    match:
      command: "ssh *"
    effect: deny
    audit: true
    message: "SSH connections are blocked for AI agents."

  - id: deny-scp
    action: shell.exec
    match:
      command: "scp *"
    effect: deny
    audit: true
    message: "SCP file transfers are blocked."

  - id: deny-sftp
    action: shell.exec
    match:
      command: "sftp *"
    effect: deny
    audit: true
    message: "SFTP connections are blocked."

  # Block SSH key generation
  - id: deny-ssh-keygen
    action: shell.exec
    match:
      command: "ssh-keygen*"
    effect: deny
    audit: true
    message: "SSH key generation is denied for AI agents."

  - id: deny-ssh-copy-id
    action: shell.exec
    match:
      command: "ssh-copy-id*"
    effect: deny
    audit: true
    message: "SSH key distribution is denied."

  # Protect SSH key files from reading
  - id: deny-read-ssh-keys
    action: file.read
    match:
      path: "*/.ssh/id_*"
    effect: deny
    audit: true
    message: "Reading SSH private keys is denied."

  - id: deny-read-ssh-config
    action: file.read
    match:
      path: "*/.ssh/config"
    effect: deny
    audit: true
    message: "Reading SSH config is denied."

  # Block SSH port connections at network level
  - id: deny-ssh-port
    action: network.request
    match:
      destination: "*:22"
    effect: deny
    audit: true
    message: "Outbound SSH port 22 connections are blocked."

This policy blocks SSH at four levels: the shell command, the key files on disk, the key generation tools, and the network port. Even if an agent finds a way to invoke an SSH client that is not named ssh, the port-level block catches it, as long as the server listens on port 22: the rule matches the destination port, not the protocol.

What Happens When the Agent Tries

When an agent attempts ssh deploy@prod-server:

  1. SafeClaw intercepts the shell.exec action.
  2. The deny-ssh rule matches ssh *.
  3. The command is blocked. No TCP connection to port 22.
  4. Audit entry:

     {
       "timestamp": "2026-02-13T14:05:29Z",
       "action": "shell.exec",
       "command": "ssh deploy@prod-server",
       "effect": "deny",
       "rule": "deny-ssh",
       "agent": "deploy-agent-03",
       "hash": "l1n7q4...chain"
     }

If the agent attempts to read ~/.ssh/id_rsa to exfiltrate the key, the deny-read-ssh-keys rule catches the file.read action separately, producing its own audit entry.

How to Allow SSH to Specific Hosts with Approval

For deployment agents that need to reach a controlled set of servers:

rules:
  - id: deny-read-ssh-keys
    action: file.read
    match:
      path: "*/.ssh/id_*"
    effect: deny
    audit: true
    message: "Reading SSH keys is denied. Use agent-specific keys."

  - id: approve-ssh-staging
    action: shell.exec
    match:
      command: "ssh staging-server"
    effect: approval
    audit: true
    approvers:
      - role: devops-engineer
    timeout: 120
    message: "SSH to staging requires DevOps approval."

  - id: deny-ssh-all
    action: shell.exec
    match:
      command: "ssh *"
    effect: deny
    audit: true
    message: "SSH is only allowed to staging-server with approval."

Even when SSH is approved for specific hosts, SSH key file reads remain hard-denied. The agent should use a dedicated agent-specific key provisioned through a secure mechanism, not the user's personal keys.

Verification

npx @authensor/safeclaw simulate --action 'shell.exec' --command 'ssh root@production'

Expected: deny, rule: deny-ssh-all

npx @authensor/safeclaw simulate --action 'file.read' --path '/home/user/.ssh/id_rsa'

Expected: deny, rule: deny-read-ssh-keys
