DEV.co
Open-Source Security · ssh-mitm

ssh-mitm

SSH-MITM is a Python-based tool for intercepting and auditing SSH connections in real time. It sits between SSH clients and servers, capturing credentials, manipulating file transfers, monitoring sessions, and testing SSH client vulnerabilities—designed for authorized penetration testing and security research only.

Source: GitHub — github.com/ssh-mitm/ssh-mitm
1.5k
GitHub stars
155
Forks
Python
Primary language
GPL-3.0
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
Repositoryssh-mitm/ssh-mitm
Ownerssh-mitm
Primary languagePython
LicenseGPL-3.0 — OSI-approved
Stars1.5k
Forks155
Open issues6
Latest release5.0.1 (2025-01-22)
Last updated2026-06-26
Sourcehttps://github.com/ssh-mitm/ssh-mitm

What ssh-mitm is

SSH-MITM terminates both SSH client and server sides independently, forwarding traffic while logging authentication, intercepting SCP/SFTP, enabling command injection via mirror shells, and detecting SSH client vulnerabilities through key negotiation analysis. It supports MOSH, PowerShell remoting, port forwarding interception, and plugin extensibility.

Quickstart

Get the ssh-mitm source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/ssh-mitm/ssh-mitm.gitcd ssh-mitm# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

Authorized penetration testing of SSH infrastructure

Deploy SSH-MITM between client and server to capture credentials, monitor sessions, inject commands, and test for known SSH client vulnerabilities in controlled, authorized environments.

SSH client vulnerability assessment and protocol research

Use as a lab tool to analyze SSH client behavior, discover authentication weaknesses, and test FIDO2 token phishing or trivial authentication attacks in isolated research settings.

File transfer and session integrity audits

Intercept and manipulate SCP/SFTP transfers, monitor PowerShell remoting sessions, and capture file contents to verify data-in-transit exposure in authorized assessments.

Implementation considerations

  • Requires network position between client and server (routing/DNS control or physical network access); transparent proxy setup requires Linux iptables or equivalent routing.
  • Latest version (5.0.1, Jan 2025) available via AppImage, pip, Flatpak, or Snap; for cutting-edge features, install directly from GitHub (pip install git+https://github.com/ssh-mitm/ssh-mitm.git).
  • Interactive tutorial accessible via `ssh-mitm tutorial` command; mirrors sessions on dynamic local ports; auditors must monitor logs and web UI simultaneously.
  • Plugin system allows custom authentication handlers, file transfer hooks, and session monitoring; requires Python development knowledge to extend.
  • Depends on Python runtime and standard SSH/cryptography libraries; no database or external services required for basic operation.

When to avoid it — and what to weigh

  • Production SSH traffic interception without explicit written authorization — Unauthorized SSH interception may be illegal. Deploy only on systems you own or have explicit written permission to test; monitor all use to remain compliant.
  • Reliance on SSH-MITM for continuous network monitoring — Designed for short-term audits and interactive investigation, not long-running traffic mirroring. For persistent monitoring, consider dedicated network analysis tools.
  • Expectation of seamless integration with existing security infrastructure — SSH-MITM is a standalone audit tool. Integration with SIEM, alerting, or authentication systems requires custom development via its plugin API.
  • Scenarios requiring passive-only, non-invasive observation — SSH-MITM is an active MITM proxy that terminates both sides. It cannot observe without becoming visible in the connection path and will affect latency and reliability.

License & commercial use

Licensed under GPL-3.0 (GNU General Public License v3.0). This is a copyleft license requiring any modifications or distributions to remain open-source under GPL-3.0.

GPL-3.0 is a copyleft license. Commercial use of SSH-MITM as-is is permitted, but: (1) distributing modified versions requires source code release under GPL-3.0; (2) linking or bundling with proprietary code requires legal review. Consult legal counsel before commercial deployment or integration. The project is open-source and not affiliated with a commercial vendor offering indemnification or support contracts.

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceActive
DocumentationStrong
License clarityClear
Deployment complexityLow
DEV.co fitGood
Assessment confidenceHigh
Security considerations

SSH-MITM is a penetration testing tool designed to intercept SSH traffic and credentials. Operational security considerations: (1) restrict network access to the MITM host and mirror shell ports to authorized auditors only; (2) log and audit all intercepted credentials and file transfers; (3) run in isolated lab environments unless explicitly authorized; (4) be aware that the MITM position introduces a latency/reliability risk—client and server may detect unusual delays; (5) obtained credentials and session data must be handled securely (encrypted storage, restricted access, timely deletion post-audit). No claim of cryptographic strength or vulnerability-free implementation can be made from the data; review threat model for your specific use case.

Alternatives to consider

Proxyman / mitmproxy (generic HTTPS/HTTP proxy)

General-purpose proxy for HTTP/HTTPS, not SSH-specific. Lacks SSH credential interception, file transfer manipulation, and SSH client vulnerability detection.

Teleport (gravitational) or Bastion hosts

Session logging and access control for SSH, but not MITM-based. Does not intercept credentials or manipulate file transfers; focuses on authorized access management.

OpenSSH with GSSAPI/certificate auth + syslog/auditd

Native SSH logging and audit trails. Does not enable active interception, command injection, or file transfer manipulation. Better for compliance and passive monitoring.

Software development agency

Build on ssh-mitm with DEV.co software developers

SSH-MITM is available as a free, open-source download. Start with the interactive tutorial to learn session interception, then deploy in your authorized test environment. For commercial integration or custom extensions, consult our development team.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

Related on DEV.co

Explore the category and the services that help you build with it.

ssh-mitm FAQ

Is SSH-MITM legal to use?
SSH-MITM is legal for authorized security audits, penetration testing, and research on systems you own or have explicit written permission to test. Unauthorized SSH interception may be illegal in your jurisdiction. Always obtain written authorization before deployment.
Can SSH-MITM be detected by the SSH client or server?
Possibly. The MITM introduces latency and may alter key negotiation timing or cipher selection. Modern SSH clients and servers may flag unusual behavior. SSH-MITM includes client auditing to detect vulnerabilities, but it cannot guarantee invisibility.
Does SSH-MITM log to a central server or database?
No. Credentials, file transfers, and session data are logged to stdout and the web UI only. Integration with SIEM, logging platforms, or central storage requires custom plugin development or external log parsing.
Can I use SSH-MITM to audit my own infrastructure?
Yes. SSH-MITM is ideal for authorized penetration testing on systems you own or manage. Deploy it in a lab environment between a test client and your SSH servers to verify security posture.

Work with a software development agency

DEV.co helps companies turn open-source tools like ssh-mitm into production software. Our software development services cover the full lifecycle — architecture, web development, integration, and maintenance — delivered by software developers and web developers who ship. Engage our software development agency to implement or customize it for your open-source security stack.

Ready to audit your SSH infrastructure?

SSH-MITM is available as a free, open-source download. Start with the interactive tutorial to learn session interception, then deploy in your authorized test environment. For commercial integration or custom extensions, consult our development team.