Zing Forum

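AIPermission: A Security Approval System That Gives AI Agents Controlled SSH Access

AIPermission is an open-source tool that gives AI agents controlled SSH access through a local approval workflow. Every command needs the user's approval, and the private key always stays on the local machine, balancing security with control.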

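SSH security, AI agents, approval workflow, private key protection, operations automation, zero trust, security tools, open-source projects, human-AI collaboration
Published 2026/06/06 18:16 | Last activity 2026/06/06 18:35 | Estimated reading time 10 minutes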

Section 01

AIPermission: Open-Source Secure SSH Access System for AI Agents

AIPermission: Controlled SSH Access for AI Agents

AIPermission is an open-source tool that provides controlled SSH access for AI agents through a local approval workflow. Each command requires user approval, and private keys are always retained on the local machine to ensure a balance between security and control.

It addresses key security challenges in AI-assisted operations tasks, combining AI efficiency with human oversight to prevent unauthorized or risky operations.

Section 02

Project Background & Motivation

Background & Motivation

With the rapid development of large language models and AI agents, more developers are letting AI operate servers directly. However, this brings security risks:

  • Excessive permissions: Full SSH access may lead to severe consequences if AI hallucinates or misinterprets tasks.
  • Key security: Providing private keys to AI services risks credential leakage.
  • Uncontrollable operations: AI may execute dangerous actions without user knowledge.
  • Audit difficulties: AI operations are hard to track and audit.

AIPermission was created to solve these issues via a local approval workflow, enabling safe AI SSH access under human supervision.

Section 03

Core Design & System Workflow

Core Design Principles

  • Minimal permission: AI agents get no automatic access; each command needs user approval.
  • Private key localization: Keys stay on local machines, never transmitted to AI services.
  • Human-AI collaboration: AI generates commands, humans approve/deny.

System Architecture & Workflow

Components

  1. Local proxy service (manages SSH connections/keys)
  2. Approval interface (command review)
  3. AI interface layer (communicates with AI without touching keys)
  4. Execution engine (runs approved commands)
  5. Audit log (records all operations)

Workflow

  1. User describes task to AI.
  2. AI generates SSH command.
  3. Command is presented to user with details (target host, impact).
  4. User approves/denies/modifies.
  5. Local proxy executes command with local key.
  6. Result returns to AI; process repeats if needed.
  7. All steps are logged.

Section 04

Detailed Security Features

Security Features

Private Key Protection

  • Zero transmission: Keys never leave local machines.
  • Memory isolation: Keys exist only in secure memory areas.
  • HSM/YubiKey support: Optional hardware key storage.
  • Encrypted storage: Keys are encrypted locally, requiring password/biometrics to unlock.

Command Review

  • Dangerous command detection: Flags risky commands (e.g., rm -rf, dd).
  • Impact analysis: Assesses command effects on paths/services/data.
  • Sandbox preview: Previews execution in safe environments.
  • Batch control: Allows bulk approval for non-sensitive commands.
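
The command review above, together with the approve/deny/modify step of the workflow, can be sketched as follows. This is an added example, not AIPermission's code: the rule set, the function names and the decide callback are assumptions, and the flags are hints for the human reviewer rather than an enforcement boundary.

```python
import os
import shlex

WRAPPERS = {"sudo", "nohup", "time"}   # constructed list, not the tool's own
OPERATORS = set(";&|()")               # characters that separate simple commands

def split_commands(line):
    """Split one shell line into simple commands (lists of tokens)."""
    lexer = shlex.shlex(line, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    commands, current = [], []
    for token in lexer:
        if token and set(token) <= OPERATORS:
            commands.append(current)
            current = []
        else:
            current.append(token)
    commands.append(current)
    return [c for c in commands if c]

def flag_risks(line):
    """Return the warnings a reviewer should see beside the command."""
    try:
        commands = split_commands(line)
    except ValueError:                 # unbalanced quotes: never guess, always flag
        return ["unparseable shell syntax"]
    reasons = []
    for tokens in commands:
        while len(tokens) > 1 and (tokens[0] in WRAPPERS or tokens[0].startswith("-")):
            tokens = tokens[1:]
        prog, args = os.path.basename(tokens[0]), tokens[1:]
        short = "".join(a[1:] for a in args if a.startswith("-") and not a.startswith("--"))
        recursive = "r" in short.lower() or "--recursive" in args
        force = "f" in short or "--force" in args
        if prog == "rm" and recursive and force:
            reasons.append("rm with recursive+force")
        if prog == "dd":
            reasons.append("dd raw block copy")
    return reasons

def review(line, host, decide):
    """Workflow steps 3-5: return the exact command text to run, or None."""
    while True:
        action, text = decide({"host": host, "command": line, "risks": flag_risks(line)})
        if action == "approve":
            return line                # only text the reviewer saw is released
        if action == "deny":
            return None
        line = text                    # "modify": re-flag and re-present the new text
```

The decide callback stands in for the approval interface and returns ("approve", None), ("deny", None) or ("modify", new_text); an edited command goes back through flag_risks before it can be approved.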

Audit & Traceability

  • Full logs: Records request/approval/execution times and results.
  • Session recording: Optional screen capture of interactions.
  • Compliance reports: Generates SOC2/ISO27001-aligned reports.
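
One way to make such an audit trail tamper-evident is to chain each record to the hash of the previous one. This is an added example, not AIPermission's log format: the field names, the hash chain and the sample records are assumptions.

```python
import hashlib
import json

GENESIS = "0" * 64                     # "previous hash" of the first record

def _digest(prev_hash, body):
    payload = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()

def append_record(log, host, command, decision, requested_at, decided_at,
                  executed_at=None, exit_code=None):
    """Append one audit record, chained to the previous record's hash."""
    body = {"host": host, "command": command, "decision": decision,
            "requested_at": requested_at, "decided_at": decided_at,
            "executed_at": executed_at, "exit_code": exit_code}
    prev_hash = log[-1]["hash"] if log else GENESIS
    log.append({**body, "prev": prev_hash, "hash": _digest(prev_hash, body)})
    return log[-1]

def first_bad_record(log):
    """Return the index of the first record that fails verification, or None."""
    prev_hash = GENESIS
    for i, rec in enumerate(log):
        body = {k: v for k, v in rec.items() if k not in ("prev", "hash")}
        if rec["prev"] != prev_hash or rec["hash"] != _digest(prev_hash, body):
            return i
        prev_hash = rec["hash"]
    return None

def sample_log():
    """Constructed sample records; hosts, commands and times are made up."""
    log = []
    append_record(log, "db01.example", "pg_dump app", "approved",
                  "2026-06-06T10:00:00Z", "2026-06-06T10:00:20Z",
                  "2026-06-06T10:00:21Z", 0)
    # Denied requests are logged too, with no execution time or exit code.
    append_record(log, "db01.example", "rm -rf /var/lib/postgresql", "denied",
                  "2026-06-06T10:05:00Z", "2026-06-06T10:05:09Z")
    append_record(log, "web02.example", "systemctl restart nginx", "approved",
                  "2026-06-06T10:09:00Z", "2026-06-06T10:09:30Z",
                  "2026-06-06T10:09:31Z", 0)
    return log
```

The chain detects edited, reordered or removed records, but not truncation of the tail; for that, keep the latest hash somewhere neither the agent nor the managed host can write.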

Section 05

Use Cases & Solution Comparisons

Use Cases

  • Dev environment: Deploy test environments, view logs, migrate databases.
  • Production operations: Database backups, config changes, patch deployment.
  • Team collaboration: Standardize approval processes, train new members, reduce errors.

Comparisons

vs Traditional SSH

Feature            | Traditional SSH  | AIPermission
Command generation | Manual           | AI-assisted
Security checks    | None             | Automatic danger detection
Audit logs         | Server-dependent | Local full records
Mistake prevention | None             | Approval mechanism

vs Fully Automated Tools

Feature         | Fully Automated          | AIPermission
Execution speed | Fast                     | Medium (approval needed)
Security        | Dependent on AI accuracy | Human confirmation
Use case        | Low-risk operations      | Complex/high-risk tasks

vs Bastion Hosts

Feature        | Bastion Host            | AIPermission
Deployment     | Dedicated server        | Local
Cost           | Infrastructure required | Open-source free
AI integration | Rare                    | Native
Key location   | Server-stored           | Local

Section 06

Deployment & Best Practices

Deployment

Installation

  • Package managers (Homebrew, apt, yum)
  • Precompiled binaries
  • Source code compilation
  • Docker container

Initial Config

  1. Import/generate SSH keys.
  2. Add server info (host, IP, port, username).
  3. Set approval policies.
  4. Connect to AI services (OpenAI, Anthropic, local models).
  5. Configure audit log storage.

AI Integrations

  • CLI tools (Claude CLI, OpenAI CLI)
  • IDE plugins (VS Code, JetBrains)
  • Chat interfaces (web/desktop apps)
  • API calls for custom workflows

Best Practices

Security

  • Use hardware keys/password managers for keys.
  • Rotate keys regularly.
  • Create restricted user accounts for AI operations.
  • Use VPN/jump servers for production access.
  • Monitor audit logs for anomalies.

Usage

  • Start with dev environments before production.
  • Adjust approval policies for balance of security/efficiency.
  • Train teams on approval processes.
  • Have emergency plans to bypass AIPermission if needed.

Section 07

Future Directions & Conclusion

Future Directions

Feature Enhancements

  • Smart approval suggestions based on history.
  • Batch operation optimization.
  • Collaborative approval for sensitive tasks.
  • Common command templates.

Ecosystem Integration

  • CI/CD (Jenkins, GitLab CI)
  • Monitoring (Prometheus, Grafana)
  • Knowledge bases (Confluence, Notion)
  • Ticket systems (Jira, ServiceNow)

Security Upgrades

  • Behavior analysis for anomaly detection.
  • Real-time threat intelligence integration.
  • Zero-knowledge proof for command validation.

Conclusion

AIPermission provides a practical solution for AI-era operations security. It combines AI efficiency with human control, ensures private key safety, and meets compliance requirements. For teams wanting AI-assisted operations without security risks, AIPermission is a recommended open-source tool.