Ask HN: How do you safely give LLMs SSH/DB access?
I have been using Claude Code for DevOps style tasks like SSHing into servers, grepping logs, inspecting files, and querying databases
Overall it's been great. However, I find myself having to review every single command, a lot of which are repetitive. It still saves me a ton of time, but it's quickly becoming a bit tedious
I wish I could give the agent some more autonomy. Like giving it a list of pre-approved commands or actions that it is allowed to run over ssh
For example:
OK: ls, grep, cat, tail
Not OK: rm, mv, chmod, etc
OK: SELECT queries
Not OK: INSERT, DELETE, DROP, TRUNCATE
Has anyone successfully or satisfactorily solved this?What setups have actually worked for you, and where do you draw the line between autonomy and risk?
61 comments
[ 3.4 ms ] story [ 51.4 ms ] threadAs for queries, you might be able to achieve the same thing with usage of command-line tools if it's a `sqlite` database (I am not sure about other SQL DBs). If you want even more control than the settings.json allows, you can use the claude code SDK.
No need to mess around with regular expressions against SQL queries when you can instead give the agent a PostgreSQL user account that's only allowed read access to specific tables.
Use db permissions with read only, and possibly only a set of prepared statements. Give it a useraccount with read-only acces maybe
Among the many other reasons why you shouldn't do this, there are regularly reported cases of AIs working around these types of restrictions using the tools they have to substitute for the tools they don't.
Don't be the next headline about AI deleting your database.
I'll set it loose on a development or staging system but wouldn't let it around a production system.
Don't forget your backups. There was that time I was doing an upgrade of the library management system at my Uni and I was sitting at the sysadmin's computer and did a DROP DATABASE against the wrong db which instantly brought down the production system -- she took down a binder from the shelf behind me that had the restore procedures written down and we had it back up in 30 seconds!
You cannot. The best you can ever hope for is creating VM environments, and even then it's going to surprise you sometimes. See https://gtfobins.github.io/.
https://stackoverflow.com/questions/35830509/sshfs-linux-how...
—-
Yes, easily. This isn’t a problem when using a proxy system with built in safeguards and guardrails.
‘An interface for your agents.’
Or, simply, if you have a list of available tools the agent has access to.
Tool not present? Will never execute.
Tool present? Will reason when to use it based on tool instructions.
It’s exceptionally easy to create an agent with access to limited tools.
Lots of advice in this thread, did we forget that ithe age of AI, anything is possible?
Have you taken a look at tools such as Xano?
Your agent will only execute whichever tool you give it access to. Chain of command is factored in.
This is akin to architecting for the Rule of Two, and similarly is the concept of Domain Trusts (fancy way of saying scopes and permissions).
I recommend giving LLMs credentials that are extremely fine-grained, where the credentials can only permit the actions you want to allow and not permit the actions you don't want to allow.
Often, it may be hard or impossible to do this with your database settings alone - in that case, you can use proxies to separate the credentials the LLM/agent has from the credentials that are actually made to the DB. The proxy can then enforce what you want to allow or block.
SSH is trickier because commands are mixed in with all the other data going on in the bytestream during your session. I previously wrote another blog post about just how tricky enforcing command allowlists can be as well: https://www.joinformal.com/blog/allowlisting-some-bash-comma.... A lot of developer CLI tools were not designed to be run by potentially malicious users who can add arbitrary flags!
I also have really appreciated simonw's writing on the topic.
Disclaimer: I work at Formal, a company that helps organizations use proxies for least privilege.
Giving LLM even read access to PII is a big "no" in my book.
On PII, if you need LLMs to work on production extracted data then https://github.com/microsoft/presidio is a pretty good tool to redact PII. Still needs a bit of an audit but as a first pass does a terrific job.
For SSH, you can either use a specific account created for the AI, and limit it's access to what you want it to do, although that is a bit trickier than DB limits. You can also use something like ForceCommand in SSHD config (or command= in your authorized_keys file) to only grant access to a single command (which could be a wrapper around the commands you want it to be able to access).
This does somewhat limit the flexibility of what the AI can deal with.
My actual suggestion is to change the model you are using to control your servers. Ideally, you shouldn't be SSHing to servers to do things; you should be controlling your servers via some automation system, and you can just have your AI modify the automation system. You can then verify the changes it is making before committing the changes to your control system. Logs should be collected in a place that can be queried without giving access to the system (Claude is great at creating queries in something like ElasticSearch or OpenSearch).
Also, about those specific commands:
* `cat` can overwrite files. * `SELECT INTO` writes new data.
You want to limit access to files (eg: regular user can't read /etc/shadow or write to /bin/doas or /bin/sh) - and maybe limit some commands (/bin/su).
https://github.com/dolthub/dolt
This is nothing new; it’s the logical thing for any use case which doesn’t need to write.
If there is data to write, convert it to a script and put it through code review, make sure you have a rollback plan, then either get a human or non-AI automation tooling to run it while under supervision/monitoring.
Again nothing new, it’s a sensible way to do any one-off data modification.
adduser llm su llm
There you go. Now you can run commands quite safely. Add or remove permissions with chmod chown and chgrp as needed.
If you need more sophisticated controls try extensions like acl or selinux.
In windows use its builtin use, roles and file permission system.
Nothing new here, we have been treating programs as users for decades now.