
Ask HN: How do you safely give LLMs SSH/DB access?

6•nico•1h ago
I have been using Claude Code for DevOps style tasks like SSHing into servers, grepping logs, inspecting files, and querying databases

Overall it's been great. However, I find myself having to review every single command, a lot of which are repetitive. It still saves me a ton of time, but it's quickly becoming a bit tedious

I wish I could give the agent some more autonomy. Like giving it a list of pre-approved commands or actions that it is allowed to run over ssh

For example:

    OK: ls, grep, cat, tail
    Not OK: rm, mv, chmod, etc
    OK: SELECT queries
    Not OK: INSERT, DELETE, DROP, TRUNCATE
Has anyone successfully or satisfactorily solved this?

What setups have actually worked for you, and where do you draw the line between autonomy and risk?

Comments

stephendause•1h ago
There is an example of [dis]allowing certain bash commands here: https://code.claude.com/docs/en/settings

As for queries, you might be able to achieve the same thing with usage of command-line tools if it's a `sqlite` database (I am not sure about other SQL DBs). If you want even more control than the settings.json allows, you can use the claude code SDK.

nico•1h ago
Great pointers, thank you

How would you go about allowing something like `ssh user@server "ls somefolder/"` but disallowing `ssh user@server "rm"`?

Similarly, allow `ssh user@server "mysql \"SELECT...\""`, but block `ssh user@server "mysql \"[UPDATE|DELETE|DROP|TRUNCATE|INSERT]...\""` ?

Ideally in a way that it can provide more autonomy for the agent, so that I need to review fewer commands

stephendause•54m ago
I don't know; I've never done something like that. If no one else answers, you can always ask Claude itself (or another chatbot). This kind of thing seems tricky to get right, so be careful!

nico•31m ago
Yup definitely tricky. Unfortunately Claude sucks at answering questions about itself, I've usually had better luck with ChatGPT. Will see how it goes

onmai-xyz•8m ago
If you control the ssh server it can be configured to only allow what you want. Certainly tedious but I would consider it worthwhile as it stands with agents being, well, agentic.

christophilus•1h ago
I run my agents in containers, and only put stuff in those containers that I'm happy obliterating.

nico•59m ago
Do you use Claude Code? Do you say "Yes, and don't ask again" for all the commands, since you don't mind breaking things inside the container?

NitpickLawyer•4m ago
> claude --dangerously-skip-permissions

But do not run this on prod servers! You cannot prompt your way into the agent not doing something stupid from time to time.

Also blacklisting commands doesn't work (they'll try different approaches until something works).

Terr_•1h ago
I imagine your best bet is exactly the same tools for a potentially-malicious human user: Separate user account, file permissions, database user permissions, etc.

nico•28m ago
This is probably the safest thing to do, also the most time consuming

It would be nice to just be able to solve it through instructions to the agent, instead of having to apply all the other things for each application/server/database that I'd like to give it access to
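
The server-side setup that onmai-xyz and Terr_ describe is less work than it sounds, and it answers the `ssh user@server "ls"` vs `ssh user@server "rm"` question directly: give the agent its own unprivileged account, and bind its key to an OpenSSH forced command that allowlists what may run. The wrapper below is an added example, not code from the thread or from any commenter's setup. The install path `/usr/local/bin/agent-shell`, the account and the allowlist are my choices; `command=` in `authorized_keys` and the `SSH_ORIGINAL_COMMAND` variable are standard OpenSSH behaviour. It implements the allow list from the original post (ls, grep, cat, tail and a few siblings) by refusing everything that is not on it, which sidesteps NitpickLawyer's objection to blacklists: there is no `rm` to route around, only a closed set of programs, and shell syntax that could chain or redirect commands is rejected outright. Every decision is written to syslog via `logger`, so denied attempts show up where your other auth events do.

```shell
#!/bin/sh
# agent-shell: forced-command wrapper for an agent's SSH key.
# Assumed install path: /usr/local/bin/agent-shell on the server, bound to the
# key in the dedicated, unprivileged account's ~/.ssh/authorized_keys:
#
#   command="/usr/local/bin/agent-shell",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-ed25519 AAAA... agent-key
#
# With a forced command sshd ignores what the client asked to run, executes this
# script instead, and hands the client's request over in SSH_ORIGINAL_COMMAND.

PATH=/usr/bin:/bin
export PATH
set -f   # never expand globs while splitting a request into words

# Read-only programs the agent may start (constructed allowlist; edit to taste).
# No shells, pagers, editors or interpreters: those are the escape routes.
ALLOWED="ls cat head tail grep wc stat"

nl='
'

# check_command REQUEST -> 0 if the request is permitted, 1 if refused.
# Refused: an empty request, any shell syntax that could chain, redirect or
# substitute commands, a multi-line request, and any program name that is not
# exactly one of the allowlisted words ("/bin/rm" and "sudo ls" both fail).
check_command() {
    req=$1
    [ -n "$req" ] || return 1
    case $req in *"$nl"*) return 1 ;; esac
    if printf '%s' "$req" | grep -q '[;|&`$<>(){}]'; then
        return 1
    fi
    set -- $req                      # split on whitespace: $1 is the program
    for ok in $ALLOWED; do
        [ "$1" = "$ok" ] && return 0
    done
    return 1
}

# sshd sets SSH_ORIGINAL_COMMAND only when the client requested a command; a
# plain interactive login leaves it unset and the wrapper just exits.
if [ -n "${SSH_ORIGINAL_COMMAND+set}" ]; then
    if check_command "$SSH_ORIGINAL_COMMAND"; then
        logger -t agent-shell "allow: $SSH_ORIGINAL_COMMAND"
        set -- $SSH_ORIGINAL_COMMAND
        exec "$@"                    # run the program directly, never via a shell
    fi
    logger -t agent-shell "deny: $SSH_ORIGINAL_COMMAND"
    printf 'agent-shell: command not permitted\n' >&2
    exit 126
fi
```

With this in place the agent can run `ssh agent@server "tail -n 100 /var/log/app.log"` unattended, while `ssh agent@server "rm -rf /var/log"` gets "command not permitted" and exit status 126. Two limits to keep in mind: the allowed programs can still read whatever the account can read, so the account's file permissions (Terr_'s point) remain the real boundary, and a `mysql` or `psql` invocation would need database-side grants rather than this wrapper, since the query text is just an argument here.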

wrs•18m ago
That would be nice. If only the agent had the ability to limit itself to your instructions.

c22•5m ago
I frequently hand out excessive permissions to random volunteers from off the street and I handle it this way, with careful instructions. It usually works out fine, but the only way this is possible is with obsessive attention to backup and recovery procedures and some tolerance for occasional downtime.

simonw•26m ago
For database stuff most databases like PostgreSQL have robust permissions mechanisms built in.

No need to mess around with regular expressions against SQL queries when you can instead give the agent a PostgreSQL user account that's only allowed read access to specific tables.

nico•12m ago
You are right, and that's great for queries

How do you provide db access? For example, to access an RDS db, you have to connect from within the AWS/EC2 environment, which means either providing the agent ssh access to a server, from which it can run psql, or creating a tunnel

Additionally, with multiple apps/dbs, that means having to do the setup multiple times. It would be nice to be able to only configure the agent instead of all the apps/dbs/servers

tracker1•4m ago
You can't provide an existing ssh tunnel with a port for said database yourself, locally?

browningstreet•3m ago
"aws iam service accounts"

gunalx•20m ago
Never give perms to begin with. Anything the chatbot has access to fuck up it eventually will. So the problem is inherently flawed, but.

Use db permissions with read only, and possibly only a set of prepared statements. Give it a user account with read-only access maybe
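
simonw and gunalx are both pointing at the same mechanism: let the database enforce read-only access instead of pattern-matching SQL on the way in. As an added example, not from the thread or from any commenter's setup, the script below provisions such a PostgreSQL role through `psql`, granting CONNECT, USAGE on each schema and SELECT on only the tables you name. The script name, the database `app`, the role `agent_ro` and the table names are placeholders I chose. Two caveats a practitioner should know: `default_transaction_read_only` and `statement_timeout` are session settings the role can undo with SET, so they guard against accidents while the GRANTs are the actual boundary; and on PostgreSQL before 15, PUBLIC holds CREATE on the `public` schema, so a read-only role could still create its own scratch tables there unless that is revoked.

```shell
#!/bin/sh
# agent-ro-role: provision a read-only PostgreSQL role for an agent, limited to
# the tables you name. Assumed script name; the database, role and table names
# in the examples are placeholders.
#
# Usage:   ./agent-ro-role.sh DBNAME ROLE SCHEMA.TABLE [SCHEMA.TABLE ...]
# Example: ./agent-ro-role.sh app agent_ro public.orders public.customers
#
# Runs through psql as the database owner (or a superuser). The agent's
# credential is deliberately not set here: use \password in psql, or on RDS
# grant rds_iam to the role and hand the agent short-lived IAM auth tokens.

# valid_ident NAME -> 0 for a plain unquoted identifier or schema.table, else 1.
# Names are interpolated into SQL below, so anything else is refused, not quoted.
valid_ident() {
    case $1 in
        ''|[0-9]*|*[!A-Za-z0-9_.]*|.*|*.|*..*) return 1 ;;
        *) return 0 ;;
    esac
}

# readonly_role_sql DBNAME ROLE TABLE... -> prints the SQL; returns 1 on a bad name.
readonly_role_sql() {
    [ $# -ge 3 ] || return 1
    db=$1; role=$2; shift 2
    valid_ident "$db" || return 1
    valid_ident "$role" || return 1
    for t in "$@"; do valid_ident "$t" || return 1; done

    # Login only: no superuser, no create-anything attributes, nothing inherited,
    # and a small connection budget so a runaway agent cannot exhaust the pool.
    printf 'CREATE ROLE %s LOGIN NOSUPERUSER NOCREATEDB NOCREATEROLE NOINHERIT CONNECTION LIMIT 2;\n' "$role"
    printf 'GRANT CONNECT ON DATABASE %s TO %s;\n' "$db" "$role"
    for t in "$@"; do
        case $t in *.*) schema=${t%%.*} ;; *) schema=public ;; esac
        # USAGE on the schema is needed to reach the table; SELECT is the only
        # table privilege granted. Repeated GRANT USAGE lines are harmless.
        printf 'GRANT USAGE ON SCHEMA %s TO %s;\n' "$schema" "$role"
        printf 'GRANT SELECT ON %s TO %s;\n' "$t" "$role"
    done
    # Guardrails, not the boundary: the session can SET these back, so they stop
    # accidents (a stray UPDATE, a query that never ends), while the grants above
    # are what actually keep the role read-only.
    printf 'ALTER ROLE %s SET default_transaction_read_only = on;\n' "$role"
    printf "ALTER ROLE %s SET statement_timeout = '30s';\n" "$role"
    # Before PostgreSQL 15, PUBLIC holds CREATE on schema public, so the role could
    # still create its own scratch tables there; uncomment if that matters to you.
    printf '%s\n' '-- REVOKE CREATE ON SCHEMA public FROM PUBLIC;  -- PostgreSQL < 15 only'
}

# apply_role DBNAME ROLE TABLE... -> runs the statements in one transaction.
apply_role() {
    sql=$(readonly_role_sql "$@") || { echo 'agent-ro-role: bad identifier' >&2; return 2; }
    printf '%s\n' "$sql" | psql -v ON_ERROR_STOP=1 --single-transaction -d "$1"
}

if [ $# -ge 3 ]; then
    apply_role "$@"
fi
```

Run it once per database the agent should see; the per-database repetition nico mentions is real, but it is one short command rather than a bespoke setup, and the resulting role can be handed to the agent as plain `psql` credentials (or, on RDS, through an IAM token over the tunnel tracker1 suggests).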

JoshTriplett•18m ago
Don't.

Among the many other reasons why you shouldn't do this, there are regularly reported cases of AIs working around these types of restrictions using the tools they have to substitute for the tools they don't.

Don't be the next headline about AI deleting your database.

nico•10m ago
> Don't

Do you mean "Don't give it more autonomy", or "Don't use it to access servers/dbs" ?

I definitely want to be cautious, but I don't think I can go back to doing everything manually either

PaulHoule•10m ago
See https://simonwillison.net/2025/Feb/3/a-computer-can-never-be...

I'll set it loose on a development or staging system but wouldn't let it around a production system.

Don't forget your backups. There was that time I was doing an upgrade of the library management system at my Uni and I was sitting at the sysadmin's computer and did a DROP DATABASE against the wrong db which instantly brought down the production system -- she took down a binder from the shelf behind me that had the restore procedures written down and we had it back up in 30 seconds!

dormento•7m ago
> Safely

You cannot. The best you can ever hope for is creating VM environments, and even then it's going to surprise you sometimes. See https://gtfobins.github.io/.

Curzel•5m ago
For db just give it credentials of a readonly user; for instructions you can do this. You can set up a list of approved tools and bash commands https://www.anthropic.com/engineering/claude-code-best-pract...

vindex10•4m ago
for files, possibly sshfs / fuse with readonly mount

https://stackoverflow.com/questions/35830509/sshfs-linux-how...
