# Install ssh-mitm with Homebrew, Nix

SSH server for security audits and malware analysis. Version 5.0.1 via Homebrew; verified 2026-04-21.

## Install

```sh
sudo av install brew:ssh-mitm
```

Additional install commands:

### macOS

- Homebrew (100%):

```sh
brew install ssh-mitm
```

  Evidence: local Homebrew formula metadata

### Linux

- Nix (92%):

```sh
nix profile install nixpkgs#ssh-mitm
```

  Evidence: nixpkgs package indexes: pkgs/by-name/ss/ssh-mitm/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1

## Package facts

- **Package key:** brew:ssh-mitm
- **Package manager:** Homebrew
- **Package manager page:** <https://formulae.brew.sh/formula/ssh-mitm>
- **Version:** 5.0.1
- **Source summary:** SSH server for security audits and malware analysis
- **Homepage:** <https://docs.ssh-mitm.at>
- **Repository:** <https://github.com/ssh-mitm/ssh-mitm>
- **Upstream docs:** <https://docs.ssh-mitm.at/>
- **License:** GPL-3.0-only
- **Source archive:** <https://files.pythonhosted.org/packages/f0/4e/c804d08c336bcff29fd665fdc3ff9d3698d529b1d75462b89bc53527862a/ssh_mitm-5.0.1.tar.gz>
- **Last updated:** 2026-04-21T12:10:04-07:00
- **Generated:** 2026-07-08T18:08:21+00:00

## Executables

- ssh-mitm (cli)
- ssh-mitm-askpass (cli)
- ssh-mitm (alias)
- ssh-mitm-askpass (alias)

## Dependencies

- cryptography
- libsodium
- libyaml
- python@3.14

## Build dependencies

- pkgconf
- rust

## Install behavior

- Post-install hook: not defined
- Bottle: available on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux

## Freshness

- Page generated: 2026-07-08
- Package-manager version: 5.0.1
- Package-manager updated: 2026-04-21
- Local data: ok
- Upstream repository: https://docs.ssh-mitm.at
- info: Release/tag comparison is only available for GitHub repositories.
## Project history and usage

SSH-MITM is an interactive SSH interception tool for authorized security audits, penetration testing, training labs, and malware-analysis environments. Its package-manager relevance comes from making a specialized man-in-the-middle SSH audit workflow installable as a normal CLI rather than as a one-off lab script.

### Project history

The project presents itself as an active security research tool rather than a general-purpose SSH server. Its documentation says it was originally developed to study SSH client behavior and authentication weaknesses, especially the ambiguity around FIDO2 hardware-token confirmations in man-in-the-middle scenarios.

### Adoption history

The official README advertises multiple distribution channels, including AppImage, Flatpak, Snap, pip, and direct installation from GitHub. Homebrew and Nix packaging in the input show that it also entered package-manager catalogs used by security engineers who want reproducible CLI installs.

### How it is used

Typical use places SSH-MITM between a client and a target SSH server, then runs commands such as `ssh-mitm server --remote-host <target-host>` and has a test client connect through the interception port. The tool can capture authentication, mirror live sessions, inspect or alter SFTP/SCP transfers, intercept port forwarding, and run audit plugins.

### Why package nerds care

Package nerds care because SSH-MITM turns SSH protocol research into an installable command with extras such as tutorials, plugins, AppImage and desktop packaging, and documented CVE-driven audit workflows. It sits at the edge of package-manager culture where offensive security labs, training images, and repeatable toolchains meet.

### Timeline

- 2021: SSH-MITM research documented trivial-authentication CVEs affecting multiple SSH clients.
- 2022: The project documented follow-up CVEs related to the same SSH authentication research area.
- 2025: The changelog documents expansion into tutorials, plugin browsing, MOSH and PowerShell remoting interception, persistent host keys, and Terrapin detection improvements.

### Related projects

- SSH-MITM is closely related to OpenSSH, Paramiko, MOSH, SCP/SFTP clients, and SSH client vulnerability research. It is complementary to scanners and audit tools because it observes and manipulates live SSH sessions rather than only checking static configuration.

### Sources

- <https://docs.ssh-mitm.at/audit_guide/trivialauth.html>
- <https://docs.ssh-mitm.at/vulnerabilities/findings.html>
- <https://github.com/ssh-mitm/ssh-mitm#readme>
- <https://raw.githubusercontent.com/ssh-mitm/ssh-mitm/master/CHANGELOG.md>
- source_facts.package-manager


## Security Notes

broad file, network, media, or database tool signal. escape, surveillance, or offensive capability signal.

- **Geiger risk:** red / medium
- broad file, network, media, or database tool signal
- escape, surveillance, or offensive capability signal

## Source Database Details

- **Source Database:** Homebrew formula API
- **Tap:** homebrew/core
- **Full Name:** ssh-mitm
- **Version Scheme:** 0
- **Revision:** 4
- **Head Version:** HEAD
- **Bottle Stable Root URL:** <https://ghcr.io/v2/homebrew/core>
- **Deprecated:** no
- **Disabled:** no
- **Keg Only:** no
- **URL Keys:** head, stable

## Other Package-Manager Records

- Nix - ssh-mitm: normalized package name match | nixpkgs package indexes: pkgs/by-name/ss/ssh-mitm/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1


## Related links

- [Secret-risk packages](https://www.automicvault.com/pkg/secret-risk-packages/) - Has protected-tool coverage, approval-gate, or non-low Geiger security signals.
- [Terminal utility packages](https://www.automicvault.com/pkg/terminal-utilities/) - Matched terminal and command-line workflow metadata.
- [Networking and protocol packages](https://www.automicvault.com/pkg/networking-protocol-tools/) - Matched network, protocol, or remote-service metadata.
- [Security and crypto packages](https://www.automicvault.com/pkg/security-crypto-tools/) - Matched security, identity, cryptography, password, signing, or certificate metadata.
- [python@3.14](https://www.automicvault.com/pkg/brew/python-3-14/) - Runtime dependency declared by Homebrew.
- [pkgconf](https://www.automicvault.com/pkg/brew/pkgconf/) - Build dependency declared by Homebrew.
- [rust](https://www.automicvault.com/pkg/brew/rust/) - Build dependency declared by Homebrew.
- [ssh-audit](https://www.automicvault.com/pkg/brew/ssh-audit/) - Shares av.db curated category or tags: auditing, cli, security, ssh.
- [openssh](https://www.automicvault.com/pkg/brew/openssh/) - Shares av.db curated category or tags: cli, security, ssh.
- [skm](https://www.automicvault.com/pkg/brew/skm/) - Shares av.db curated category or tags: cli, security, ssh.
- [ssh-copy-id](https://www.automicvault.com/pkg/brew/ssh-copy-id/) - Shares av.db curated category or tags: cli, security, ssh.
- [ssh-vault](https://www.automicvault.com/pkg/brew/ssh-vault/) - Shares av.db curated category or tags: cli, security, ssh.
- [sshguard](https://www.automicvault.com/pkg/brew/sshguard/) - Shares av.db curated category or tags: cli, security, ssh.
- [sshtrix](https://www.automicvault.com/pkg/brew/sshtrix/) - Shares av.db curated category or tags: cli, security, ssh.
- [tkey-ssh-agent](https://www.automicvault.com/pkg/brew/tkey-ssh-agent/) - Shares av.db curated category or tags: cli, security, ssh.
- [prowler](https://www.automicvault.com/pkg/brew/prowler/) - Both packages touch the same language runtime or ecosystem. Shared terms: auditing, audits, cli, cryptography, libsodium.

## Combined YAML source

View the package source record on GitHub. [combined/ssh-mitm.yml](https://github.com/automic-vault/db/blob/main/combined/ssh-mitm.yml)


## Sources

- Nucleus package database
- Geiger risk classifier
- package-page enrichment
- curated package history
- package version freshness
- av.db category and tag curation
- package relationship graph
- external package-manager database matches
- cross-ecosystem install command graph
