> For the complete documentation index, see [llms.txt](https://docs.p0.dev/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.p0.dev/integrations/resource-integrations/ssh/self-hosted.md).

# Self-hosted

#### Overview

The P0 SSH Agent enables secure, real-time access management to on-premises machines. It allows the P0 platform to issue access, grant sudo privileges, and keep audit-ready provisioning via a persistent connection back to the P0 backend.

{% hint style="info" %}
**Platform Support:** The P0 SSH Agent supports both Linux and Windows machines for self-hosted environments.
{% endhint %}

**Key functions include:**

* Issuing short-lived SSH certificates or access credentials to users.
* Granting or revoking sudo (privileged) access dynamically.
* Receiving and acting on events from the P0 control plane in real time.
* Logging all actions in a tamper-evident way for audit and compliance.

#### Prerequisites for installation

Before installing and registering the agent, ensure you meet the following prerequisites:

* **Valid P0 account**: Your organization must be set up in P0 and you need the appropriate permissions.
* **Linux or Windows VM environment**: A machine (for example Ubuntu, CentOS, or Windows Server) ready for agent installation.
* **API / key material**: You will need API credentials or key material from the P0 console (or as directed by your internal on-boarding process).

#### Platform-specific requirements

**Linux:**

* Ubuntu, CentOS, RHEL, or other common Linux distributions
* SSH server installed and configured

**Windows:**

* Windows Server 2016 or later, or Windows 10/11
* OpenSSH server feature enabled
* PowerShell 5.1 or later

#### Installation and registration process

The process consists of two major phases — installing the agent locally, then registering the machine with the P0 platform.

**P0 Website / Console Registration**

1. Log into the P0 platform.
2. Navigate to **Integrations → Self-hosted** and fill in the details.
3. After the environment is created, click **Finish**.

<figure><img src="/files/4ZOokaeemxbJ8NBVpEeg" alt="" width="375"><figcaption></figcaption></figure>

4. Navigate to P0 Management and generate an API Key.

**Local Agent Installation**

1. Download the appropriate binary for the agent.
2. Make the binary executable and move it to a suitable location.
3. Run the below command after installing the appropriate binary for the agent

`p0-ssh-agent register --auth="<API_KEY>" --url="`[`http://p0.app/o/{tenant-id}/integrations/self-hosted/{environment-id}/computers/register`](http://p0.app/o/%7Btenant-id%7D/integrations/self-hosted/%7Benvironment-id%7D/computers/register)`"`

#### Technical architecture and runtime

The SSH Agent uses a secure WebSocket connection back to the P0 platform backend. The connection uses JWT for authentication. Once connected, the agent can receive JSON-RPC 2.0 commands to execute provisioning scripts (for example, create user, add SSH keys, grant sudo) in real time. [Link](https://github.com/p0-security/p0-agent) to additional technical details and configuration documentation.

#### Usage

Once the agent is installed and connected, developers can request and obtain access through the standard P0 workflows and integrated channels.

**Typical workflow:**

1. A developer initiates an access request through an approved P0 access channel — such as the web console, Slack integration, or CLI.
2. The request is validated against the organization’s policy (for example, role, environment, justification, and approval workflow).
3. Once approved, P0 issues a short-lived SSH certificate granting access only to the specific machine(s) and duration defined by policy.
4. The developer connects via SSH using their issued certificate. No static keys or passwords are ever required.
5. The SSH Agent on the target machine validates the certificate and logs the session start event.
6. At session end or upon expiry, the certificate automatically becomes invalid, ensuring zero standing privileges.

This approach allows teams to grant fine-grained, time-bound access without maintaining long-lived credentials or manually rotating secrets.


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter:

```
GET https://docs.p0.dev/integrations/resource-integrations/ssh/self-hosted.md?ask=<question>&goal=<endgoal>
```

`ask` is the immediate question: it should be specific, self-contained, and written in natural language.
`goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal.

The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.