Self-hosted
Overview
The P0 SSH Agent is designed to enable secure, real-time access management to on-premises Linux machines. It allows the P0 platform to issue access, grant sudo privileges, and maintain audit-ready provisioning via a persistent connection back to the P0 backend.
Key functions include:
Issuing short-lived SSH certificates or access credentials to users.
Granting or revoking sudo (privileged) access dynamically.
Receiving and acting on events from the P0 control plane in real time.
Logging all actions in a tamper-evident way for audit and compliance.
Prerequisites for Installation
Before installing and registering the agent, please ensure the following prerequisites are satisfied:
Valid P0 account: Your organization must be set up in P0 and you need the appropriate permissions.
Linux VM environment: A Linux machine (for example Ubuntu or CentOS) ready for agent installation.
API / key material: You will need API credentials or key material from the P0 console (or as directed by your internal on-boarding process).
Installation and Registration Process
The process consists of two major phases — installing the agent locally, then registering the machine with the P0 platform.
P0 Website / Console Registration
Log into the P0 platform.
Navigate to Integration → SSH → Self-hosted (or equivalent section for your tenant) and fill in the details.
After the environment is created, click Finish.

Navigate to P0 Management and generate an API Key.
Local Agent Installation
Download the appropriate binary for the agent.
Make the binary executable and move it to a suitable location.
After installing the binary, run the following command to register the machine:
p0-ssh-agent register --auth="<API_KEY>" --url="http://p0.app/o/{tenant-id}/integrations/self-hosted/{environment-id}/computers/register"
Technical Architecture and Runtime
The SSH Agent uses a secure WebSocket connection back to the P0 platform backend. The connection uses JWT for authentication. Once connected, the agent can receive JSON-RPC 2.0 commands to execute provisioning scripts (e.g., create user, add SSH keys, grant sudo) in real time.
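Because these commands end in provisioning scripts on the host, the receiving side should reject anything that is not an exact, expected request. The following is an added example, not P0's code, of strict JSON-RPC 2.0 validation with a method allowlist; the method names, parameter names and patterns are assumptions, since this page does not list the agent's actual RPC methods.

```python
import json
import re

# Hypothetical method and parameter names; the real agent's RPC surface is not
# documented on this page. Patterns are deliberately conservative.
USERNAME = re.compile(r"[a-z_][a-z0-9_-]{0,31}")
SSH_KEY = re.compile(r"(ssh-ed25519|ecdsa-sha2-nistp256|ssh-rsa) [A-Za-z0-9+/=]+")
ALLOWED = {
    "createUser": {"username": USERNAME},
    "addSshKey": {"username": USERNAME, "publicKey": SSH_KEY},
    "grantSudo": {"username": USERNAME},
}

def _error(req_id, code, message):
    return {"jsonrpc": "2.0", "id": req_id, "error": {"code": code, "message": message}}

def handle(raw, run=lambda method, params: "ok"):
    """Validate one JSON-RPC 2.0 request; call run() only if every check passes."""
    try:
        req = json.loads(raw)
    except ValueError:
        return _error(None, -32700, "Parse error")
    if not isinstance(req, dict) or req.get("jsonrpc") != "2.0" \
            or not isinstance(req.get("method"), str):
        return _error(None, -32600, "Invalid Request")
    req_id = req.get("id")
    if isinstance(req_id, bool) or not isinstance(req_id, (str, int, type(None))):
        return _error(None, -32600, "Invalid Request")
    rules = ALLOWED.get(req["method"])
    if rules is None:
        return _error(req_id, -32601, "Method not found")
    params = req.get("params")
    # Exact key match: no missing and no unexpected parameters reach a script.
    if not isinstance(params, dict) or set(params) != set(rules):
        return _error(req_id, -32602, "Invalid params")
    for name, pattern in rules.items():
        if not isinstance(params[name], str) or not pattern.fullmatch(params[name]):
            return _error(req_id, -32602, "Invalid params")
    return {"jsonrpc": "2.0", "id": req_id, "result": run(req["method"], params)}

if __name__ == "__main__":
    # Constructed sample messages, not captured from a real agent.
    print(handle('{"jsonrpc":"2.0","id":1,"method":"grantSudo","params":{"username":"alice"}}'))
    print(handle('{"jsonrpc":"2.0","id":2,"method":"createUser","params":{"username":"alice; id"}}'))
```

In a real handler, `run` would pass the validated values to the provisioning script as separate arguments rather than interpolating them into a shell string.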
Usage
Once the agent is installed and connected, developers can request and obtain access through the standard P0 workflows and integrated channels.
Typical workflow:
A developer initiates an access request through an approved P0 access channel — such as the web console, Slack integration, or CLI.
The request is validated against the organization’s policy (e.g., role, environment, justification, and approval workflow).
Once approved, P0 issues a short-lived SSH certificate granting access only to the specific machine(s) and duration defined by policy.
The developer connects via SSH using their issued certificate. No static keys or passwords are ever required.
The SSH Agent on the target machine validates the certificate and logs the session start event.
At session end or upon expiry, the certificate automatically becomes invalid, ensuring zero standing privileges.
This approach allows teams to grant fine-grained, time-bound access without maintaining long-lived credentials or manually rotating secrets.