p0 ssh

Node ≥ 20

node -v

Older Node versions break npm‑installed CLI binaries.

P0 CLI in PATH

p0 --version

Verifies global install succeeded.

AWS CLI v2

aws --version

ssm start-session lives here.

Session Manager plugin

session-manager-plugin --version

Required for SSM tunnel on AWS.

gcloud SDK

gcloud --version

Provides start-iap-tunnel.

gcloud login

gcloud auth list

IAP tunnel fails without a valid OAuth token.

P0 identity file

macOS & Linux: cat ~/.p0/identity.json Windows:

%USERPROFILE%.p0\identity.json

Confirms p0 login completed & org slug recorded.

node: bad option: --require ts-node/register

Node < 20.

Upgrade Node: the CLI is compiled for ESM features included in v20+.

Cannot find module '@p0security/cli'

CLI not in PATH or NPM global root not in PATH.

Re‑install with npm i -g @p0security/cli and restart terminal so PATH reloads.

The 'org' argument is required during p0 login

Forgot org slug env var.

Run p0 login <ORG_ID> or export P0_ORG.

This organization is not configured for SSH access via the P0 CLI

Admins haven’t installed the SSH integration.

Ask platform team to complete P0 onboarding for SSH providers.

Server did not return a request id

Backend 503 or mis‑shaped request.

Retry. If persistent, grab CLI logs (--debug) and open support ticket.

--approved exits immediately

Access not pre‑approved.

Remove the flag or get an approver to pre‑approve via Slack.

AWS

AccessDeniedException OR is not authorized to perform ssm:StartSession

IAM policy not yet visible to SSM agent.

Wait – CLI retries 8 min by default. Use --debug to watch attempts.

AWS

Unable to locate credentials… inside ProxyCommand

Local AWS CLI lacks auth (SSO or keys).

aws sso login --profile <name>or set AWS_PROFILE.

GCP

Please log in to the gcloud CLI to SSH

OAuth token expired.

gcloud auth login again (token TTL 12 h).

GCP

Tunnel hangs at 127.0.0.1:0

Firewall denies egress websockets.

Check corporate proxy, allow iap.googleapis.com:443.

ssh: connect to host … port 22: Connection refused (GCP)

SSH daemon disabled or moved.

Start sshd on VM or revert to port 22. (Azure note: port override unsupported.)

Too many authentication failures

Agent offered multiple keys before the P0 temp key.

CLI already adds IdentitiesOnly=yes; override your local ssh_config or kill ssh-agent keys.

Port forward fails with bind: Address already in use

Local port occupied.

Change local part of -L or -R binding.

Windows PowerShell: arguments split incorrectly

Quotes not escaped.

Wrap the entire SSH tail in double quotes and escape inner quotes (see examples).

sudo: no tty present

Your remote command used sudo inside non‑interactive mode.

Transpose with sudo -n <cmd> or request interactive shell.

No sudo despite --sudo

Approver rejected elevated scope.

Check Slack thread, re‑submit with business justification.

scp: protocol error: : Broken pipe

ProxyCommand died (SSM/IAP restarted).

Large transfers: add -- -o ServerAliveInterval=60 flag to keep tunnel alive.