SUMMARY: high available ssh

From: Dombrowski, Neil <>
Date: Mon Nov 29 2004 - 13:34:41 EST
Thanks to everyone for all the answers I received. I haven't tested any yet,
but the program "balance" sounds intriguing. Many people suggested
clustering software, or hardware load balancing devices. Here are a sampling
of some of the other answers...

Maybe the following idea could be helpful:

Instead of using distinct target ip addresses, you could use dns names.
There exists a software named lbnamed: load balancing nameserver. But it's
no high available. There's a little timeout if one machine fails.
I have not done this before, but i "think" I see the solution.

FIrstly, a third box implies another single point of failure if it is
delivering a unique service ...

My take would be a follows:

Setup two systems.

Each has a normal IP (IP_R1 on host A and IP_R2 on host B)and a virtual IP
(IP_VA and IP_VB on Host A and B respectively)

IP_VA and IP_VB are not allocated at boot, but controlled from cluster (
FSTHA / Veritas Cluster / SUN Cluster / scripted  - FSTHA probaly easiest,
Veritas & Sun $$ and overkill ? )

Generate keys on first host.

Copy to second host

Now set cluster so that IP_VA fails to B and IP_VB fails to A in the event
of failures.

Setting up the users is now simply:

Half connect to IP_VA and the other half to IP_VB.

This can be manually assigned, or via DNS round robin.

Neil Dombrowski
I don't think there is anything specific to SSH on this, but if HA for
SSH is needed, am I am assuming that HA is needed for the
system/applications on the box then you might look at Veritas HA for
UNIX to suit your needs.  We use it for lots of applications,  we
don't specifically HA ssh, but as the failover happens ssh works.  I
would not though that we have nearly 1000 installs of ssh from
and I can't ever remember the SSH server specifically being a problem.
 It is usually related to network outages or some other system related
issue.  Thus Veritas HA and proper monitoring of it to trip a

> I am setting up an ssh server for clients to log into, but in the case of
> failure I want a second ssh server to take over without the client
> the difference. I guess ideally they would share the load, and if one box
> dropped any new requests would go to the box that was still standing (I'm
> willing to lose sessions that are already established on the box that goes
> down). Has anyone done this? I seem to be having a difficult time finding
> anything at all on clustering/load balancing ssh servers in this fashion,
> least without bringing in a third box.
