
#1 2023-05-03 14:12:02

m00nshine
Member
Registered: 2023-05-03
Posts: 2

[SOLVED] OpenSSH HA setup

Hi,

I am trying to set up an OpenSSH server that provides a critical piece of infrastructure and the SSH service itself needs to be available at all times. Or rather the address (IP/Hostname) always needs to be available and provide ssh access.
For appliances like firewalls I would just use their built-in HA features, but I am not aware of any simple HA configuration option in OpenSSH.

Is there any way to set up such an HA cluster with OpenSSH servers?

What I intend to build is something like:

sshserver_zone1 - IP: 10.0.0.1
sshserver_zone2 - IP: 10.0.0.2
sshserver_zone3 - IP: 10.0.0.3

providing:

sshserver_frontend - virtual IP: 10.0.0.10 - actualhostname.domain


The user who connects to actualhostname.domain should always be able to connect even if two of the three servers above are gone.

Last edited by m00nshine (2023-05-04 22:03:26)

Offline

#2 2023-05-03 14:31:13

Scimmia
Fellow
Registered: 2012-09-01
Posts: 11,722

Re: [SOLVED] OpenSSH HA setup

And you're using Arch Linux for this? Seems like an odd choice.

Offline

#3 2023-05-03 16:09:46

3beb6e7c46a615a
Member
Registered: 2021-03-27
Posts: 165

Re: [SOLVED] OpenSSH HA setup

Superficially you'll need to place a TCP load balancer (eg haproxy) in front of these services, configure it accordingly and make sure your SSH servers have the same host key (or use an SSH CA for the host keys, but tooling around this is a bit poor currently).

Practically, you'll need multiple proxies, eg via DNS round robin balancing, to ensure you're not just moving the single point, and you'll find good settings for SSH load balancing, wrt timeouts, monitoring, etc. This very much depends on what you'd like to protect against, eg just the entire server going down or specific SSH error conditions (eg SSH still runs but login's partially broken because the backing LDAP server goes down, or because an update broke the pam configuration).

Without details it's hard to say more.

But I also think that Arch for any part in this would be a weird choice...

Last edited by 3beb6e7c46a615a (2023-05-03 16:10:54)

Offline
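The requirement in post #3 that all backends present the same host key can be checked before traffic moves to the virtual IP, because a mismatch shows up as a host key warning on the first failover. The following is an added example, not part of the original posts: it parses known_hosts-style lines as printed by `ssh-keyscan` and reports drift between the three backends. The function names are hypothetical and the key blobs are constructed samples, not real host keys.

```python
import base64
import hashlib
from collections import defaultdict

BACKENDS = ["10.0.0.1", "10.0.0.2", "10.0.0.3"]  # backend addresses from the thread

def sample_blob(seed):
    """Constructed ed25519-shaped public key blob (not a real host key)."""
    raw = b"\x00\x00\x00\x0bssh-ed25519" + b"\x00\x00\x00\x20" + seed * 32
    return base64.b64encode(raw).decode()

# Constructed stand-in for ssh-keyscan output; 10.0.0.3 carries a different key.
SAMPLE_SCAN = "\n".join([
    "# 10.0.0.1:22 SSH-2.0-OpenSSH_9.3",
    f"10.0.0.1 ssh-ed25519 {sample_blob(b'A')}",
    f"10.0.0.2 ssh-ed25519 {sample_blob(b'A')}",
    f"10.0.0.3 ssh-ed25519 {sample_blob(b'B')}",
])

def fingerprint(b64_key):
    """SHA256 fingerprint in the form `ssh-keygen -lf` prints."""
    digest = hashlib.sha256(base64.b64decode(b64_key)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_scan(text):
    """Return {key_type: {host: fingerprint}} from known_hosts-style lines."""
    seen = defaultdict(dict)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and banner comments
        host, key_type, b64_key = line.split()[:3]
        seen[key_type][host] = fingerprint(b64_key)
    return seen

def check_consistency(text, backends=BACKENDS):
    """List the problems that would trigger host key warnings on failover."""
    problems = []
    for key_type, by_host in sorted(parse_scan(text).items()):
        missing = [h for h in backends if h not in by_host]
        if missing:
            problems.append(f"{key_type}: not offered by {', '.join(missing)}")
        groups = defaultdict(list)
        for host, fp in by_host.items():
            groups[fp].append(host)
        if len(groups) > 1:
            detail = "; ".join(f"{fp} on {', '.join(hs)}" for fp, hs in groups.items())
            problems.append(f"{key_type}: keys differ: {detail}")
    return problems
```

An empty list from `check_consistency` means every backend offers the same key for each scanned key type.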

#4 2023-05-04 22:02:37

m00nshine
Member
Registered: 2023-05-03
Posts: 2

Re: [SOLVED] OpenSSH HA setup

Eventually I found an answer to my own question (hopefully):

HAProxy would be able to provide load balancing but on its own still present a single point of failure.
In theory HAProxy could be combined with a failover service like keepalived but for my purposes that would be overkill. (DNS round robin would be a slow but simple alternative)

The right answer is probably to use just keepalived for a failover cluster, which could also cover basic load balancing if needed.

For anyone with a similar issue, here are some useful instructions for a simple failover I came across:

https://access.redhat.com/documentation … tion/index
https://docs.oracle.com/en/operating-sy … sb_nr.html
https://tecadmin.net/setup-ip-failover- … eepalived/
http://www.formilux.org/archives/haproxy/1003/3259.html

Thanks to @lunaryorn for putting me on the right path here.

Offline
