Route SSH connections by username

I would like to identify the username in an incoming SSH connection and pass it on to a Lua script. Then from that Lua script I can decide what backend to route that connection to.

For example someone may connect using:

ssh averyniceusername@ssh-loadbalancer.mydomain.tld

HA Proxy will provide the Lua script with the username part averyniceusername and through whatever logic will decide that the backend server this connection should be directed at is Or do I need to parse out the username from within the Lua script?

Is any of what I am suggesting possible?

No, this is not possible and never will be, for multiple reasons.

a) the username is not present in the first packet from the client, which is necessary to make a routing decision. You can’t have a connection on server 1 and then, after the n-th back and forth with server 1 decide to move the SSH connection to server 2.

b) the username is encrypted

Actually I think this might help in my situation:

It’s not by username, but using a hostname, which is probably better.


Oh, never mind, it still requires the client to use SSH differently.

Yes, fundamental technical facts like this don’t change. In the blog post, the author suggests to tunnel SSH through TLS, and then use the TLS SNI value to route it.