ProFTPD module mod_sftp_ldap

The mod_sftp module for ProFTPD can support different storage formats for its user- and host-based authorized keys. By default, the mod_sftp module supports storing authorized keys in flat files. This mod_sftp_ldap module allows for authorized SSH keys to be stored in LDAP directories.

This module is contained in the mod_sftp_ldap.c file for ProFTPD 1.3.x, and is not compiled by default. Installation instructions are discussed here.

The most current version of mod_sftp_ldap can be found at:

This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. This product includes cryptographic software written by Eric Young.


Please contact TJ Saunders <tj at> with any questions, concerns, or suggestions regarding this module.


To install mod_sftp_ldap, copy the mod_sftp_ldap.c file into:
after unpacking the latest proftpd-1.3.x source code. Then follow the usual steps for using third-party modules in proftpd, making sure to include the mod_sftp and mod_ldap modules, which mod_sftp_ldap requires. For example, you might use:
  ./configure --with-modules=mod_ldap:mod_sftp:mod_sftp_ldap ...
  make install


The mod_sftp_ldap module works by using hooks in the mod_ldap module code to retrieve authorized user keys during the LDAP queries. Thus the mod_sftp_ldap module has no configuration directives of its own.

To help demonstrate, see the example configuration below:

  <IfModule mod_ldap.c>
    # mod_ldap configuration here
  </IfModule>

  <IfModule mod_sftp.c>
    SFTPEngine on
    SFTPLog /path/to/sftp.log

    # Host keys, for server host authentication
    SFTPHostKey /etc/ssh_host_dsa_key
    SFTPHostKey /etc/ssh_host_rsa_key

    <IfModule mod_sftp_ldap.c>
      # Instead of using a file-based key store, we tell mod_sftp to use
      # the LDAP-based key store provided by mod_sftp_ldap
      SFTPAuthorizedUserKeys ldap:
    </IfModule>
  </IfModule>

What should the schema be, for the directory entry which holds these authorized keys? The mod_sftp_ldap module assumes a posixAccount user entry with an ldapPublicKey objectclass and sshPublicKey attributes; multiple sshPublicKey attributes are allowed.


  dn: uid=foo,ou=users,dc=example,dc=com
  objectclass: top
  objectclass: person
  objectclass: organizationalPerson
  objectclass: posixAccount
  objectclass: ldapPublicKey
  description: John Doe Account
  userPassword: {crypt}0LXhFAsrBWEEQ
  cn: John Doe
  sn: John Doe
  uid: foo
  uidNumber: 1234
  gidNumber: 123
  homeDirectory: /home/foo
  sshPublicKey: ---- BEGIN SSH2 PUBLIC KEY ---- ...
  sshPublicKey: ---- BEGIN SSH2 PUBLIC KEY ---- ...

Which leads to the next question: how can I transfer existing authorized SSH keys from their current flat files into the LDAP entries? First, you need to make sure that the key is in the RFC4716 format, using:

  # ssh-keygen -e -f /path/to/
Then simply add the output data to your LDAP entry's sshPublicKey attribute.
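The following Python script is an added illustration of the two steps above (the sshPublicKey schema and the migration of existing keys); it is not part of mod_sftp_ldap or ProFTPD. It converts an OpenSSH one-line public key into the RFC 4716 block that ssh-keygen -e produces, cross-checks that the key type named in the text matches the type encoded inside the key blob, parses the block back to confirm the round trip, and emits an ldapmodify LDIF fragment that adds the block as an sshPublicKey value. Because the value spans several lines, LDIF (RFC 2849) requires it to be base64-encoded with the "::" separator and folded at 76 columns; that is handled here. The sample key, the DN uid=foo,ou=users,dc=example,dc=com and the comment are constructed placeholders, and the 32-byte key material is a dummy pattern, not a real key.

```python
import base64
import struct
from typing import Tuple

BEGIN = "---- BEGIN SSH2 PUBLIC KEY ----"
END = "---- END SSH2 PUBLIC KEY ----"


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string: uint32 big-endian length + payload."""
    return struct.pack(">I", len(data)) + data


# Constructed sample input: an ed25519 public key in OpenSSH one-line format.
# The 32 bytes of key material are a placeholder pattern (0x00..0x1f), not a real key.
_SAMPLE_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
SAMPLE_OPENSSH_LINE = (
    "ssh-ed25519 " + base64.b64encode(_SAMPLE_BLOB).decode() + " jdoe@example.com"
)


def key_type_from_blob(blob: bytes) -> str:
    """Return the algorithm name stored as the first SSH string of a public-key blob."""
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if n == 0 or 4 + n > len(blob):
        raise ValueError("malformed key blob")
    return blob[4:4 + n].decode("ascii")


def openssh_to_rfc4716(line: str) -> str:
    """Convert an OpenSSH public-key line into RFC 4716 text (what `ssh-keygen -e` emits)."""
    parts = line.split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    blob = base64.b64decode(b64, validate=True)
    # The declared type and the type inside the blob must agree; a mismatch
    # means a corrupted or hand-edited key line.
    if key_type_from_blob(blob) != key_type:
        raise ValueError("key type mismatch between text and blob")
    body = base64.b64encode(blob).decode()
    lines = [BEGIN]
    if comment:
        # RFC 4716 header line; ssh-keygen quotes the Comment value.
        lines.append('Comment: "%s"' % comment.replace('"', ""))
    # Wrap the base64 body at 70 columns (ssh-keygen's width, within the RFC's 72-byte limit).
    lines.extend(body[i:i + 70] for i in range(0, len(body), 70))
    lines.append(END)
    return "\n".join(lines) + "\n"


def rfc4716_to_openssh(text: str) -> Tuple[str, str]:
    """Parse RFC 4716 text back into (key type, base64 blob) to validate a round trip."""
    lines = text.splitlines()
    if not lines or lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("missing RFC 4716 begin/end markers")
    body = []
    continuing = False  # a header line ending in '\' continues on the next line
    for ln in lines[1:-1]:
        if continuing:
            continuing = ln.endswith("\\")
            continue
        if ": " in ln or ln.endswith(":"):  # header line (base64 never contains ':')
            continuing = ln.endswith("\\")
            continue
        body.append(ln.strip())
    blob = base64.b64decode("".join(body), validate=True)
    return key_type_from_blob(blob), base64.b64encode(blob).decode()


def ldif_add_key(dn: str, rfc4716_text: str) -> str:
    """Emit an ldapmodify LDIF change record adding one sshPublicKey value.

    The value contains newlines, so RFC 2849 requires base64 encoding with '::';
    long lines are folded at 76 columns using a single-space continuation.
    """
    encoded = base64.b64encode(rfc4716_text.encode()).decode()
    attr = "sshPublicKey:: " + encoded
    folded = [attr[:76]] + [" " + attr[i:i + 75] for i in range(76, len(attr), 75)]
    record = ["dn: " + dn, "changetype: modify", "add: sshPublicKey"] + folded + ["-", ""]
    return "\n".join(record)


if __name__ == "__main__":
    block = openssh_to_rfc4716(SAMPLE_OPENSSH_LINE)
    print(block)
    print(ldif_add_key("uid=foo,ou=users,dc=example,dc=com", block))
```

Feed the printed LDIF to ldapmodify (for example `ldapmodify -x -D <bind dn> -W -f keys.ldif`, a standard OpenLDAP client invocation) to add the key to the entry; to migrate a whole authorized_keys file, call openssh_to_rfc4716 once per non-comment line and emit one "add:" mod per key, since multiple sshPublicKey values are allowed on the entry.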

Author: $Author: castaglia $
Last Updated: $Date: 2010/02/04 19:26:53 $

© Copyright 2010 TJ Saunders
All Rights Reserved