mod_sftp_ldap
The mod_sftp module for ProFTPD can support different storage formats for its user- and host-based authorized keys. By default, the mod_sftp module supports storing authorized keys in flat files. This mod_sftp_ldap module allows for authorized SSH keys to be stored in LDAP directories.
This module is contained in the mod_sftp_ldap.c file for ProFTPD 1.3.x, and is not compiled by default. Installation instructions are discussed here.
The most current version of mod_sftp_ldap can be found at:
http://www.castaglia.org/proftpd/
This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/). This product includes cryptographic software written by Eric Young (eay@cryptsoft.com).
Please contact TJ Saunders <tj at castaglia.org> with any questions, concerns, or suggestions regarding this module.
To install mod_sftp_ldap, copy the mod_sftp_ldap.c file into:
  proftpd-dir/contrib/
after unpacking the latest proftpd-1.3.x source code. Then follow the usual steps for using third-party modules in proftpd, making sure to include the mod_sftp and mod_ldap modules, which mod_sftp_ldap requires. For example, you might use:
  ./configure --with-modules=mod_ldap:mod_sftp:mod_sftp_ldap ...
  make
  make install
The mod_sftp_ldap module works by using hooks in the mod_ldap module code to retrieve authorized user keys during the LDAP queries. Thus the mod_sftp_ldap module has no configuration directives of its own.
To help demonstrate, see the example configuration below:
  <IfModule mod_ldap.c>
    # mod_ldap configuration here
  </IfModule>

  <IfModule mod_sftp.c>
    SFTPEngine on
    SFTPLog /path/to/sftp.log

    # Host keys, for server host authentication
    SFTPHostKey /etc/ssh_host_dsa_key
    SFTPHostKey /etc/ssh_host_rsa_key

    <IfModule mod_sftp_ldap.c>
      # Instead of using a file-based key store, we tell mod_sftp to use
      # the LDAP-based key store provided by mod_sftp_ldap
      SFTPAuthorizedUserKeys ldap:
    </IfModule>
  </IfModule>
What should the schema be, for the directory entry which holds these authorized keys? The mod_sftp_ldap module assumes a posixAccount user entry with an ldapPublicKey objectclass and sshPublicKey attributes; multiple sshPublicKey attributes are allowed.
Example:
  dn: uid=foo,ou=users,dc=example,dc=com
  objectclass: top
  objectclass: person
  objectclass: organizationalPerson
  objectclass: posixAccount
  objectclass: ldapPublicKey
  description: John Doe Account
  userPassword: {crypt}0LXhFAsrBWEEQ
  cn: John Doe
  sn: John Doe
  uid: foo
  uidNumber: 1234
  gidNumber: 123
  homeDirectory: /home/foo
  sshPublicKey: ---- BEGIN SSH2 PUBLIC KEY ----
  ...
  sshPublicKey: ---- BEGIN SSH2 PUBLIC KEY ----
  ...
Which leads to the next question: how can I transfer existing authorized SSH keys from their current flat files into the LDAP entries? First, you need to make sure that the key is in the RFC4716 format, using:
  # ssh-keygen -e -f /path/to/key.pub
Then simply add the output data to your LDAP entry's sshPublicKey attribute.
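As an added example (not part of the ProFTPD project or this document), the following script does the same conversion in bulk: it turns OpenSSH public-key lines into the RFC 4716 blocks that ssh-keygen -e prints and emits an LDIF modify record adding each one as an sshPublicKey attribute on the user's entry. It also checks that each key blob really begins with the advertised key type, so a damaged or truncated authorized_keys line is rejected before it lands in the directory. The sample key line is a constructed all-zero ssh-ed25519 dummy, and the DN is the uid=foo entry from the example above.

```python
import base64
import struct

# Constructed sample: a dummy ssh-ed25519 key (all-zero key bytes, NOT a real
# key) in OpenSSH authorized_keys format, so the example runs without key files.
_BLOB = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes(32)
SAMPLE_LINE = "ssh-ed25519 %s alice@example.com" % base64.b64encode(_BLOB).decode()

def parse_openssh_pubkey(line):
    """Split 'type base64 [comment]' and verify the blob really starts with the
    advertised key type, so malformed lines are rejected before reaching LDAP."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line")
    keytype, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    blob = base64.b64decode(b64, validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != keytype.encode("ascii"):
        raise ValueError("key blob does not match type %r" % keytype)
    return keytype, blob, comment

def to_rfc4716(line):
    """Render one OpenSSH key line as the RFC 4716 block ssh-keygen -e prints:
    header, optional quoted Comment, base64 body wrapped at 70 columns, trailer."""
    _, blob, comment = parse_openssh_pubkey(line)
    body = base64.b64encode(blob).decode("ascii")
    out = ["---- BEGIN SSH2 PUBLIC KEY ----"]
    if comment:
        out.append('Comment: "%s"' % comment.replace('"', ""))
    out += [body[i:i + 70] for i in range(0, len(body), 70)]
    out.append("---- END SSH2 PUBLIC KEY ----")
    return "\n".join(out)

def ldif_add_keys(dn, openssh_lines):
    """LDIF 'modify' record adding one sshPublicKey per key. The RFC 4716 text
    spans several lines, so LDIF requires it base64-encoded ('::'), and lines
    over 76 columns are folded onto continuation lines that start with a space."""
    rec = ["dn: %s" % dn, "changetype: modify", "add: sshPublicKey"]
    for line in openssh_lines:
        value = base64.b64encode(to_rfc4716(line).encode("ascii")).decode("ascii")
        attr = "sshPublicKey:: " + value
        rec.append(attr[:76])
        rec += [" " + attr[i:i + 75] for i in range(76, len(attr), 75)]
    rec.append("-")
    return "\n".join(rec) + "\n"

if __name__ == "__main__":
    print(ldif_add_keys("uid=foo,ou=users,dc=example,dc=com", [SAMPLE_LINE]))
```

The printed record can be fed to ldapmodify; because the multi-line value is base64-encoded, it survives LDIF's line-oriented parsing intact.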