mod_sftp_sql
The mod_sftp module for ProFTPD can support different storage formats for
its user- and host-based authorized keys. By default, the mod_sftp
module supports storing authorized keys in flats. This
mod_sftp_ldap module allows for authorized SSH keys to be stored
in LDAP directories.
This module is contained in the mod_sftp_ldap.c file for
ProFTPD 1.3.x, and is not compiled by default. Installation
instructions are discussed here.
The most current version of mod_sftp_ldap can be found at:
http://www.castaglia.org/proftpd/
This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/). This product includes cryptographic software written by Eric Young (eay@cryptsoft.com).
Please contact TJ Saunders <tj at castaglia.org> with any questions, concerns, or suggestions regarding this module.
mod_sftp_ldap, copy the mod_sftp_ldap.c
file into:
proftpd-dir/contrib/after unpacking the latest proftpd-1.3.x source code. Then follow the usual steps for using third-party modules in proftpd, making sure to include the
mod_sftp and mod_ldap modules, which
mod_sftp_ldap requires. For example, you might use:
./configure --with-modules=mod_ldap:mod_sftp:mod_sftp_ldap ... make make install
The mod_sftp_ldap module works by using hooks in the
mod_ldap module code to retrieve authorized user keys during
the LDAP queries. Thus the mod_sftp_ldap module has no
configuration directives of its own.
To help demonstrate, see the example configuration below:
<IfModule mod_ldap.c>
# mod_ldap configuration here
</IfModule>
<IfModule mod_sftp.c>
SFTPEngine on
SFTPLog /path/to/sftp.log
# Host keys, for server host authentication
SFTPHostKey /etc/ssh_host_dsa_key
SFTPHostKey /etc/ssh_host_rsa_key
<IfModule mod_sftp_ldap.c>
# Instead of using a file-based key store, we tell mod_sftp to use
# the LDAP-based key store provided by mod_sftp_ldap
SFTPAuthorizedUserKeys ldap:
</IfModule>
</IfModule>
What should the schema be, for the directory entry which holds these authorized
keys? The mod_sftp_ldap module assumes a posixAccount
user entry with an ldapPublicKey objectclass and
sshPublicKey attributes; multiple sshPublicKey
attributes are allowed.
Example:
dn: uid=foo,ou=users,dc=example,dc=com
objectclass: top
objectclass: person
bjectclass: organizationalPerson
objectclass: posixAccount
objectclass: ldapPublicKey
description: John Doe Account
userPassword: {crypt}0LXhFAsrBWEEQ
cn: John Doe
sn: John Doe
uid: foo
uidNumber: 1234
gidNumber: 123
homeDirectory: /home/foo
sshPublicKey: ---- BEGIN SSH2 PUBLIC KEY ---- ...
sshPublicKey: ---- BEGIN SSH2 PUBLIC KEY ---- ...
Which leads to the next question: how can I transfer existing authorized SSH keys from their current flat files into the LDAP entries? First, you need to make sure that the key is in the RFC4716 format, using:
# ssh-keygen -e -f /path/to/key.pubThen simply add the output data to your LDAP entry's
sshPublicKey
attribute.