mod_sftp_ldap
The mod_sftp module for ProFTPD can support different storage formats for
its user- and host-based authorized keys. By default, the mod_sftp
module supports storing authorized keys in flat files. This
mod_sftp_ldap module allows for authorized SSH keys to be stored
in LDAP directories.
This module is contained in the mod_sftp_ldap.c file for
ProFTPD 1.3.x, and is not compiled by default. Installation
instructions are discussed here.
The most current version of mod_sftp_ldap can be found at:
http://www.castaglia.org/proftpd/
This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/). This product includes cryptographic software written by Eric Young (eay@cryptsoft.com).
Please contact TJ Saunders <tj at castaglia.org> with any questions, concerns, or suggestions regarding this module.
Installation
To install mod_sftp_ldap, go to the third-party module area in
the proftpd source code and unpack the mod_sftp_ldap source
tarball:

  $ cd proftpd-dir/contrib/
  $ tar zxvf /path/to/mod_sftp_ldap-version.tar.gz

after unpacking the latest proftpd-1.3.x source code. Then follow the usual
steps for using third-party modules in proftpd, making sure to include the
mod_sftp and mod_ldap modules, which mod_sftp_ldap requires. For including
mod_sftp_ldap as a statically linked module:

  $ ./configure --with-modules=mod_ldap:mod_sftp:mod_sftp_ldap ...
  $ make
  $ make install
The mod_sftp_ldap module works by using hooks in the
mod_ldap module code to retrieve authorized user keys during
the LDAP queries. Thus the mod_sftp_ldap module has no
configuration directives of its own.
To help demonstrate, see the example configuration below:
  <IfModule mod_ldap.c>
    # mod_ldap configuration here
  </IfModule>

  <IfModule mod_sftp.c>
    SFTPEngine on
    SFTPLog /path/to/sftp.log

    # Host keys, for server host authentication
    SFTPHostKey /etc/ssh_host_dsa_key
    SFTPHostKey /etc/ssh_host_rsa_key

    <IfModule mod_sftp_ldap.c>
      # Instead of using a file-based key store, we tell mod_sftp to use
      # the LDAP-based key store provided by mod_sftp_ldap
      SFTPAuthorizedUserKeys ldap:
    </IfModule>
  </IfModule>
What should the schema be, for the directory entry which holds these authorized
keys? The mod_sftp_ldap module assumes a posixAccount
user entry with an ldapPublicKey objectclass and
sshPublicKey attributes; multiple sshPublicKey
attributes are allowed.
Example LDIF:
dn: uid=foo,ou=users,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: posixAccount
objectClass: ldapPublicKey
description: John Doe Account
userPassword: {crypt}0LXhFAsrBWEEQ
cn: John Doe
sn: John Doe
uid: foo
uidNumber: 1234
gidNumber: 123
homeDirectory: /home/foo
sshPublicKey: ---- BEGIN SSH2 PUBLIC KEY ---- ...
sshPublicKey: ---- BEGIN SSH2 PUBLIC KEY ---- ...
Which leads to the next question: how can I transfer existing authorized SSH
keys from their current flat files into the LDAP entries? First, you need to
make sure that the key is in the RFC4716 format, using:

  $ ssh-keygen -e -f /path/to/key.pub

Then simply add the output data to your LDAP entry's sshPublicKey attribute.
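As an added example that is not part of mod_sftp_ldap or ProFTPD, the following Python script does offline what the ssh-keygen step above does and carries it through to the directory update: it converts each OpenSSH authorized_keys line to RFC 4716 (same markers, Comment header and 70-character body lines as ssh-keygen -e), checks that the algorithm name embedded in the key blob agrees with the declared key type, and emits an LDIF modify record adding the keys to the entry's sshPublicKey attribute. One detail "simply add the output" hides is that an RFC 4716 key spans several lines, and LDIF only allows that as a base64 value written with `sshPublicKey::`, which the script handles. It assumes the DN from the LDIF above; the key line is a constructed placeholder and the function names are this example's own.

```python
"""Added example (not mod_sftp_ldap's own code): OpenSSH authorized_keys lines
-> RFC 4716 -> LDIF modify record for the sshPublicKey attribute."""
import base64
import struct

RFC4716_BEGIN = "---- BEGIN SSH2 PUBLIC KEY ----"
RFC4716_END = "---- END SSH2 PUBLIC KEY ----"


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string: uint32 big-endian length + data."""
    return struct.pack(">I", len(data)) + data


def parse_authorized_key(line: str):
    """Split one authorized_keys line into (key type, decoded key blob, comment).

    Lines carrying an options prefix (e.g. 'no-pty,command="..."') fail the
    base64 decode, which is intended: sshPublicKey holds a bare key only.
    """
    fields = line.strip().split(None, 2)
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = fields[0], fields[1]
    comment = fields[2] if len(fields) == 3 else ""
    blob = base64.b64decode(b64, validate=True)
    # The first wire string inside the blob names the algorithm; it must match
    # the declared type, otherwise the line is corrupt or has been edited.
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    embedded = blob[4:4 + n].decode("ascii", errors="replace")
    if embedded != key_type:
        raise ValueError(f"type mismatch: declared {key_type!r}, blob says {embedded!r}")
    return key_type, blob, comment


def to_rfc4716(blob: bytes, comment: str = "") -> str:
    """Render a key blob as 'ssh-keygen -e' does: RFC 4716 markers, an optional
    Comment header, and base64 body lines of at most 70 characters."""
    b64 = base64.b64encode(blob).decode("ascii")
    lines = [RFC4716_BEGIN]
    if comment:
        lines.append(f'Comment: "{comment}"')
    lines.extend(b64[i:i + 70] for i in range(0, len(b64), 70))
    lines.append(RFC4716_END)
    return "\n".join(lines) + "\n"


def from_rfc4716(text: str) -> bytes:
    """Parse an RFC 4716 key (as stored in sshPublicKey) back into its blob,
    so a directory entry can be checked before it is relied on for login."""
    lines = text.strip().splitlines()
    if len(lines) < 3 or lines[0] != RFC4716_BEGIN or lines[-1] != RFC4716_END:
        raise ValueError("missing RFC 4716 begin/end markers")
    # Single-line header fields look like 'Tag: value'; base64 never contains ':'.
    # (Backslash-continued multi-line headers are not handled by this example.)
    body = [ln for ln in lines[1:-1] if ":" not in ln]
    return base64.b64decode("".join(body), validate=True)


def to_ldif_modify(dn: str, rfc4716_keys) -> str:
    """Build an LDIF 'changetype: modify' record adding each key as sshPublicKey.

    The values span several lines, and LDIF (RFC 2849) allows a plain
    'attr: value' only for single-line SAFE-STRING values, so each key is
    base64-encoded and written in the 'attr:: value' form instead.
    """
    out = [f"dn: {dn}", "changetype: modify", "add: sshPublicKey"]
    for key in rfc4716_keys:
        encoded = base64.b64encode(key.encode("ascii")).decode("ascii")
        out.append(f"sshPublicKey:: {encoded}")
    out.append("-")
    return "\n".join(out) + "\n"


def convert_authorized_keys(lines, dn: str) -> str:
    """Convert every key line of an authorized_keys file into one LDIF record."""
    keys = []
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # skip blank lines and comments
        _key_type, blob, comment = parse_authorized_key(line)
        keys.append(to_rfc4716(blob, comment))
    return to_ldif_modify(dn, keys)


# Constructed sample input: a syntactically valid ssh-ed25519 line whose 32-byte
# public key is a placeholder (all 0x01 bytes), not a real key.
SAMPLE_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes([1]) * 32)
SAMPLE_LINE = "ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode("ascii") + " foo@laptop"
SAMPLE_DN = "uid=foo,ou=users,dc=example,dc=com"  # the entry from the LDIF above

if __name__ == "__main__":
    # Save the output as keys.ldif and apply it with, for example:
    #   ldapmodify -x -D "<admin dn>" -W -f keys.ldif
    print(convert_authorized_keys([SAMPLE_LINE], SAMPLE_DN), end="")
```

The type check in parse_authorized_key is cheap insurance for a migration: a key line whose declared type and embedded algorithm name disagree will not load anyway, and catching it before it lands in the directory keeps the failure next to the file it came from rather than in a later SFTP login attempt.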