FTP doesn't allow /usr/sbin/nologin user


Solution 1

Taken from here

Q) Help! Local users cannot log in.

A) There are various possible problems.

A1) By default, vsftpd disables any logins other than anonymous logins. Put
local_enable=YES in your /etc/vsftpd.conf to allow local users to log in.

A2) vsftpd tries to link with PAM. (Run "ldd vsftpd" and look for libpam to
find out whether this has happened or not). If vsftpd links with PAM, then
you will need to have a PAM file installed for the vsftpd service. There is
a sample one for RedHat systems included in the "RedHat" directory - put it
under /etc/pam.d

A3) If vsftpd didn't link with PAM, then there are various possible issues. Is
the user's shell in /etc/shells? If you have shadowed passwords, does your
system have a "shadow.h" file in the include path?

**A4) If you are not using PAM, then vsftpd will do its own check for a valid
user shell in /etc/shells. You may need to disable this if you use an invalid
shell to disable logins other than FTP logins. Put check_shell=NO in your
/etc/vsftpd.conf.**

You are Case A4

Solution 2

Look at check_shell in man vsftpd.conf:

Note! This option only has an effect for non-PAM builds of vsftpd.
If disabled, vsftpd will not check /etc/shells for a valid user
shell for local logins.

Default: YES

You can add /usr/sbin/nologin to /etc/shells. Simple and easy solution.

Another one is to change vsftpd.conf/PAM configuration.

In the PAM case, comment out this "auth ..." line:

$ grep shells /etc/pam.d/vsftpd
auth    required        pam_shells.so
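
The two checks the answers above point at (the user's shell against /etc/shells, and an uncommented pam_shells.so line in the vsftpd PAM file), as an added shell example that is not part of either answer or of vsftpd. The function names and the temporary sample files are assumptions constructed for illustration; the passwd entry is the one from the question.

```shell
#!/bin/sh
# Added example: why does vsftpd answer "530 Login incorrect" for a nologin user?
# Paths are arguments, so the checks can be run on copies of the real files.

# Print the login shell (7th passwd field) of user $1 from passwd file $2.
login_shell() {
    awk -F: -v u="$1" '$1 == u { print $7; found = 1 } END { exit !found }' "$2"
}

# Succeed if shell path $1 is an exact line of shells file $2.
shell_listed() {
    awk -v s="$1" '$0 == s { ok = 1 } END { exit !ok }' "$2"
}

# Succeed if PAM file $1 has an uncommented auth line that loads pam_shells.so.
pam_shells_active() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+[^#]*pam_shells\.so' "$1"
}

# diagnose USER PASSWD SHELLS PAMFILE: print one verdict word.
diagnose() {
    user_shell=$(login_shell "$1" "$2") || { echo "no-such-user"; return 0; }
    if shell_listed "$user_shell" "$3"; then
        echo "shell-listed"              # the shell check is not the cause
    elif pam_shells_active "$4"; then
        echo "rejected-by-pam_shells"    # PAM build: pam_shells fails auth
    else
        echo "depends-on-check_shell"    # non-PAM build: check_shell=YES rejects
    fi
}

# Constructed sample files (hypothetical copies, not read from the system).
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
echo 'marketftp:x:1001:1001::/srv/ftp:/usr/sbin/nologin' > "$demo/passwd"
printf '%s\n' '# /etc/shells: valid login shells' /bin/sh /bin/bash > "$demo/shells"
printf 'auth    required        pam_shells.so\n' > "$demo/pam_on"
printf '#auth   required        pam_shells.so\n' > "$demo/pam_off"

diagnose marketftp "$demo/passwd" "$demo/shells" "$demo/pam_on"
diagnose marketftp "$demo/passwd" "$demo/shells" "$demo/pam_off"
```

On a real host the same call is `diagnose marketftp /etc/passwd /etc/shells /etc/pam.d/vsftpd`; whether the binary is a PAM build is the `ldd vsftpd` check from the FAQ.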

Author: steveyang

Updated on September 18, 2022

Comments

  • steveyang almost 2 years

    I want to set up FTP for a couple of FTP-only users with vsftpd. I configured the FTP to enable local user access. It works fine. But once I edit the users' shell to /usr/sbin/nologin, they couldn't log into the FTP, with the following error:

    Response:   220 Welcome to the Scent Library's File Service.
    Command:    USER marketftp
    Response:   331 Please specify the password.
    Command:    PASS ******
    Response:   530 Login incorrect.
    

    Here is what I have done:

    • All FTP-only users will have /srv/ftp as their home directory. The directory information is:

      /srv/ftp: drwxr-xr-x 3 root slftp 4.0K 2012-02-09 17:20 ftp/

    • All the ftp-only users will be in the group slftp;

      I created the user with adduser and ended up with this /etc/passwd entry: marketftp:x:1001:1001::/srv/ftp:/usr/sbin/nologin

      And this in /etc/group: slftp:x:1001:marketftp

    • The vsftpd is configured with the following to limit the user to their own home except local users in the vsftpd.chroot_list:

      chroot_local_user=YES
      chroot_list_enable=YES
      chroot_list_file=/etc/vsftpd.chroot_list
      

    Where is my problem? As the FTP could be logged in by normal local users, the connection is fine. But why couldn't the FTP-only user log in?

  • Tk421 over 4 years
    This workaround needs to be removed as a suggestion. unix.stackexchange.com/questions/155139/…
  • fei0x over 3 years
    @steveyang, there are users on the other answer saying that your suggestion has security issues.