Home / server / Questions / 34678
In Process
user8269
Asked: 2009-07-02 11:54:38 +0800 CST

How to configure vsftpd to allow root logins?

  • 772

I'm on SLES 10.1, and trying to configure vsftpd to allow root logins. Does anyone know how to do this?

So far, I have this:

local_enable=YES
chroot_local_user=NO
userlist_enable=YES
userlist_deny=NO
userlist_file=/etc/vsftpd.users

And I've added root to /etc/vsftpd.users. When I try to log in, here's what I get:

$ ftp susebox
Connected to susebox.example.com.
220-FTP Server (user '[email protected]')
220
User (susebox.example.com:(none)): root
331-Password:
331
Password:
Connection closed by remote host.

C:\>

BTW, if you don't know the answer, please don't bother lecturing me about how I shouldn't allow root logins. I know what I'm doing, and I accept full responsibility for any ruptures in the space-time continuum that may result.

ftp security login root sles

7 Answers

  1. DISCLAIMER: Enabling root login for FTP is a Very Bad Idea for many, many reasons.

    Edit your vsftpd.conf file, and add the following line:

    userlist_deny=YES

    Edit user_list and ftpusers and comment out "root".

    • 17

  2. For those (like me) using VSFTPD on Ubuntu server in mid-2013, it appears that root is allowed to login via secure SFTP by default, no special changes necessary.

    However, if you really need plain old FTP access, all I had to do was:

    sudo nano /etc/ftpusers

    And comment out the line with root on it by placing a # at the start. Save the file, and reloading the server is not even necessary.

    BEWARE: This potentially allows the root password to be transmitted over the network, completely unencrypted, in PLAIN TEXT. It's a very bad idea unless you're working on a local virtual machine.

    • 12

  3. vi /etc/pam.d/vsftpd -> if you use vsftpd

    find

    auth blablabla sense=deny file=/etc/ftpusers

    Make it to be sense= allow or you can uncomment script above it, or modify the file:ftpusers or add another ftpusers files

    • 4

  4. for Debian 8 Jessie, you just need to edit /etc/ftpusers and comment out or delete root. nothing else needed, just restart vsftpd

    • 1

  5. Vsftpd can use pam for authentication, so I suggest you check /etc/pam.d/vsftpd. You will probably find it is pam that has been configured to prevent root from logging in.

    • 0

  6. In newer versions, you may need to change pam_service_name=vsftpd to pam_service_name=ftp near the end of your /etc/vsftpd.conf file. Otherwise, you may get a login authentication error for root (or any user) even though permissions are otherwise correct.

    • 0

  7. As 2020, after a fresh install of vsftpd, the only step required is changing /etc/ftpusers from:

    root
daemon
bin
sys
adm
...

    To

    #root
daemon
bin
sys
adm
...

    The ftpuserlist file explicitly lists users that are disallowed FTP access.

    Also,

    1. If you're using software controlled firewall(Like UFW or IPTables), make sure to open the FTP ports and also configure VSFTPD passive mode:

      pasv_enable=Yes
      pasv_max_port=10100
      pasv_min_port=1009
      pasv_address=xxx.xxx.xxx.xxx

      You should select a port range that fits your network/needs, then, afterwards allow this port range on your firewall, otherwise you'll keep getting a constant '227 Entering Passive Mode' followed by a disconnection.

    2. If you're using Amazon EC2, Google Cloud, Azure or any other solution, make sure to also allow those ports on the Security Groups/Firewall Rules on the console.

    • 0