Home / server / Questions / 358324
Accepted
steveyang
Asked: 2012-02-10 01:40:05 +0800 CST

FTP doesn't allow /usr/sbin/nologin user

  • 772

I want to setup a ftp for couple of ftp-only users with vsftpd. I configured the FTP to enable local user access. It works fine. But once I edit the users' shell to /usr/sbin/nologin, it couldn't log into the FTP with the following error:

Response:   220 Welcome to the Scent Library's File Service.
Command:    USER marketftp
Response:   331 Please specify the password.
Command:    PASS ******
Response:   530 Login incorrect.

Here is what I have done:

  • All ftp-only user will have /srv/ftp as their home directory.The directory information is

    /srv/ftp: drwxr-xr-x 3 root slftp 4.0K 2012-02-09 17:20 ftp/

  • All the ftp-only users will be in the group slftp;

    I created the user with adduser and ended up with this /etc/passwd entry: marketftp:x:1001:1001::/srv/ftp:/usr/sbin/nologin

    And this in /etc/group: slftp:x:1001:marketftp

  • The vsftpd is configured with the following to limit the user to their own home except local users in the vsftpd.chroot_list:

    chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list

Where is my problem? As the FTP could be logged in by normal local users, the connection is fine. But why couldn't the ftp-only user login?

linux ftp vsftpd users

4 Answers

  1. Best Answer

    Taken from here

    Q) Help! Local users cannot log in.

    A) There are various possible problems.

A1) By default, vsftpd disables any logins other than anonymous logins. Put
local_enable=YES in your /etc/vsftpd.conf to allow local users to log in.

A2) vsftpd tries to link with PAM. (Run "ldd vsftpd" and look for libpam to
find out whether this has happened or not). If vsftpd links with PAM, then
you will need to have a PAM file installed for the vsftpd service. There is
a sample one for RedHat systems included in the "RedHat" directory - put it
under /etc/pam.d

A3) If vsftpd didn't link with PAM, then there are various possible issues. Is
the user's shell in /etc/shells? If you have shadowed passwords, does your
system have a "shadow.h" file in the include path?

**A4) If you are not using PAM, then vsftpd will do its own check for a valid
user shell in /etc/shells. You may need to disable this if you use an invalid
shell to disable logins other than FTP logins. Put check_shell=NO in your
/etc/vsftpd.conf.**

    You are Case A4

    • 15

  2. Look at check_shell in man vsftpd.conf:

    Note! This option only has an effect for non-PAM builds of vsftpd.
If disabled, vsftpd will not check /etc/shells for a valid user
shell for local logins.

Default: YES

    You can add /usr/sbin/nologin to /etc/shells. Simple and easy solution.

    Another one is to change vsftpd.conf/PAM configuration.

    Comment out this "auth ..." line in PAM case:

    $ grep shells /etc/pam.d/vsftpd
auth    required        pam_shells.so
    • 6

  3. They have no WRITE access to their own home-folder.

    (Its RWX R-X R-X , owner root, group slftp)

    This is usually enough cause to prevent FTP from work.

    • 0

  4. I put /usr/sbin/nologin in /etc/shells and vsftpd works fine.

    • -3