vsftpd fails pam authentication

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP












10















Moving a tried-and-true vsftpd configuration onto a new server with Fedora 16, I ran into a problem. All seems to go as it should, but user authentication fails. I cannot find any entry in any log that indicates what happened.



Here is the full config file:



anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_file=/var/log/vsftpd.log
xferlog_std_format=YES
idle_session_timeout=0
data_connection_timeout=0
nopriv_user=ftpsecure
connect_from_port_20=YES
listen=YES
chroot_local_user=YES
chroot_list_enable=NO
ls_recurse_enable=YES
listen_ipv6=NO

pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES


FTP challenges me for a username and password, I provide them, Login Incorrect. I have verified, this user is able to login from ssh. Something is screwed up with pam_service.



Anonymous (if changed to allowed) seems to work well.



SELinux is disabled.



Ftpsecure appears to be configured fine... I am at a complete loss!



Here are the log files I examined with no success:



/var/log/messages
/var/log/xferlog #empty
/var/log/vsftpd.log #empty
/var/log/secure


Found something in /var/log/audit/audit.log:



type=USER_AUTH msg=audit(1335632253.332:18486): user pid=19528 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication acct="kate" exe="/usr/sbin/vsftpd" hostname=ip68-5-219-23.oc.oc.cox.net addr=68.5.219.23 terminal=ftp res=failed'



Perhaps I should look at /var/log/wtf-is-wrong.help :-)



Further info:



/etc/pam.d/vsftpd looks like this:



#%PAM-1.0
session optional pam_keyinit.so force revoke
auth required pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
auth required pam_shells.so
auth include password-auth
account include password-auth
session required pam_loginuid.so
session include password-auth









share|improve this question



















  • 1





    What's the PAM configuration (/etc/pam.d/vsftpd, I think)?

    – Gilles
    Apr 28 '12 at 22:32











  • Try /var/log/syslog or dmesg.

    – Hello71
    Apr 29 '12 at 2:07











  • pam config:session optional pam_keyinit.so force revoke auth required pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed auth required pam_shells.so auth include password-auth account include password-auth session required pam_loginuid.so session include password-auth

    – KateYoak
    Apr 30 '12 at 3:23















10















Moving a tried-and-true vsftpd configuration onto a new server with Fedora 16, I ran into a problem. All seems to go as it should, but user authentication fails. I cannot find any entry in any log that indicates what happened.



Here is the full config file:



anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_file=/var/log/vsftpd.log
xferlog_std_format=YES
idle_session_timeout=0
data_connection_timeout=0
nopriv_user=ftpsecure
connect_from_port_20=YES
listen=YES
chroot_local_user=YES
chroot_list_enable=NO
ls_recurse_enable=YES
listen_ipv6=NO

pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES


FTP challenges me for a username and password, I provide them, Login Incorrect. I have verified, this user is able to login from ssh. Something is screwed up with pam_service.



Anonymous (if changed to allowed) seems to work well.



SELinux is disabled.



Ftpsecure appears to be configured fine... I am at a complete loss!



Here are the log files I examined with no success:



/var/log/messages
/var/log/xferlog #empty
/var/log/vsftpd.log #empty
/var/log/secure


Found something in /var/log/audit/audit.log:



type=USER_AUTH msg=audit(1335632253.332:18486): user pid=19528 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication acct="kate" exe="/usr/sbin/vsftpd" hostname=ip68-5-219-23.oc.oc.cox.net addr=68.5.219.23 terminal=ftp res=failed'



Perhaps I should look at /var/log/wtf-is-wrong.help :-)



Further info:



/etc/pam.d/vsftpd looks like this:



#%PAM-1.0
session optional pam_keyinit.so force revoke
auth required pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
auth required pam_shells.so
auth include password-auth
account include password-auth
session required pam_loginuid.so
session include password-auth









share|improve this question



















  • 1





    What's the PAM configuration (/etc/pam.d/vsftpd, I think)?

    – Gilles
    Apr 28 '12 at 22:32











  • Try /var/log/syslog or dmesg.

    – Hello71
    Apr 29 '12 at 2:07











  • pam config:session optional pam_keyinit.so force revoke auth required pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed auth required pam_shells.so auth include password-auth account include password-auth session required pam_loginuid.so session include password-auth

    – KateYoak
    Apr 30 '12 at 3:23













10












10








10


4






Moving a tried-and-true vsftpd configuration onto a new server with Fedora 16, I ran into a problem. All seems to go as it should, but user authentication fails. I cannot find any entry in any log that indicates what happened.



Here is the full config file:



anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_file=/var/log/vsftpd.log
xferlog_std_format=YES
idle_session_timeout=0
data_connection_timeout=0
nopriv_user=ftpsecure
connect_from_port_20=YES
listen=YES
chroot_local_user=YES
chroot_list_enable=NO
ls_recurse_enable=YES
listen_ipv6=NO

pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES


FTP challenges me for a username and password, I provide them, Login Incorrect. I have verified, this user is able to login from ssh. Something is screwed up with pam_service.



Anonymous (if changed to allowed) seems to work well.



SELinux is disabled.



Ftpsecure appears to be configured fine... I am at a complete loss!



Here are the log files I examined with no success:



/var/log/messages
/var/log/xferlog #empty
/var/log/vsftpd.log #empty
/var/log/secure


Found something in /var/log/audit/audit.log:



type=USER_AUTH msg=audit(1335632253.332:18486): user pid=19528 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication acct="kate" exe="/usr/sbin/vsftpd" hostname=ip68-5-219-23.oc.oc.cox.net addr=68.5.219.23 terminal=ftp res=failed'



Perhaps I should look at /var/log/wtf-is-wrong.help :-)



Further info:



/etc/pam.d/vsftpd looks like this:



#%PAM-1.0
session optional pam_keyinit.so force revoke
auth required pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
auth required pam_shells.so
auth include password-auth
account include password-auth
session required pam_loginuid.so
session include password-auth









share|improve this question
















Moving a tried-and-true vsftpd configuration onto a new server with Fedora 16, I ran into a problem. All seems to go as it should, but user authentication fails. I cannot find any entry in any log that indicates what happened.



Here is the full config file:



anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_file=/var/log/vsftpd.log
xferlog_std_format=YES
idle_session_timeout=0
data_connection_timeout=0
nopriv_user=ftpsecure
connect_from_port_20=YES
listen=YES
chroot_local_user=YES
chroot_list_enable=NO
ls_recurse_enable=YES
listen_ipv6=NO

pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES


FTP challenges me for a username and password, I provide them, Login Incorrect. I have verified, this user is able to login from ssh. Something is screwed up with pam_service.



Anonymous (if changed to allowed) seems to work well.



SELinux is disabled.



Ftpsecure appears to be configured fine... I am at a complete loss!



Here are the log files I examined with no success:



/var/log/messages
/var/log/xferlog #empty
/var/log/vsftpd.log #empty
/var/log/secure


Found something in /var/log/audit/audit.log:



type=USER_AUTH msg=audit(1335632253.332:18486): user pid=19528 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication acct="kate" exe="/usr/sbin/vsftpd" hostname=ip68-5-219-23.oc.oc.cox.net addr=68.5.219.23 terminal=ftp res=failed'



Perhaps I should look at /var/log/wtf-is-wrong.help :-)



Further info:



/etc/pam.d/vsftpd looks like this:



#%PAM-1.0
session optional pam_keyinit.so force revoke
auth required pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
auth required pam_shells.so
auth include password-auth
account include password-auth
session required pam_loginuid.so
session include password-auth






security ftp authentication pam






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Apr 30 '12 at 23:38







KateYoak

















asked Apr 28 '12 at 16:53









KateYoakKateYoak

4181512




4181512







  • 1





    What's the PAM configuration (/etc/pam.d/vsftpd, I think)?

    – Gilles
    Apr 28 '12 at 22:32











  • Try /var/log/syslog or dmesg.

    – Hello71
    Apr 29 '12 at 2:07











  • pam config:session optional pam_keyinit.so force revoke auth required pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed auth required pam_shells.so auth include password-auth account include password-auth session required pam_loginuid.so session include password-auth

    – KateYoak
    Apr 30 '12 at 3:23












  • 1





    What's the PAM configuration (/etc/pam.d/vsftpd, I think)?

    – Gilles
    Apr 28 '12 at 22:32











  • Try /var/log/syslog or dmesg.

    – Hello71
    Apr 29 '12 at 2:07











  • pam config:session optional pam_keyinit.so force revoke auth required pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed auth required pam_shells.so auth include password-auth account include password-auth session required pam_loginuid.so session include password-auth

    – KateYoak
    Apr 30 '12 at 3:23







1




1





What's the PAM configuration (/etc/pam.d/vsftpd, I think)?

– Gilles
Apr 28 '12 at 22:32





What's the PAM configuration (/etc/pam.d/vsftpd, I think)?

– Gilles
Apr 28 '12 at 22:32













Try /var/log/syslog or dmesg.

– Hello71
Apr 29 '12 at 2:07





Try /var/log/syslog or dmesg.

– Hello71
Apr 29 '12 at 2:07













pam config:session optional pam_keyinit.so force revoke auth required pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed auth required pam_shells.so auth include password-auth account include password-auth session required pam_loginuid.so session include password-auth

– KateYoak
Apr 30 '12 at 3:23





pam config:session optional pam_keyinit.so force revoke auth required pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed auth required pam_shells.so auth include password-auth account include password-auth session required pam_loginuid.so session include password-auth

– KateYoak
Apr 30 '12 at 3:23










6 Answers
6






active

oldest

votes


















17














Whew. I solved the problem. It amounts to a config but within /etc/pam.d/vsftpd



Because ssh sessions succeeded while ftp sessions failed, I went to



/etc/pam.d/vsftpd, removed everything that was there and instead placed the contents of ./sshd to match the rules precisely. All worked!



By method of elimination, I found that the offending line was:



 auth required pam_shells.so


Removing it allows me to proceed.



Tuns out, "pam_shells is a PAM module that only allows access to the system if the users shell is listed in /etc/shells." I looked there and sure enough, no bash, no nothing. This is a bug in vsftpd configuration in my opinion as nowhere in the documentation does it have you editing /etc/shells. Thus default installation and instructions do not work as stated.



I'll go find where I can submit the bug now.






share|improve this answer























  • /etc/shells is typically supposed to contain a list of acceptable shells. This is used by quite a few different subsystems and is expected to be correct. This file isn't created or maintained by vsftpd, but rather by your distro's core setup. So this isn't a vsftpd bug, it's a bug with your computer's setup.

    – tylerl
    Apr 24 '13 at 21:30












  • God thanks ! I should've seen that user unable to log in matched those with /sbin/nologin as user shell...

    – mveroone
    Jun 1 '16 at 12:31











  • Thank you so much! Your comment about /etc/shells helped me to find the reason for this strange behaviour change. The FTP-User was created with Shell: /sbin/nologin and /sbin/nologin turned out to be removed from /etc/shells. So I added the lines /sbin/nologin and /usr/sbin/nologin which made auth required pam_shells.so work too.

    – Bodo Hugo Barwich
    Jan 28 at 12:51


















2














I am using ubuntu and had same issue



Solution:



add-shell /sbin/nologin
sudo usermod -s /sbin/nologin ftpme
sudo vi /etc/pam.d/vsftpd


Then comment and add lines as following



#%PAM-1.0
session optional pam_keyinit.so force revoke
auth required pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
auth required pam_shells.so
#auth include password-auth
#account include password-auth
#session required pam_loginuid.so
#session include password-auth
@include common-auth
@include common-account
@include common-password
@include common-session





share|improve this answer






























    0














    As you mentioned in your own answer, the user shell should be listed in /etc/shells. You could set /sbin/nologin as user shell to forbid ssh and allow ftp without changing pam configuration:



    usermod -s /sbin/nologin restricted_ftp_user





    share|improve this answer






























      0














      If vsftpd fails with an error of




      vsftpd.service: control process exited, code=exited status=2




      Then another possibility is to check if
      pasv_addr_resolve=YES is set in the /etc/vsftpd/vsftpd.conf file. This causes the hostname of the FTP server to be resolved via DNS. If DNS won't resolve, like if you can't ping yourhostname.example.com, then you'll need to fix that DNS resolution problem or set pasv_addr_resolve=NO in the /etc/vsftpd/vsftpd.conf and it should at least let vsftpd start without the error.






      share|improve this answer
































        0














        I also ran into the same strange behaviour where a FTP-User configured with



        # finger <user>
        Login: <user> Name:
        Directory: /home/user-dir Shell: /sbin/nologin
        Never logged in.
        No mail.
        No Plan.


        on one System is able to log in and on the other not.



        In extention to the Answer of @KateYoak it turned out that the /etc/shells File was different and did not include the /sbin/nologin shell.
        which made the PAM Authentication in /etc/pam.d/vsftpd



        auth required pam_shells.so


        fail



        By just adding to the /etc/shells File the missing lines



        /sbin/nologin
        /usr/sbin/nologin


        the check in /etc/pam.d/vsftpd worked.



        So a working /etc/shells File should have:



        # cat /etc/shells
        /bin/sh
        /bin/bash
        /sbin/nologin
        /usr/bin/sh
        /usr/bin/bash
        /usr/sbin/nologin
        /bin/tcsh
        /bin/csh





        share|improve this answer






























          -2














          Back up the config file before making a change;



          sudo cp /etc/vsftpd.conf /etc/vsftpd.conf.back


          and then edit vsftpd.conf (with vi or nano)



          nano /etc/vsftpd.conf


          Then make the following change



          pam_service_name=ftp


          Save your change and restart the ftp server (if you use nano hit CTRL+O & enter to save then CTRL+X to exit)



          sudo service vsftpd restart





          share|improve this answer






















            Your Answer








            StackExchange.ready(function()
            var channelOptions =
            tags: "".split(" "),
            id: "106"
            ;
            initTagRenderer("".split(" "), "".split(" "), channelOptions);

            StackExchange.using("externalEditor", function()
            // Have to fire editor after snippets, if snippets enabled
            if (StackExchange.settings.snippets.snippetsEnabled)
            StackExchange.using("snippets", function()
            createEditor();
            );

            else
            createEditor();

            );

            function createEditor()
            StackExchange.prepareEditor(
            heartbeatType: 'answer',
            autoActivateHeartbeat: false,
            convertImagesToLinks: false,
            noModals: true,
            showLowRepImageUploadWarning: true,
            reputationToPostImages: null,
            bindNavPrevention: true,
            postfix: "",
            imageUploader:
            brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
            contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
            allowUrls: true
            ,
            onDemand: true,
            discardSelector: ".discard-answer"
            ,immediatelyShowMarkdownHelp:true
            );



            );













            draft saved

            draft discarded


















            StackExchange.ready(
            function ()
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f37539%2fvsftpd-fails-pam-authentication%23new-answer', 'question_page');

            );

            Post as a guest















            Required, but never shown

























            6 Answers
            6






            active

            oldest

            votes








            6 Answers
            6






            active

            oldest

            votes









            active

            oldest

            votes






            active

            oldest

            votes









            17














            Whew. I solved the problem. It amounts to a config but within /etc/pam.d/vsftpd



            Because ssh sessions succeeded while ftp sessions failed, I went to



            /etc/pam.d/vsftpd, removed everything that was there and instead placed the contents of ./sshd to match the rules precisely. All worked!



            By method of elimination, I found that the offending line was:



             auth required pam_shells.so


            Removing it allows me to proceed.



            Tuns out, "pam_shells is a PAM module that only allows access to the system if the users shell is listed in /etc/shells." I looked there and sure enough, no bash, no nothing. This is a bug in vsftpd configuration in my opinion as nowhere in the documentation does it have you editing /etc/shells. Thus default installation and instructions do not work as stated.



            I'll go find where I can submit the bug now.






            share|improve this answer























            • /etc/shells is typically supposed to contain a list of acceptable shells. This is used by quite a few different subsystems and is expected to be correct. This file isn't created or maintained by vsftpd, but rather by your distro's core setup. So this isn't a vsftpd bug, it's a bug with your computer's setup.

              – tylerl
              Apr 24 '13 at 21:30












            • God thanks ! I should've seen that user unable to log in matched those with /sbin/nologin as user shell...

              – mveroone
              Jun 1 '16 at 12:31











            • Thank you so much! Your comment about /etc/shells helped me to find the reason for this strange behaviour change. The FTP-User was created with Shell: /sbin/nologin and /sbin/nologin turned out to be removed from /etc/shells. So I added the lines /sbin/nologin and /usr/sbin/nologin which made auth required pam_shells.so work too.

              – Bodo Hugo Barwich
              Jan 28 at 12:51















            17














            Whew. I solved the problem. It amounts to a config but within /etc/pam.d/vsftpd



            Because ssh sessions succeeded while ftp sessions failed, I went to



            /etc/pam.d/vsftpd, removed everything that was there and instead placed the contents of ./sshd to match the rules precisely. All worked!



            By method of elimination, I found that the offending line was:



             auth required pam_shells.so


            Removing it allows me to proceed.



            Tuns out, "pam_shells is a PAM module that only allows access to the system if the users shell is listed in /etc/shells." I looked there and sure enough, no bash, no nothing. This is a bug in vsftpd configuration in my opinion as nowhere in the documentation does it have you editing /etc/shells. Thus default installation and instructions do not work as stated.



            I'll go find where I can submit the bug now.






            share|improve this answer























            • /etc/shells is typically supposed to contain a list of acceptable shells. This is used by quite a few different subsystems and is expected to be correct. This file isn't created or maintained by vsftpd, but rather by your distro's core setup. So this isn't a vsftpd bug, it's a bug with your computer's setup.

              – tylerl
              Apr 24 '13 at 21:30












            • God thanks ! I should've seen that user unable to log in matched those with /sbin/nologin as user shell...

              – mveroone
              Jun 1 '16 at 12:31











            • Thank you so much! Your comment about /etc/shells helped me to find the reason for this strange behaviour change. The FTP-User was created with Shell: /sbin/nologin and /sbin/nologin turned out to be removed from /etc/shells. So I added the lines /sbin/nologin and /usr/sbin/nologin which made auth required pam_shells.so work too.

              – Bodo Hugo Barwich
              Jan 28 at 12:51













            17












            17








            17







            Whew. I solved the problem. It amounts to a config but within /etc/pam.d/vsftpd



            Because ssh sessions succeeded while ftp sessions failed, I went to



            /etc/pam.d/vsftpd, removed everything that was there and instead placed the contents of ./sshd to match the rules precisely. All worked!



            By method of elimination, I found that the offending line was:



             auth required pam_shells.so


            Removing it allows me to proceed.



            Tuns out, "pam_shells is a PAM module that only allows access to the system if the users shell is listed in /etc/shells." I looked there and sure enough, no bash, no nothing. This is a bug in vsftpd configuration in my opinion as nowhere in the documentation does it have you editing /etc/shells. Thus default installation and instructions do not work as stated.



            I'll go find where I can submit the bug now.






            share|improve this answer













            Whew. I solved the problem. It amounts to a config but within /etc/pam.d/vsftpd



            Because ssh sessions succeeded while ftp sessions failed, I went to



            /etc/pam.d/vsftpd, removed everything that was there and instead placed the contents of ./sshd to match the rules precisely. All worked!



            By method of elimination, I found that the offending line was:



             auth required pam_shells.so


            Removing it allows me to proceed.



            Tuns out, "pam_shells is a PAM module that only allows access to the system if the users shell is listed in /etc/shells." I looked there and sure enough, no bash, no nothing. This is a bug in vsftpd configuration in my opinion as nowhere in the documentation does it have you editing /etc/shells. Thus default installation and instructions do not work as stated.



            I'll go find where I can submit the bug now.







            share|improve this answer












            share|improve this answer



            share|improve this answer










            answered May 1 '12 at 6:31









            KateYoakKateYoak

            4181512




            4181512












            • /etc/shells is typically supposed to contain a list of acceptable shells. This is used by quite a few different subsystems and is expected to be correct. This file isn't created or maintained by vsftpd, but rather by your distro's core setup. So this isn't a vsftpd bug, it's a bug with your computer's setup.

              – tylerl
              Apr 24 '13 at 21:30












            • God thanks ! I should've seen that user unable to log in matched those with /sbin/nologin as user shell...

              – mveroone
              Jun 1 '16 at 12:31











            • Thank you so much! Your comment about /etc/shells helped me to find the reason for this strange behaviour change. The FTP-User was created with Shell: /sbin/nologin and /sbin/nologin turned out to be removed from /etc/shells. So I added the lines /sbin/nologin and /usr/sbin/nologin which made auth required pam_shells.so work too.

              – Bodo Hugo Barwich
              Jan 28 at 12:51

















            • /etc/shells is typically supposed to contain a list of acceptable shells. This is used by quite a few different subsystems and is expected to be correct. This file isn't created or maintained by vsftpd, but rather by your distro's core setup. So this isn't a vsftpd bug, it's a bug with your computer's setup.

              – tylerl
              Apr 24 '13 at 21:30












            • God thanks ! I should've seen that user unable to log in matched those with /sbin/nologin as user shell...

              – mveroone
              Jun 1 '16 at 12:31











            • Thank you so much! Your comment about /etc/shells helped me to find the reason for this strange behaviour change. The FTP-User was created with Shell: /sbin/nologin and /sbin/nologin turned out to be removed from /etc/shells. So I added the lines /sbin/nologin and /usr/sbin/nologin which made auth required pam_shells.so work too.

              – Bodo Hugo Barwich
              Jan 28 at 12:51
















            /etc/shells is typically supposed to contain a list of acceptable shells. This is used by quite a few different subsystems and is expected to be correct. This file isn't created or maintained by vsftpd, but rather by your distro's core setup. So this isn't a vsftpd bug, it's a bug with your computer's setup.

            – tylerl
            Apr 24 '13 at 21:30






            /etc/shells is typically supposed to contain a list of acceptable shells. This is used by quite a few different subsystems and is expected to be correct. This file isn't created or maintained by vsftpd, but rather by your distro's core setup. So this isn't a vsftpd bug, it's a bug with your computer's setup.

            – tylerl
            Apr 24 '13 at 21:30














            God thanks ! I should've seen that user unable to log in matched those with /sbin/nologin as user shell...

            – mveroone
            Jun 1 '16 at 12:31





            God thanks ! I should've seen that user unable to log in matched those with /sbin/nologin as user shell...

            – mveroone
            Jun 1 '16 at 12:31













            Thank you so much! Your comment about /etc/shells helped me to find the reason for this strange behaviour change. The FTP-User was created with Shell: /sbin/nologin and /sbin/nologin turned out to be removed from /etc/shells. So I added the lines /sbin/nologin and /usr/sbin/nologin which made auth required pam_shells.so work too.

            – Bodo Hugo Barwich
            Jan 28 at 12:51





            Thank you so much! Your comment about /etc/shells helped me to find the reason for this strange behaviour change. The FTP-User was created with Shell: /sbin/nologin and /sbin/nologin turned out to be removed from /etc/shells. So I added the lines /sbin/nologin and /usr/sbin/nologin which made auth required pam_shells.so work too.

            – Bodo Hugo Barwich
            Jan 28 at 12:51













            2














            I am using ubuntu and had same issue



            Solution:



            add-shell /sbin/nologin
            sudo usermod -s /sbin/nologin ftpme
            sudo vi /etc/pam.d/vsftpd


            Then comment and add lines as following



            #%PAM-1.0
            session optional pam_keyinit.so force revoke
            auth required pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
            auth required pam_shells.so
            #auth include password-auth
            #account include password-auth
            #session required pam_loginuid.so
            #session include password-auth
            @include common-auth
            @include common-account
            @include common-password
            @include common-session





            share|improve this answer



























              2














              I am using ubuntu and had same issue



              Solution:



              add-shell /sbin/nologin
              sudo usermod -s /sbin/nologin ftpme
              sudo vi /etc/pam.d/vsftpd


              Then comment and add lines as following



              #%PAM-1.0
              session optional pam_keyinit.so force revoke
              auth required pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
              auth required pam_shells.so
              #auth include password-auth
              #account include password-auth
              #session required pam_loginuid.so
              #session include password-auth
              @include common-auth
              @include common-account
              @include common-password
              @include common-session





              share|improve this answer

























                2












                2








                2







                I am using ubuntu and had same issue



                Solution:



                add-shell /sbin/nologin
                sudo usermod -s /sbin/nologin ftpme
                sudo vi /etc/pam.d/vsftpd


                Then comment and add lines as following



                #%PAM-1.0
                session optional pam_keyinit.so force revoke
                auth required pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
                auth required pam_shells.so
                #auth include password-auth
                #account include password-auth
                #session required pam_loginuid.so
                #session include password-auth
                @include common-auth
                @include common-account
                @include common-password
                @include common-session





                share|improve this answer













                I am using ubuntu and had same issue



                Solution:



                add-shell /sbin/nologin
                sudo usermod -s /sbin/nologin ftpme
                sudo vi /etc/pam.d/vsftpd


                Then comment and add lines as following



                #%PAM-1.0
                session optional pam_keyinit.so force revoke
                auth required pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
                auth required pam_shells.so
                #auth include password-auth
                #account include password-auth
                #session required pam_loginuid.so
                #session include password-auth
                @include common-auth
                @include common-account
                @include common-password
                @include common-session






                share|improve this answer












                share|improve this answer



                share|improve this answer










                answered Dec 26 '14 at 16:31









                gadelkareemgadelkareem

                1214




                1214





















                    0














                    As you mentioned in your own answer, the user shell should be listed in /etc/shells. You could set /sbin/nologin as user shell to forbid ssh and allow ftp without changing pam configuration:



                    usermod -s /sbin/nologin restricted_ftp_user





                    share|improve this answer



























                      0














                      As you mentioned in your own answer, the user shell should be listed in /etc/shells. You could set /sbin/nologin as user shell to forbid ssh and allow ftp without changing pam configuration:



                      usermod -s /sbin/nologin restricted_ftp_user





                      share|improve this answer

























                        0












                        0








                        0







                        As you mentioned in your own answer, the user shell should be listed in /etc/shells. You could set /sbin/nologin as user shell to forbid ssh and allow ftp without changing pam configuration:



                        usermod -s /sbin/nologin restricted_ftp_user





                        share|improve this answer













                        As you mentioned in your own answer, the user shell should be listed in /etc/shells. You could set /sbin/nologin as user shell to forbid ssh and allow ftp without changing pam configuration:



                        usermod -s /sbin/nologin restricted_ftp_user






                        share|improve this answer












                        share|improve this answer



                        share|improve this answer










                        answered Mar 20 '13 at 6:26









                        ml43ml43

                        1




                        1





















                            0














                            If vsftpd fails with an error of




                            vsftpd.service: control process exited, code=exited status=2




                            Then another possibility is to check if
                            pasv_addr_resolve=YES is set in the /etc/vsftpd/vsftpd.conf file. This causes the hostname of the FTP server to be resolved via DNS. If DNS won't resolve, like if you can't ping yourhostname.example.com, then you'll need to fix that DNS resolution problem or set pasv_addr_resolve=NO in the /etc/vsftpd/vsftpd.conf and it should at least let vsftpd start without the error.






                            share|improve this answer





























                              0














                              If vsftpd fails with an error of




                              vsftpd.service: control process exited, code=exited status=2




                              Then another possibility is to check if
                              pasv_addr_resolve=YES is set in the /etc/vsftpd/vsftpd.conf file. This causes the hostname of the FTP server to be resolved via DNS. If DNS won't resolve, like if you can't ping yourhostname.example.com, then you'll need to fix that DNS resolution problem or set pasv_addr_resolve=NO in the /etc/vsftpd/vsftpd.conf and it should at least let vsftpd start without the error.






                              share|improve this answer



























                                0












                                0








                                0







                                If vsftpd fails with an error of




                                vsftpd.service: control process exited, code=exited status=2




                                Then another possibility is to check if
                                pasv_addr_resolve=YES is set in the /etc/vsftpd/vsftpd.conf file. This causes the hostname of the FTP server to be resolved via DNS. If DNS won't resolve, like if you can't ping yourhostname.example.com, then you'll need to fix that DNS resolution problem or set pasv_addr_resolve=NO in the /etc/vsftpd/vsftpd.conf and it should at least let vsftpd start without the error.






                                share|improve this answer















                                If vsftpd fails with an error of




                                vsftpd.service: control process exited, code=exited status=2




                                Then another possibility is to check if
                                pasv_addr_resolve=YES is set in the /etc/vsftpd/vsftpd.conf file. This causes the hostname of the FTP server to be resolved via DNS. If DNS won't resolve, like if you can't ping yourhostname.example.com, then you'll need to fix that DNS resolution problem or set pasv_addr_resolve=NO in the /etc/vsftpd/vsftpd.conf and it should at least let vsftpd start without the error.







                                share|improve this answer














                                share|improve this answer



                                share|improve this answer








                                edited Jan 11 '18 at 1:20









                                slm

                                251k67529685




                                251k67529685










                                answered Jan 10 '18 at 23:38









                                allellaallella

                                1




                                1





















                                    0














                                    I also ran into the same strange behaviour where a FTP-User configured with



                                    # finger <user>
                                    Login: <user> Name:
                                    Directory: /home/user-dir Shell: /sbin/nologin
                                    Never logged in.
                                    No mail.
                                    No Plan.


                                    on one System is able to log in and on the other not.



                                    In extention to the Answer of @KateYoak it turned out that the /etc/shells File was different and did not include the /sbin/nologin shell.
                                    which made the PAM Authentication in /etc/pam.d/vsftpd



                                    auth required pam_shells.so


                                    fail



                                    By just adding to the /etc/shells File the missing lines



                                    /sbin/nologin
                                    /usr/sbin/nologin


                                    the check in /etc/pam.d/vsftpd worked.



                                    So a working /etc/shells File should have:



                                    # cat /etc/shells
                                    /bin/sh
                                    /bin/bash
                                    /sbin/nologin
                                    /usr/bin/sh
                                    /usr/bin/bash
                                    /usr/sbin/nologin
                                    /bin/tcsh
                                    /bin/csh





                                    share|improve this answer



























                                      0














                                      I also ran into the same strange behaviour where a FTP-User configured with



                                      # finger <user>
                                      Login: <user> Name:
                                      Directory: /home/user-dir Shell: /sbin/nologin
                                      Never logged in.
                                      No mail.
                                      No Plan.


                                      on one System is able to log in and on the other not.



                                      In extention to the Answer of @KateYoak it turned out that the /etc/shells File was different and did not include the /sbin/nologin shell.
                                      which made the PAM Authentication in /etc/pam.d/vsftpd



                                      auth required pam_shells.so


                                      fail



                                      By just adding to the /etc/shells File the missing lines



                                      /sbin/nologin
                                      /usr/sbin/nologin


                                      the check in /etc/pam.d/vsftpd worked.



                                      So a working /etc/shells File should have:



                                      # cat /etc/shells
                                      /bin/sh
                                      /bin/bash
                                      /sbin/nologin
                                      /usr/bin/sh
                                      /usr/bin/bash
                                      /usr/sbin/nologin
                                      /bin/tcsh
                                      /bin/csh





                                      share|improve this answer

























                                        0












                                        0








                                        0







                                        I also ran into the same strange behaviour where a FTP-User configured with



                                        # finger <user>
                                        Login: <user> Name:
                                        Directory: /home/user-dir Shell: /sbin/nologin
                                        Never logged in.
                                        No mail.
                                        No Plan.


                                        on one System is able to log in and on the other not.



                                        In extention to the Answer of @KateYoak it turned out that the /etc/shells File was different and did not include the /sbin/nologin shell.
                                        which made the PAM Authentication in /etc/pam.d/vsftpd



                                        auth required pam_shells.so


                                        fail



                                        By just adding to the /etc/shells File the missing lines



                                        /sbin/nologin
                                        /usr/sbin/nologin


                                        the check in /etc/pam.d/vsftpd worked.



                                        So a working /etc/shells File should have:



                                        # cat /etc/shells
                                        /bin/sh
                                        /bin/bash
                                        /sbin/nologin
                                        /usr/bin/sh
                                        /usr/bin/bash
                                        /usr/sbin/nologin
                                        /bin/tcsh
                                        /bin/csh





                                        share|improve this answer













                                        I also ran into the same strange behaviour where a FTP-User configured with



                                        # finger <user>
                                        Login: <user> Name:
                                        Directory: /home/user-dir Shell: /sbin/nologin
                                        Never logged in.
                                        No mail.
                                        No Plan.


                                        on one System is able to log in and on the other not.



                                        In extention to the Answer of @KateYoak it turned out that the /etc/shells File was different and did not include the /sbin/nologin shell.
                                        which made the PAM Authentication in /etc/pam.d/vsftpd



                                        auth required pam_shells.so


                                        fail



                                        By just adding to the /etc/shells File the missing lines



                                        /sbin/nologin
                                        /usr/sbin/nologin


                                        the check in /etc/pam.d/vsftpd worked.



                                        So a working /etc/shells File should have:



                                        # cat /etc/shells
                                        /bin/sh
                                        /bin/bash
                                        /sbin/nologin
                                        /usr/bin/sh
                                        /usr/bin/bash
                                        /usr/sbin/nologin
                                        /bin/tcsh
                                        /bin/csh






                                        share|improve this answer












                                        share|improve this answer



                                        share|improve this answer










                                        answered Jan 28 at 13:20









                                        Bodo Hugo BarwichBodo Hugo Barwich

                                        915




                                        915





















                                            -2














                                            Back up the config file before making a change;



                                            sudo cp /etc/vsftpd.conf /etc/vsftpd.conf.back


                                            and then edit vsftpd.conf (with vi or nano)



                                            nano /etc/vsftpd.conf


                                            Then make the following change



                                            pam_service_name=ftp


                                            Save your change and restart the ftp server (if you use nano hit CTRL+O & enter to save then CTRL+X to exit)



                                            sudo service vsftpd restart





                                            share|improve this answer



























                                              -2














                                              Back up the config file before making a change;



                                              sudo cp /etc/vsftpd.conf /etc/vsftpd.conf.back


                                              and then edit vsftpd.conf (with vi or nano)



                                              nano /etc/vsftpd.conf


                                              Then make the following change



                                              pam_service_name=ftp


                                              Save your change and restart the ftp server (if you use nano hit CTRL+O & enter to save then CTRL+X to exit)



                                              sudo service vsftpd restart





                                              share|improve this answer

























                                                -2












                                                -2








                                                -2







                                                Back up the config file before making a change;



                                                sudo cp /etc/vsftpd.conf /etc/vsftpd.conf.back


                                                and then edit vsftpd.conf (with vi or nano)



                                                nano /etc/vsftpd.conf


                                                Then make the following change



                                                pam_service_name=ftp


                                                Save your change and restart the ftp server (if you use nano hit CTRL+O & enter to save then CTRL+X to exit)



                                                sudo service vsftpd restart





                                                share|improve this answer













                                                Back up the config file before making a change;



                                                sudo cp /etc/vsftpd.conf /etc/vsftpd.conf.back


                                                and then edit vsftpd.conf (with vi or nano)



                                                nano /etc/vsftpd.conf


                                                Then make the following change



                                                pam_service_name=ftp


                                                Save your change and restart the ftp server (if you use nano hit CTRL+O & enter to save then CTRL+X to exit)



                                                sudo service vsftpd restart






                                                share|improve this answer












                                                share|improve this answer



                                                share|improve this answer










                                                answered Mar 24 '14 at 13:20









                                                Shoaib ChikateShoaib Chikate

                                                973




                                                973



























                                                    draft saved

                                                    draft discarded
















































                                                    Thanks for contributing an answer to Unix & Linux Stack Exchange!


                                                    • Please be sure to answer the question. Provide details and share your research!

                                                    But avoid


                                                    • Asking for help, clarification, or responding to other answers.

                                                    • Making statements based on opinion; back them up with references or personal experience.

                                                    To learn more, see our tips on writing great answers.




                                                    draft saved


                                                    draft discarded














                                                    StackExchange.ready(
                                                    function ()
                                                    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f37539%2fvsftpd-fails-pam-authentication%23new-answer', 'question_page');

                                                    );

                                                    Post as a guest















                                                    Required, but never shown





















































                                                    Required, but never shown














                                                    Required, but never shown












                                                    Required, but never shown







                                                    Required, but never shown

































                                                    Required, but never shown














                                                    Required, but never shown












                                                    Required, but never shown







                                                    Required, but never shown






                                                    Popular posts from this blog

                                                    How to check contact read email or not when send email to Individual?

                                                    Displaying single band from multi-band raster using QGIS

                                                    How many registers does an x86_64 CPU actually have?