vsftpd fails pam authentication
Moving a tried-and-true vsftpd configuration onto a new server with Fedora 16, I ran into a problem. All seems to go as it should, but user authentication fails. I cannot find any entry in any log that indicates what happened.
Here is the full config file:
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_file=/var/log/vsftpd.log
xferlog_std_format=YES
idle_session_timeout=0
data_connection_timeout=0
nopriv_user=ftpsecure
connect_from_port_20=YES
listen=YES
chroot_local_user=YES
chroot_list_enable=NO
ls_recurse_enable=YES
listen_ipv6=NO
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
FTP challenges me for a username and password, I provide them, Login Incorrect. I have verified, this user is able to login from ssh. Something is screwed up with pam_service.
Anonymous (if changed to allowed) seems to work well.
SELinux is disabled.
Ftpsecure appears to be configured fine... I am at a complete loss!
Here are the log files I examined with no success:
/var/log/messages
/var/log/xferlog #empty
/var/log/vsftpd.log #empty
/var/log/secure
Found something in /var/log/audit/audit.log:
type=USER_AUTH msg=audit(1335632253.332:18486): user pid=19528 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication acct="kate" exe="/usr/sbin/vsftpd" hostname=ip68-5-219-23.oc.oc.cox.net addr=68.5.219.23 terminal=ftp res=failed'
Perhaps I should look at /var/log/wtf-is-wrong.help :-)
Further info:
/etc/pam.d/vsftpd looks like this:
#%PAM-1.0
session optional pam_keyinit.so force revoke
auth required pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
auth required pam_shells.so
auth include password-auth
account include password-auth
session required pam_loginuid.so
session include password-auth
edited Apr 30 '12 at 23:38
asked Apr 28 '12 at 16:53 by KateYoak
What's the PAM configuration (/etc/pam.d/vsftpd, I think)?
– Gilles
Apr 28 '12 at 22:32
Try /var/log/syslog or dmesg.
– Hello71
Apr 29 '12 at 2:07
pam config: session optional pam_keyinit.so force revoke auth required pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed auth required pam_shells.so auth include password-auth account include password-auth session required pam_loginuid.so session include password-auth
– KateYoak
Apr 30 '12 at 3:23
6 Answers
Whew. I solved the problem. It amounts to a config bug within /etc/pam.d/vsftpd.
Because ssh sessions succeeded while ftp sessions failed, I went to /etc/pam.d/vsftpd, removed everything that was there and instead placed the contents of ./sshd to match the rules precisely. All worked!
By method of elimination, I found that the offending line was:
auth required pam_shells.so
Removing it allows me to proceed.
Turns out, "pam_shells is a PAM module that only allows access to the system if the user's shell is listed in /etc/shells." I looked there and sure enough, no bash, no nothing. This is a bug in vsftpd configuration in my opinion, as nowhere in the documentation does it have you editing /etc/shells. Thus default installation and instructions do not work as stated.
I'll go find where I can submit the bug now.
answered May 1 '12 at 6:31 by KateYoak
/etc/shells is typically supposed to contain a list of acceptable shells. This is used by quite a few different subsystems and is expected to be correct. This file isn't created or maintained by vsftpd, but rather by your distro's core setup. So this isn't a vsftpd bug, it's a bug with your computer's setup.
– tylerl
Apr 24 '13 at 21:30
God thanks! I should've seen that user unable to log in matched those with /sbin/nologin as user shell...
– mveroone
Jun 1 '16 at 12:31
Thank you so much! Your comment about /etc/shells helped me to find the reason for this strange behaviour change. The FTP-User was created with Shell: /sbin/nologin and /sbin/nologin turned out to be removed from /etc/shells. So I added the lines /sbin/nologin and /usr/sbin/nologin which made auth required pam_shells.so work too.
– Bodo Hugo Barwich
Jan 28 at 12:51
I am using Ubuntu and had the same issue.
Solution:
add-shell /sbin/nologin
sudo usermod -s /sbin/nologin ftpme
sudo vi /etc/pam.d/vsftpd
Then comment out and add lines as follows:
#%PAM-1.0
session optional pam_keyinit.so force revoke
auth required pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
auth required pam_shells.so
#auth include password-auth
#account include password-auth
#session required pam_loginuid.so
#session include password-auth
@include common-auth
@include common-account
@include common-password
@include common-session
answered Dec 26 '14 at 16:31 by gadelkareem
As you mentioned in your own answer, the user shell should be listed in /etc/shells. You could set /sbin/nologin as user shell to forbid ssh and allow ftp without changing pam configuration:
usermod -s /sbin/nologin restricted_ftp_user
answered Mar 20 '13 at 6:26 by ml43
If vsftpd fails with an error of
vsftpd.service: control process exited, code=exited status=2
Then another possibility is to check if pasv_addr_resolve=YES is set in the /etc/vsftpd/vsftpd.conf file. This causes the hostname of the FTP server to be resolved via DNS. If DNS won't resolve, like if you can't ping yourhostname.example.com, then you'll need to fix that DNS resolution problem or set pasv_addr_resolve=NO in the /etc/vsftpd/vsftpd.conf and it should at least let vsftpd start without the error.
edited Jan 11 '18 at 1:20 by slm
answered Jan 10 '18 at 23:38 by allella
I also ran into the same strange behaviour where a FTP-User configured with
# finger <user>
Login: <user> Name:
Directory: /home/user-dir Shell: /sbin/nologin
Never logged in.
No mail.
No Plan.
on one System is able to log in and on the other not.
In extention to the Answer of @KateYoak it turned out that the /etc/shells
File was different and did not include the /sbin/nologin
shell.
which made the PAM Authentication in /etc/pam.d/vsftpd
auth required pam_shells.so
fail
By just adding to the /etc/shells
File the missing lines
/sbin/nologin
/usr/sbin/nologin
the check in /etc/pam.d/vsftpd
worked.
So a working /etc/shells
File should have:
# cat /etc/shells
/bin/sh
/bin/bash
/sbin/nologin
/usr/bin/sh
/usr/bin/bash
/usr/sbin/nologin
/bin/tcsh
/bin/csh
answered Jan 28 at 13:20
Bodo Hugo Barwich
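The mismatch described in the answer above can be found before users report failed logins. The following is an added example, not part of the original answer: it lists every account whose login shell is missing from the shells file, which are the accounts that auth required pam_shells.so rejects. The function names, the sample accounts and the temporary files are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: report accounts that "auth required pam_shells.so" would
# reject because their login shell is missing from the shells file.

# unlisted_shell_users [passwd_file] [shells_file]
# Prints "user shell" for every account whose shell is not listed.
unlisted_shell_users() {
    passwd_file=${1:-/etc/passwd}
    shells_file=${2:-/etc/shells}
    awk -F: -v shells_file="$shells_file" '
        # True for blank lines and comment lines.
        function skip(s) { return s ~ /^[ \t]*#/ || s ~ /^[ \t]*$/ }
        BEGIN {
            # Load the allowed shells; the match is on the exact line.
            while ((getline line < shells_file) > 0)
                if (!skip(line)) allowed[line] = 1
            close(shells_file)
        }
        skip($0) { next }
        # Field 7 is the login shell; an empty field is flagged for review.
        !($7 in allowed) { print $1, ($7 == "" ? "(empty)" : $7) }
    ' "$passwd_file"
}

# Constructed sample data mirroring the answer: a shells file without nologin.
demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' '# constructed sample' /bin/sh /bin/bash > "$dir/shells"
    printf '%s\n' \
        'root:x:0:0:root:/root:/bin/bash' \
        'kate:x:1000:1000::/home/kate:/bin/bash' \
        'ftpuser:x:1001:1001::/home/user-dir:/sbin/nologin' > "$dir/passwd"
    echo "before fix:"
    unlisted_shell_users "$dir/passwd" "$dir/shells"
    # Apply the fix from the answer to the sample copy only.
    printf '%s\n' /sbin/nologin /usr/sbin/nologin >> "$dir/shells"
    echo "after fix:"
    unlisted_shell_users "$dir/passwd" "$dir/shells"
    rm -rf "$dir"
}

demo
```

Called without arguments, unlisted_shell_users reads /etc/passwd and /etc/shells, so it can be run on both the working and the failing server and the results compared.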
Back up the config file before making a change;
sudo cp /etc/vsftpd.conf /etc/vsftpd.conf.back
and then edit vsftpd.conf (with vi or nano)
nano /etc/vsftpd.conf
Then make the following change
pam_service_name=ftp
Save your change and restart the ftp server (if you use nano hit CTRL+O & enter to save then CTRL+X to exit)
sudo service vsftpd restart
answered Mar 24 '14 at 13:20
Shoaib Chikate
What's the PAM configuration (/etc/pam.d/vsftpd, I think)? – Gilles Apr 28 '12 at 22:32
Try /var/log/syslog or dmesg. – Hello71 Apr 29 '12 at 2:07
pam config: session optional pam_keyinit.so force revoke auth required pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed auth required pam_shells.so auth include password-auth account include password-auth session required pam_loginuid.so session include password-auth – KateYoak Apr 30 '12 at 3:23