I'm a bit puzzled with this one and could really use some help.
We have a CentOS 6 box running VSFTPD as a dropbox for our customers. Each customer gets a local user and is chrooted to their home dir. Connections are made with explicit SSL.
VSFTPD config as follows:
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
chroot_local_user=YES
listen=YES
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
rsa_cert_file=/etc/ssl/private/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.pem
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=YES
ssl_sslv3=YES
require_ssl_reuse=NO
ssl_ciphers=HIGH
check_shell=NO
So far we have added 3 users, each in the same way.
useradd -s /sbin/nologin username
passwd username
The first 2 users work perfectly. The 3rd gets a Login Incorrect message from VSFTPD.
I've changed the 3rd user's password to test, just to check there wasn't a typo in the connection, but get the same thing.
Message in /var/log/secure for the 3rd user attempt is
pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=user3 rhost=127.0.0.1 user=user3
Anyone have any suggestions?
EDIT: In response to comments
The SELinux status is disabled.
The output from ls -lZd in each directory is
Working user:
drwx------ user1 user1 ? .
Non-working user:
drwxr-xr-x user2 user2 ? .
So there is an obvious difference in permissions, but the working user is less permissive?
Best Answer
PAM won't let you authorise the user if their shell isn't listed in /etc/shells. Change the user shell to a correct nologin, and make sure it is listed in /etc/shells.
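A diagnostic script for the check this answer describes, added here as an example (it is not part of the original answer): it reads a user's login shell from the passwd file and tests whether that exact path is listed in /etc/shells, which is what pam_shells enforces for the vsftpd PAM service. The file paths are parameters so the script can run on constructed sample files instead of the real system files.

```shell
#!/bin/sh
# Added example: reproduce the pam_shells check that rejects an FTP login when
# the account's shell is not listed in /etc/shells. Defaults point at the real
# system files; pass alternative paths to test against constructed data.

# user_shell USER [PASSWD_FILE] -> prints USER's login shell, fails if unknown
user_shell() {
    awk -F: -v u="$1" '$1 == u { print $7; found = 1 } END { exit !found }' \
        "${2:-/etc/passwd}"
}

# shell_allowed SHELL [SHELLS_FILE] -> exit 0 only if SHELL is an exact line
shell_allowed() {
    grep -qxF "$1" "${2:-/etc/shells}"
}

# check_ftp_user USER [PASSWD_FILE] [SHELLS_FILE]
# exit 0 if the shell is listed, 1 if it is missing, 2 if the user does not exist
check_ftp_user() {
    shells="${3:-/etc/shells}"
    sh=$(user_shell "$1" "${2:-/etc/passwd}") || { echo "$1: no such user"; return 2; }
    if shell_allowed "$sh" "$shells"; then
        echo "$1: shell $sh is listed in $shells"
        return 0
    fi
    echo "$1: shell $sh is NOT listed in $shells; pam_shells will reject the login"
    return 1
}

# make_sample DIR: write constructed passwd/shells files (sample data only, not
# copied from any real system) so the checks can be demonstrated offline.
make_sample() {
    printf '%s\n' 'user1:x:1001:1001::/home/user1:/sbin/nologin' \
                  'user3:x:1003:1003::/home/user3:/bin/false' > "$1/passwd"
    printf '%s\n' /bin/sh /bin/bash /sbin/nologin > "$1/shells"
}

# Demonstration on the constructed data: user1 is accepted, user3 is rejected.
demo_dir=$(mktemp -d)
make_sample "$demo_dir"
check_ftp_user user1 "$demo_dir/passwd" "$demo_dir/shells"
check_ftp_user user3 "$demo_dir/passwd" "$demo_dir/shells"
rm -rf "$demo_dir"
```

Run it against the real files with `check_ftp_user user3` on the box; an exit status of 1 points at the /etc/shells mismatch rather than a bad password.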