9

I did a vsftpd setup on my home server. I got some authentication error so I searched through this forum and got a solution. This solution worked for me.

As in the solution, the default setting

pam_service_name=vsftpd

doesn't work and the FTP server doesn't allow me to log in.

And after I changed it to

pam_service_name=ftp

It works and I can log in as my local user to the FTP server. What is the reason behind this? Why doesn't the default work? I'm learning Linux so your good explanation can help me a lot.

Anbu
  • 529

4 Answers

7

I faced the same authentication error with pam_service_name=vsftpd.

Following advice online, I couldn't work out why setting pam_service_name=ftp fixed the problem so I tested setting this to pam_service_name=foobar and it also fixed the issue!

Disclaimer: I too am new to Linux; however, I believe the generally accepted advice to set pam_service_name=ftp is wrong.

pam_service_name=vsftpd selects the existing configuration file /etc/pam.d/vsftpd, however pam_service_name=ftp will look for /etc/pam.d/ftp which does not exist (at least on my system - Ubuntu 14.04.2 LTS). I suspect this is actually bypassing the PAM authentication without complaining it can't find the file.

By not using a valid PAM config, it may be less secure.

Final solution

I ended up keeping pam_service_name=vsftpd and made sure the user's shell existed in the /etc/shells file. http://www.cyberciti.biz/tips/howto-linux-shell-restricting-access.html

Looking at /etc/pam.d/vsftpd

# Standard behaviour for ftpd(8).
auth    required    pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed

# Note: vsftpd handles anonymous logins on its own. Do not enable pam_ftp.so.

# Standard pam includes
@include common-account
@include common-session
@include common-auth
auth    required    pam_shells.so

My issue was that it was failing at the auth required pam_shells.so step. I had made all my FTP users use the /usr/sbin/nologin shell which didn't exist in the /etc/shells file (non-ubuntu this might be just /sbin/nologin). If you're not sure, try commenting out the auth required pam_shells.so to see if this is the cause when pam_service_name=vsftpd.

Note: Further reading suggests it is cleaner to instead create virtual users but this requires different vsftpd and PAM configuration - http://www.sigerr.org/linux/setup-vsftpd-custom-multiple-directories-users-accounts-ubuntu-step-by-step/.

  • 2
    Agree with the explanations and the disclaimer about the general accepted advice is wrong. For the final solution, I used usermod -s /bin/sh <username> (with /bin/sh follow the one from /etc/shells) and I'm able to login ftp already. – checksum May 04 '16 at 13:01
  • @checksum Thank you! I've been googling a lot, and I believe this is THE missing step, I just needed usermod -s /bin/sh <username> – Kar.ma Feb 22 '19 at 16:36
3

In /etc/pam.d/vsftpd you can specify

auth required pam_nologin.so

so users whose login is disabled via /usr/sbin/nologin can only log in to the system by means of FTP.

Note: I read that adding nologin to /etc/shells might pose a security threat on Serverfault.

dexin
  • 31
1

For me the problem was that I created the PAM configuration (/etc/pam.d/vsftpd) on a Windows machine, resulting in \r\n line endings.

Once I converted the line endings to Linux style (just \n), the PAM config started to work.

I also first thought the PAM service name was wrong, and tried with pam_service_name=ftp instead of pam_service_name=vsftpd, but that did not help at all, and I agree with the assessment of Josef P. that this is not the way to go.

Reto Höhener
  • 457
  • 1
  • 5
  • 9
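The checks described in the answers above (the user's shell missing from /etc/shells while pam_shells.so is active, and CRLF line endings in /etc/pam.d/vsftpd), as an added example that is not part of any answer on this page. The function names and the finding labels are made up for this sketch; files pulled in via @include are not followed.

```shell
#!/bin/sh
# Added example: diagnose the vsftpd PAM login failures discussed above.
# File paths are parameters so the checks can be run against copies.

# has_crlf FILE: true if any line ends in CR (Windows line endings)
has_crlf() {
    cr=$(printf '\r')
    grep -q "${cr}\$" "$1"
}

# pam_shells_active FILE: true if an uncommented line loads pam_shells.so
pam_shells_active() {
    grep -Eq '^[[:space:]]*[^#[:space:]].*pam_shells\.so' "$1"
}

# shell_of USER PASSWD_FILE: print the user's login shell (7th passwd field)
shell_of() {
    awk -F: -v u="$1" '$1 == u { print $7; exit }' "$2"
}

# shell_listed SHELL SHELLS_FILE: true if SHELL is an exact line in the file
shell_listed() {
    grep -Fxq -- "$1" "$2"
}

# diagnose USER [PAM_FILE] [PASSWD_FILE] [SHELLS_FILE]: one finding per line
diagnose() {
    user=$1
    pam=${2:-/etc/pam.d/vsftpd}
    passwd=${3:-/etc/passwd}
    shells=${4:-/etc/shells}
    if [ ! -f "$pam" ]; then
        echo "MISSING_PAM_FILE $pam"
        return 0
    fi
    if has_crlf "$pam"; then echo "CRLF_LINE_ENDINGS $pam"; fi
    if pam_shells_active "$pam"; then
        login_shell=$(shell_of "$user" "$passwd")
        if [ -z "$login_shell" ]; then
            echo "UNKNOWN_USER $user"
        elif ! shell_listed "$login_shell" "$shells"; then
            echo "SHELL_NOT_LISTED $login_shell"
        fi
    fi
    return 0
}

# Run against the live files when called with a user name, e.g. ./check.sh ftpuser
if [ "$#" -gt 0 ]; then diagnose "$@"; fi
```

No output means none of these conditions was found for that user; the second argument can point at a different service file such as /etc/pam.d/ftp.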
0

A complete install of vsftpd for virtual users.

Install packages:

 apt install vsftpd libpam-pwdfile

Create the user:

useradd -N -s /bin/false -d /home/vsftpd vsftpd

Config files:

# /etc/pam.d/vsftpd
auth required pam_pwdfile.so pwdfile /etc/vsftpd/ftpd.passwd
account required pam_permit.so

/etc/vsftpd.conf

listen=YES
#listen_ipv6=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
xferlog_enable=YES
nopriv_user=vsftpd
chroot_local_user=YES
pam_service_name=vsftpd
utf8_filesystem=YES
hide_ids=YES
user_config_dir=/etc/vsftpd_user_conf
guest_enable=YES
virtual_use_local_privs=YES
pam_service_name=vsftpd
guest_username=vsftpd

/etc/vsftpd/ftpd.passwd

user names without passwords

user name 'upload' has a password.

if real password is 'MyPassword' then hash created with command:

openssl passwd MyPassword

programming:
videos:
documents:
furnitures:
sound:
engineer:
games:
programs:
shits:
upload:X7nyBRuyuJVyg

/etc/vsftpd_user_conf/documents

local_root=/media/nas/documents

/etc/vsftpd_user_conf/engineer

local_root=/media/nas/engineer
hide_file={/personal_grades}

/etc/vsftpd_user_conf/upload

local_root=/media/nas/downloads/FTP upload
download_enable=NO
write_enable=YES
allow_writeable_chroot=YES

Chameleon
  • 111