Why doesn't vsftpd work when pam_service_name=vsftpd?

Solution 1:

I faced the same authentication error with pam_service_name=vsftpd.

Following advice online, I couldn't work out why setting pam_service_name=ftp fixed the problem, so I tested setting this to pam_service_name=foobar and it also fixed the issue!

Disclaimer: I too am new to Linux; however, I believe the generally accepted advice to set pam_service_name=ftp is wrong.

pam_service_name=vsftpd selects the existing configuration file /etc/pam.d/vsftpd, however pam_service_name=ftp will look for /etc/pam.d/ftp which does not exist (at least on my system - Ubuntu 14.04.2 LTS). I suspect this is actually bypassing the PAM authentication without complaining it can't find the file.

By not using a valid PAM config, it may be less secure.

Final solution

I ended up keeping pam_service_name=vsftpd and made sure the user's shell existed in the /etc/shells file. http://www.cyberciti.biz/tips/howto-linux-shell-restricting-access.html

Looking at /etc/pam.d/vsftpd

# Standard behaviour for ftpd(8).
auth    required    pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed

# Note: vsftpd handles anonymous logins on its own. Do not enable pam_ftp.so.

# Standard pam includes
@include common-account
@include common-session
@include common-auth
auth    required    pam_shells.so

My issue was that it was failing at the auth required pam_shells.so step. I had made all my FTP users use the /usr/sbin/nologin shell, which didn't exist in the /etc/shells file (on non-Ubuntu systems this might be just /sbin/nologin). If you're not sure, try commenting out the auth required pam_shells.so line to see if this is the cause when pam_service_name=vsftpd.

Note: Further reading suggests it is cleaner to instead create virtual users but this requires different vsftpd and PAM configuration - http://www.sigerr.org/linux/setup-vsftpd-custom-multiple-directories-users-accounts-ubuntu-step-by-step/.

Solution 2:

In /etc/pam.d/vsftpd you can specify

auth required pam_nologin.so

so users whose login is disabled via /usr/sbin/nologin can only log in to the system by means of FTP.

Note: I read on Serverfault that adding nologin to /etc/shells might pose a security threat.

Solution 3:

For me the problem was that I created the PAM configuration (/etc/pam.d/vsftpd) on a Windows machine, resulting in \r\n line endings.

Once I converted the line endings to Linux style (just \n), the PAM config started to work.

I also first thought the PAM service name was wrong, and tried with pam_service_name=ftp instead of pam_service_name=vsftpd, but that did not help at all, and I agree with the assessment of Josef P. that this is not the way to go.
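
The checks from Solutions 1 and 3 can be scripted. The following is an added example, not part of any answer above and not vsftpd's or PAM's own tooling; the function names and the `diagnose` wrapper are hypothetical. It reports whether the PAM service file exists, whether it has \r\n line endings, and whether the user's shell is missing from /etc/shells while pam_shells.so is active.

```shell
#!/bin/sh
# Added example: diagnose the vsftpd PAM login failures discussed in the answers.
# All function names here are hypothetical helpers, not vsftpd or PAM commands.

# Print "missing", "crlf" or "ok" for a PAM service file.
pam_file_status() {
    [ -f "$1" ] || { echo missing; return 0; }
    cr=$(printf '\r')
    if grep -q "${cr}\$" "$1"; then echo crlf; else echo ok; fi
}

# Succeed if an uncommented auth line loads pam_shells.so.
uses_pam_shells() {
    grep -Eq '^[[:space:]]*auth[[:space:]].*pam_shells\.so' "$1"
}

# Print the login shell of USER ($1) from a passwd-format file ($2).
user_shell() {
    awk -F: -v u="$1" '$1 == u { print $7 }' "$2"
}

# Succeed if the shell path ($1) is a whole line in a shells-format file ($2).
shell_listed() {
    grep -Fxq -- "$1" "$2"
}

# diagnose USER SERVICE [PAMDIR] [PASSWD] [SHELLS]: print one finding per line.
diagnose() {
    pamfile="${3:-/etc/pam.d}/$2"; passwd="${4:-/etc/passwd}"; shells="${5:-/etc/shells}"
    st=$(pam_file_status "$pamfile")
    echo "pam_file=$st"
    # With no service file, Linux-PAM falls back to the "other" service.
    if [ "$st" = missing ]; then return 0; fi
    sh_path=$(user_shell "$1" "$passwd")
    if [ -z "$sh_path" ]; then echo "user_not_found=$1"; return 0; fi
    if uses_pam_shells "$pamfile" && ! shell_listed "$sh_path" "$shells"; then
        echo "shell_not_listed=$sh_path"
    fi
    return 0
}

# Usage: sh check.sh USER SERVICE   (SERVICE is the pam_service_name value)
if [ "$#" -ge 2 ]; then diagnose "$@"; fi
```
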