This article explains why vsftpd may not honor userlist_enable when the PAM configuration file for the ftp service conflicts with it, and how to fix the problem by either modifying or removing that PAM configuration file or changing the pam_service_name option in vsftpd.conf.
If you run vsftpd (Very Secure FTP Daemon) as your FTP server, you may find that the userlist_enable option in vsftpd.conf does not work as expected. This option is supposed to allow or deny access to the users listed in the user_list file, depending on the value of userlist_deny. However, some users have reported that vsftpd ignores the option and allows or denies access to all users regardless of the user_list file.
In this article, we explain why this happens and how to fix it. We also answer some frequently asked questions about vsftpd and userlist_enable.
Table of Contents
- Why vsftpd Does Not Honor userlist_enable
- How to Fix vsftpd Not Honoring userlist_enable
- Solution 1: Modify or Remove the PAM Configuration File for ftp
- Solution 2: Change the pam_service_name Option in vsftpd.conf
- Frequently Asked Questions
- Question: What is the difference between user_list and ftpusers?
- Question: How can I allow or deny access to specific IP addresses or domains?
- Question: How can I enable SSL/TLS encryption for vsftpd?
- Conclusion
Why vsftpd Does Not Honor userlist_enable
The most common reason why vsftpd does not honor userlist_enable is that another option in vsftpd.conf overrides it. That option is pam_service_name, and it specifies the name of the PAM (Pluggable Authentication Modules) service that vsftpd uses for authentication.
PAM is a system that allows applications to use different authentication methods, such as passwords, tokens, biometrics, etc. PAM has its own configuration files that define the rules and modules for each service. By default, vsftpd uses the pam_service_name of ftp, which means it will look for the PAM configuration file named /etc/pam.d/ftp.
The problem is that some Linux distributions, such as Ubuntu and Debian, have a PAM configuration file for ftp that includes a line like this:
auth required pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
This line tells PAM to deny access to any user listed in /etc/ftpusers, regardless of the userlist_enable option in vsftpd.conf. So even if you set userlist_enable=YES and userlist_deny=NO in vsftpd.conf and list some users in the user_list file, those users will still be denied access by PAM if they are also listed in /etc/ftpusers.
Similarly, if you set userlist_enable=YES and userlist_deny=YES in vsftpd.conf and list some users in the user_list file, those users will still be allowed access by PAM if they are not listed in /etc/ftpusers.
Therefore, to make vsftpd honor userlist_enable, you need to either modify or remove the PAM configuration file for ftp, or change the pam_service_name option in vsftpd.conf to a different PAM service that does not conflict with userlist_enable.
How to Fix vsftpd Not Honoring userlist_enable
There are two ways to fix vsftpd not honoring userlist_enable:
Solution 1: Modify or Remove the PAM Configuration File for ftp
The first option is to modify or remove the PAM configuration file for ftp (/etc/pam.d/ftp) so that it does not interfere with userlist_enable. You can do this by commenting out or deleting the line that contains pam_listfile.so, or by changing the sense parameter from deny to allow.
For example, you can comment out the line by adding a # at the beginning:
#auth required pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
Or you can delete the line entirely:
auth required pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
Or you can change the sense parameter from deny to allow:
auth required pam_listfile.so item=user sense=allow file=/etc/ftpusers onerr=succeed
After modifying or removing the line, you need to restart vsftpd for the changes to take effect:
sudo service vsftpd restart
Alternatively, you can rename or delete the entire PAM configuration file for ftp (/etc/pam.d/ftp), but this may affect other applications that use the same PAM service.
Solution 2: Change the pam_service_name Option in vsftpd.conf
The second option is to change the pam_service_name option in vsftpd.conf to a different PAM service that does not conflict with userlist_enable. You can do this by editing vsftpd.conf and changing the value of pam_service_name from ftp to something else, such as vsftpd.
For example, you can change this line:
pam_service_name=ftp
To this line:
pam_service_name=vsftpd
After changing the pam_service_name option, you need to create a new PAM configuration file for vsftpd (/etc/pam.d/vsftpd) and copy the contents of the original PAM configuration file for ftp (/etc/pam.d/ftp) into it, except for the line that contains pam_listfile.so.
For example, you can do this by running these commands:
sudo cp /etc/pam.d/ftp /etc/pam.d/vsftpd
sudo sed -i '/pam_listfile.so/d' /etc/pam.d/vsftpd
Then, you need to restart vsftpd for the changes to take effect:
sudo service vsftpd restart
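Both solutions are a handful of file edits that are easy to get slightly wrong on a live system, so here they are as shell functions, together with a check that reports whether the PAM service named in vsftpd.conf still carries an active pam_listfile rule. This is an added example, not code from the article or from the vsftpd project; it assumes the standard paths /etc/pam.d and /etc/vsftpd.conf but lets you override them with the PAM_DIR and VSFTPD_CONF variables so you can rehearse on constructed copies (as the dry run at the end does) before touching /etc.

```shell
#!/bin/sh
# Added example, not the article's or vsftpd's own code: Solution 1 and
# Solution 2 as functions, plus a check that reports whether the PAM service
# vsftpd.conf names still carries an active pam_listfile rule. PAM_DIR and
# VSFTPD_CONF default to the real paths; pointing them at a scratch copy
# lets you rehearse the change before touching /etc.
PAM_DIR=${PAM_DIR:-/etc/pam.d}
VSFTPD_CONF=${VSFTPD_CONF:-/etc/vsftpd.conf}

# Solution 1: comment out every active pam_listfile.so auth line in $PAM_DIR/ftp.
# Keeps a dated backup; already commented lines are left alone, so it is safe to rerun.
disable_listfile_in_ftp() {
    f="$PAM_DIR/ftp"
    [ -f "$f" ] || { echo "missing $f" >&2; return 1; }
    cp -p "$f" "$f.bak.$(date +%Y%m%d%H%M%S)"
    sed 's/^\([[:space:]]*auth.*pam_listfile\.so.*\)$/#\1/' "$f" > "$f.tmp" &&
        cat "$f.tmp" > "$f" && rm -f "$f.tmp"
}

# Solution 2: derive $PAM_DIR/vsftpd from $PAM_DIR/ftp without the pam_listfile
# line, then point pam_service_name at it (appending the option if absent).
create_vsftpd_service() {
    src="$PAM_DIR/ftp"; dst="$PAM_DIR/vsftpd"
    [ -f "$src" ] || { echo "missing $src" >&2; return 1; }
    grep -v 'pam_listfile\.so' "$src" > "$dst"
    if grep -q '^pam_service_name=' "$VSFTPD_CONF"; then
        sed 's/^pam_service_name=.*/pam_service_name=vsftpd/' "$VSFTPD_CONF" > "$VSFTPD_CONF.tmp" &&
            cat "$VSFTPD_CONF.tmp" > "$VSFTPD_CONF" && rm -f "$VSFTPD_CONF.tmp"
    else
        echo 'pam_service_name=vsftpd' >> "$VSFTPD_CONF"
    fi
}

# check_pam_conflict: prints the service name and one of conflict|clean|missing.
# "missing" matters: when the named service file does not exist, PAM falls back
# to its "other" service, which on most systems denies everything.
check_pam_conflict() {
    svc=$(sed -n 's/^pam_service_name=//p' "$VSFTPD_CONF" | tail -n 1)
    svc=${svc:-ftp}                      # vsftpd's compiled-in default
    if [ ! -f "$PAM_DIR/$svc" ]; then
        echo "$svc missing"
    elif grep -q '^[[:space:]]*auth.*pam_listfile\.so' "$PAM_DIR/$svc"; then
        echo "$svc conflict"
    else
        echo "$svc clean"
    fi
}

# Dry run on constructed copies (sample content, not taken from any real host)
scratch=$(mktemp -d)
trap 'rm -rf "$scratch"' EXIT
PAM_DIR="$scratch/pam.d"; VSFTPD_CONF="$scratch/vsftpd.conf"
mkdir -p "$PAM_DIR"
cat > "$PAM_DIR/ftp" <<'EOF'
auth required pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
@include common-auth
@include common-account
@include common-session
EOF
printf 'listen=YES\npam_service_name=ftp\nuserlist_enable=YES\n' > "$VSFTPD_CONF"

check_pam_conflict            # ftp conflict
create_vsftpd_service         # Solution 2
check_pam_conflict            # vsftpd clean
disable_listfile_in_ftp       # Solution 1, applied to the same copy for illustration
grep -c '^#auth' "$PAM_DIR/ftp"   # 1
```

To use it for real, source the file with PAM_DIR and VSFTPD_CONF unset, run the one function you want, confirm check_pam_conflict reports clean, and then restart vsftpd as the article shows. The backup that Solution 1 leaves beside /etc/pam.d/ftp is what you restore if a login stops working.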
Frequently Asked Questions
Here are some common questions and answers related to vsftpd and userlist_enabled.
Question: What is the difference between user_list and ftpusers?
Answer: user_list and ftpusers are two different files that can be used to control access to vsftpd. user_list is used by the userlist_enable option in vsftpd.conf, while ftpusers is used by the pam_listfile.so module in the PAM configuration file for ftp (/etc/pam.d/ftp).
user_list lets you specify which users are allowed or denied access, based on the value of userlist_deny in vsftpd.conf. ftpusers lets you specify which users are always denied access, regardless of userlist_enable or userlist_deny.
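The interaction between the two files, and between userlist_deny and the pam_listfile sense parameter, is easier to reason about with a small model in front of you. The script below is an added example, not code from the article or from vsftpd: it models the two gates a login passes through (vsftpd's own user_list check, then the pam_listfile rule) and reports whether a given user gets in; the user_list and ftpusers contents are constructed. It also models both values of sense, because pam_listfile with sense=allow refuses every user who is not in the file, so flipping the rule over /etc/ftpusers from deny to allow does not simply disable it.

```shell
#!/bin/sh
# Added example (not code from the article or from vsftpd): a small model of the
# two user-level gates a login passes through, vsftpd's own user_list check and
# the pam_listfile rule in the PAM service file. Sample lists are constructed.

# listed_in USER FILE: exact-line match, the way both vsftpd and pam_listfile compare names
listed_in() {
    grep -qxF -- "$1" "$2" 2>/dev/null
}

# userlist_verdict USER USERLIST_ENABLE USERLIST_DENY USER_LIST_FILE -> allow|deny
# userlist_deny=YES: the file is a deny-list; userlist_deny=NO: it is an allow-list.
userlist_verdict() {
    [ "$2" = YES ] || { echo allow; return 0; }
    if listed_in "$1" "$4"; then
        [ "$3" = YES ] && echo deny || echo allow
    else
        [ "$3" = YES ] && echo allow || echo deny
    fi
}

# pam_listfile_verdict USER SENSE FILE -> allow|deny
# sense=deny refuses the users in FILE; sense=allow refuses everyone NOT in FILE,
# so switching a rule over /etc/ftpusers to sense=allow locks out every normal user.
pam_listfile_verdict() {
    if listed_in "$1" "$3"; then
        [ "$2" = deny ] && echo deny || echo allow
    else
        [ "$2" = deny ] && echo allow || echo deny
    fi
}

# effective_access USER USERLIST_ENABLE USERLIST_DENY USER_LIST_FILE SENSE FTPUSERS_FILE
# A login succeeds only if both gates allow it.
effective_access() {
    [ "$(userlist_verdict "$1" "$2" "$3" "$4")" = allow ] || { echo deny; return 0; }
    pam_listfile_verdict "$1" "$5" "$6"
}

# Constructed sample lists (not taken from any real host)
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
printf '%s\n' alice bob > "$work/user_list"
printf '%s\n' root bob > "$work/ftpusers"

# userlist_deny=NO makes user_list an allow-list, yet bob is still refused
# because /etc/ftpusers names him and pam_listfile runs with sense=deny.
for u in alice bob carol root; do
    printf '%-5s -> %s\n' "$u" "$(effective_access "$u" YES NO "$work/user_list" deny "$work/ftpusers")"
done
# alice -> allow, bob -> deny, carol -> deny, root -> deny
```

Run it with your own copies of user_list and ftpusers to see which gate is refusing a particular account; whichever file names the user is the one to edit.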
Question: How can I allow or deny access to specific IP addresses or domains?
Answer: You can use the tcp_wrappers option in vsftpd.conf to enable TCP wrappers support, which allows you to use the /etc/hosts.allow and /etc/hosts.deny files to control access based on IP addresses or domains.
For example, if you want to allow access only from the IP address 192.168.1.100 and the domain example.com, you can add these lines to /etc/hosts.allow:
vsftpd: 192.168.1.100
vsftpd: .example.com
And if you want to deny access from all other IP addresses and domains, you can add this line to /etc/hosts.deny:
vsftpd: ALL
Question: How can I enable SSL/TLS encryption for vsftpd?
Answer: You can enable SSL/TLS encryption for vsftpd by using the ssl_enable option in vsftpd.conf and providing the necessary certificates and keys.
For example, you can enable SSL/TLS encryption by adding these lines to vsftpd.conf:
ssl_enable=YES
rsa_cert_file=/etc/ssl/certs/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.key
You can generate a self-signed certificate and key by running this command:
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/vsftpd.key -out /etc/ssl/certs/vsftpd.pem
Or you can obtain a certificate and key from a trusted certificate authority (CA) such as Let’s Encrypt.
You can also configure other SSL/TLS options in vsftpd.conf, such as ssl_tlsv1, ssl_sslv2, ssl_sslv3, ssl_ciphers, require_ssl_reuse, allow_anon_ssl, force_local_data_ssl, and force_local_logins_ssl.
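Several of those options default to safe values, and a single stray ssl_sslv3=YES or force_local_logins_ssl=NO undoes the protection that ssl_enable=YES is meant to give. The audit script below is an added example, not from the article or the vsftpd project: it reads a vsftpd.conf, fills in the defaults documented in vsftpd.conf(5) for any option that is absent, and prints one finding per weak setting. The weak and hardened sample configs are constructed, and show the same file before and after correction.

```shell
#!/bin/sh
# Added example, not from the article or the vsftpd project: audit the TLS
# options in a vsftpd.conf. When an option is absent, the defaults from
# vsftpd.conf(5) are assumed: ssl_enable=NO, ssl_sslv2=NO, ssl_sslv3=NO,
# force_local_logins_ssl=YES, force_local_data_ssl=YES, allow_anon_ssl=NO.
# The sample configs below are constructed.

# conf_get FILE KEY DEFAULT: value of the last KEY=value line, or DEFAULT
conf_get() {
    v=$(sed -n "s/^$2=//p" "$1" | tail -n 1)
    printf '%s\n' "${v:-$3}"
}

# audit_tls_conf FILE: one finding per line, nothing when the file is clean
audit_tls_conf() {
    f=$1
    if [ "$(conf_get "$f" ssl_enable NO)" != YES ]; then
        echo "ssl_enable is not YES: logins and transfers travel in clear text"
        return 0
    fi
    [ "$(conf_get "$f" ssl_sslv2 NO)" = NO ] || echo "ssl_sslv2=YES: SSLv2 is broken, set NO"
    [ "$(conf_get "$f" ssl_sslv3 NO)" = NO ] || echo "ssl_sslv3=YES: SSLv3 is broken (POODLE), set NO"
    [ "$(conf_get "$f" force_local_logins_ssl YES)" = YES ] || echo "force_local_logins_ssl=NO: passwords may be sent unencrypted"
    [ "$(conf_get "$f" force_local_data_ssl YES)" = YES ] || echo "force_local_data_ssl=NO: file data may be sent unencrypted"
    [ "$(conf_get "$f" allow_anon_ssl NO)" = NO ] || echo "allow_anon_ssl=YES: confirm anonymous TLS sessions are intended"
    return 0
}

# tls_finding_count FILE: number of findings, convenient for scripts
tls_finding_count() {
    audit_tls_conf "$1" | awk 'END { print NR }'
}

scratch=$(mktemp -d)
trap 'rm -rf "$scratch"' EXIT
# Weak: legacy protocols switched on, and clients may log in without TLS
cat > "$scratch/weak.conf" <<'EOF'
ssl_enable=YES
ssl_sslv2=YES
ssl_sslv3=YES
force_local_logins_ssl=NO
rsa_cert_file=/etc/ssl/certs/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.key
EOF
# Corrected: the same file with the legacy protocols off and TLS mandatory
cat > "$scratch/hardened.conf" <<'EOF'
ssl_enable=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
force_local_logins_ssl=YES
force_local_data_ssl=YES
rsa_cert_file=/etc/ssl/certs/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.key
EOF

audit_tls_conf "$scratch/weak.conf"          # three findings
audit_tls_conf "$scratch/hardened.conf"      # no output
```

Point audit_tls_conf at /etc/vsftpd.conf after any change to the SSL/TLS options; an empty result means the file matches the hardened sample's settings for the options the script knows about.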
Conclusion
We hope this article has helped you understand why vsftpd may not honor userlist_enable and how to fix it. If you have any questions or feedback, please leave a comment below. And if you found this article useful, please share it with your friends and colleagues who may benefit from it. Thanks for reading!