VSFTPD 530 Login Incorrect Error: PAM Authentication Troubleshooting Guide for CentOS



When your vsftpd server keeps rejecting valid credentials with "530 Login incorrect", the root cause typically lies in PAM (Pluggable Authentication Modules) configuration. Let's dissect this specific CentOS 5.3 case where local user authentication fails despite correct credentials.

The vsftpd.conf shows standard settings:

local_enable=YES
write_enable=YES
pam_service_name=vsftpd
chroot_local_user=YES
# ... other settings ...

Yet the logs reveal PAM authentication failures:

pam_unix(vsftpd:auth): authentication failure
[pid 19242] [dwelch] FAIL LOGIN: Client "10.0.1.138"

The /etc/pam.d/vsftpd file contains potential red flags:

auth required pam_shells.so
auth required pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers

Two immediate verification steps:

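# Check if user's shell is in /etc/shells (exact whole-line match; no output means pam_shells.so rejects the login)
grep -Fx "$(getent passwd dwelch | cut -d: -f7)" /etc/shells

# Verify user isn't blocked in ftpusers (whole-line match; any output means pam_listfile.so rejects the login)
grep -x dwelch /etc/vsftpd/ftpusers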

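Solution 1: Shell Validation Bypass
For FTP-only users who do not need shell access, set the shell to /sbin/nologin and list it in /etc/shells so that pam_shells.so accepts it. /etc/shells is system-wide, so every PAM service that uses pam_shells.so will accept nologin accounts afterwards:

usermod -s /sbin/nologin dwelch
# Append only if the entry is not already present
grep -qFx /sbin/nologin /etc/shells || echo "/sbin/nologin" >> /etc/shells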

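Solution 2: PAM Configuration Adjustment
Modify /etc/pam.d/vsftpd. Keep pam_listfile.so and pam_shells.so as required: marked sufficient, either one would end the auth stack with success before system-auth checks the password.

#%PAM-1.0
auth required pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
# Comment out the next line only if FTP users must log in with a shell that is not in /etc/shells
auth required pam_shells.so
auth include system-auth
account include system-auth
session include system-auth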
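Why the control flag on the pam_listfile.so and pam_shells.so lines matters, as an added example that is not part of the original guide: a simplified Python model of PAM's required, requisite and sufficient semantics. The account, password, deny list and shells list are constructed, and system-auth is assumed to flatten to a sufficient pam_unix followed by a required pam_deny.

```python
# Added example: simplified model of Linux-PAM control flags for an auth stack.
# Module results are supplied as booleans; "include" lines are flattened by hand.

def evaluate(stack, outcome):
    """Return True if the auth stack grants access.

    stack   -- list of (control, module) pairs in file order
    outcome -- dict mapping module name to True (success) or False (failure)
    """
    status = None                      # None = undecided, True = ok, False = failed
    for control, module in stack:
        ok = outcome[module]
        if control == "required":
            if not ok:
                status = False         # remembered; later modules still run
            elif status is None:
                status = True
        elif control == "requisite":
            if not ok:
                return False           # failure ends the stack immediately
            if status is None:
                status = True
        elif control == "sufficient":
            if ok and status is not False:
                return True            # success ends the stack immediately
        # a failed "sufficient" and any "optional" module leave the result alone
    return status is True

def outcomes(user, password):
    """Module results on a constructed system (sample data, not from the page)."""
    accounts = {"dwelch": {"shell": "/bin/bash", "password": "correct-horse"}}
    ftpusers = {"root", "bin", "daemon"}   # deny list read by pam_listfile
    shells = {"/bin/sh", "/bin/bash"}      # stand-in for /etc/shells
    acct = accounts.get(user)
    return {
        "pam_listfile": user not in ftpusers,   # sense=deny: listed users fail
        "pam_shells": acct is not None and acct["shell"] in shells,
        "pam_unix": acct is not None and acct["password"] == password,
        "pam_deny": False,                       # always fails
    }

# Assumed flattening of "auth include system-auth"
SYSTEM_AUTH = [("sufficient", "pam_unix"), ("required", "pam_deny")]
WEAK = [("sufficient", "pam_listfile"), ("sufficient", "pam_shells")] + SYSTEM_AUTH
HARDENED = [("required", "pam_listfile"), ("required", "pam_shells")] + SYSTEM_AUTH
```

With the WEAK stack, `evaluate(WEAK, outcomes("dwelch", "wrong"))` grants access because pam_listfile succeeds for any user who is not on the deny list; the HARDENED stack reaches pam_unix and denies it.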

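Enable verbose PAM logging. debug is a module argument that goes after the module name, not a control flag, and pam_listfile.so and pam_shells.so do not document one. pam_unix.so, the module that reports the failure in the log above, does; append it to the pam_unix.so auth line that /etc/pam.d/vsftpd reaches through system-auth, for example:

auth sufficient pam_unix.so nullok try_first_pass debug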

Check SELinux context (critical for CentOS):

ls -Z /etc/vsftpd/ftpusers
restorecon -v /etc/vsftpd/ftpusers

If PAM proves problematic, consider virtual users:

# In vsftpd.conf
pam_service_name=vsftpd_virtual
guest_enable=YES
guest_username=virtual
user_config_dir=/etc/vsftpd/user_conf

Create corresponding PAM file at /etc/pam.d/vsftpd_virtual:

auth required pam_userdb.so db=/etc/vsftpd/virtual_users
account required pam_userdb.so db=/etc/vsftpd/virtual_users

When encountering the "530 Login incorrect" error in VSFTPD, we need to examine the complete authentication chain. The logs show PAM is rejecting the credentials, despite the user existing in the system. Here's the complete diagnostic approach:

# Check if user exists in system
getent passwd dwelch

# Show the user's login shell (last passwd field, typically /bin/bash)
getent passwd dwelch | cut -d: -f7

# Check if shell is listed in /etc/shells (exact whole-line match)
grep -Fx "/bin/bash" /etc/shells

The vsftpd.conf shown appears correct, but these additional checks are crucial:

# Verify SELinux status (common blocker)
sestatus

# Check for home directory permissions
ls -ld /home/dwelch

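# Important vsftpd.conf additions often needed.
# Comments must sit on their own line; vsftpd reads everything after "=" as the value.
# allow_writeable_chroot turns off vsftpd's refusal to chroot into a writable directory.
allow_writeable_chroot=YES
# For newer CentOS versions
seccomp_sandbox=NO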

The /etc/pam.d/vsftpd file needs special attention. Try this version, in which every auth module is required or requisite, so a passing shell or deny-list check never substitutes for the password check:

#%PAM-1.0
auth       required     pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
auth       required     pam_shells.so
auth       requisite    pam_succeed_if.so uid >= 500 quiet
# Password check; must not be "sufficient" unless a pam_deny.so line follows it
auth       required     pam_unix.so nullok try_first_pass
account    required     pam_unix.so
session    required     pam_unix.so
session    optional     pam_keyinit.so force revoke

Enable detailed debugging in /etc/vsftpd/vsftpd.conf:

debug_ssl=YES
log_ftp_protocol=YES
syslog_enable=YES
dual_log_enable=YES
vsftpd_log_file=/var/log/vsftpd.log

Even with correct authentication, firewall rules and passive-mode settings can block access:

# Check active firewall rules
iptables -L -n

# Verify passive mode ports in vsftpd.conf (if used); the firewall must allow this range
pasv_min_port=40000
pasv_max_port=50000
pasv_address=your.server.ip

If PAM continues causing issues, consider virtual users:

# Create password file (alternating lines: username, then that user's password)
touch /etc/vsftpd/virtual-users.txt
chmod 600 /etc/vsftpd/virtual-users.txt

# Generate DB file
db_load -T -t hash -f /etc/vsftpd/virtual-users.txt /etc/vsftpd/virtual-users.db

# Update PAM config to use:
auth required pam_userdb.so db=/etc/vsftpd/virtual-users
account required pam_userdb.so db=/etc/vsftpd/virtual-users