When configuring vsftpd for restricted FTP access, many admins encounter authentication failures after setting /usr/sbin/nologin as the user shell. The server rejects valid credentials with "530 Login incorrect" despite correct password entry.
vsftpd refuses a local login whose shell is not listed in /etc/shells. On the PAM-enabled builds that distributions ship, that check is performed by the pam_shells.so module in the vsftpd PAM stack (Debian and Ubuntu install /etc/pam.d/vsftpd with an "auth required pam_shells.so" line); vsftpd's own check_shell directive is honoured only by builds compiled without PAM support. The configuration parameters involved are:
# /etc/vsftpd.conf critical directives
# vsftpd does not accept a trailing comment on a directive line; keep comments on their own lines
# PAM service name: selects /etc/pam.d/vsftpd
pam_service_name=vsftpd
# Default YES; only has an effect on non-PAM builds
check_shell=YES
Method 1: Modify Shell Whitelist
Edit /etc/shells to include nologin. This fix works on every build, because pam_shells.so and vsftpd's built-in check consult the same file. It is also global: every program that consults /etc/shells (chsh, other pam_shells-protected services) will then treat nologin accounts as having a valid login shell, so if only vsftpd should accept them, comment out the pam_shells.so line in /etc/pam.d/vsftpd instead.
# Add to /etc/shells
/usr/sbin/nologin
/bin/false
Method 2: Disable Shell Checking
check_shell=NO only affects vsftpd binaries built without PAM. If /etc/pam.d/vsftpd exists and contains a pam_shells.so line, that module does the rejecting and the directive changes nothing; the equivalent on a PAM build is to comment out the pam_shells.so line in /etc/pam.d/vsftpd, which confines the relaxation to vsftpd rather than every consumer of /etc/shells.
# Add to vsftpd.conf (non-PAM builds only)
check_shell=NO
Method 3: Alternative Restricted Shell
Switching the account to /bin/false changes nothing by itself: /bin/false is not listed in /etc/shells on a default Debian or Ubuntu install either, so the same check fails. It only helps on systems where /bin/false is already listed, or once it has been added as in Method 1.
usermod -s /bin/false username
# Sample working configuration (comments must stay on their own lines)
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_file=/var/log/vsftpd.log
xferlog_std_format=YES
# Confine local users to their home directory
chroot_local_user=YES
# Not needed with the root-owned home directory created below; leave it off
# so vsftpd keeps refusing to chroot into a directory the user can write to
#allow_writeable_chroot=YES
pam_service_name=vsftpd
# /etc/vsftpd.user_list is a deny list unless userlist_deny=NO is also set
userlist_enable=YES
tcp_wrappers=YES
# No effect on PAM builds; there, remove pam_shells.so from /etc/pam.d/vsftpd
# or extend /etc/shells instead
check_shell=NO
# Create secure FTP user setup: home owned by root so the chroot root is
# read-only for the user, plus a user-owned uploads directory
groupadd ftpusers
# useradd without -m does not create the home directory
mkdir -p /srv/ftp
useradd -d /srv/ftp -g ftpusers -s /usr/sbin/nologin ftpuser
passwd ftpuser
chown root:root /srv/ftp
chmod 755 /srv/ftp
mkdir /srv/ftp/uploads
chown ftpuser:ftpusers /srv/ftp/uploads
chmod 755 /srv/ftp/uploads
Enable verbose logging to identify authentication failures. log_ftp_protocol=YES records every command and reply, but only when xferlog_std_format is not enabled (set it to NO, or add dual_log_enable=YES and vsftpd_log_file=/var/log/vsftpd.log to keep both formats); debug_ssl=YES only adds TLS handshake detail and does nothing for a plaintext 530:
# Add to vsftpd.conf
log_ftp_protocol=YES
# Only useful when ssl_enable=YES
debug_ssl=YES
Check the PAM side in the system authentication log (/var/log/auth.log on Debian and Ubuntu, /var/log/secure on RHEL-family systems). A wrong password appears there as a pam_unix authentication failure for the vsftpd service; a shell rejection after a correct password leaves a FAIL LOGIN in the vsftpd log with no matching pam_unix failure:
tail -f /var/log/auth.log
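The following script is an added example (not vsftpd's code and not part of the original page) that applies the distinction just described to log files: it counts FAIL LOGIN lines per user in vsftpd's native log and pam_unix authentication failures per user in the auth log, and reports users whose failed logins are not explained by a bad password. It assumes vsftpd's native log line format (xferlog_std_format=NO or dual_log_enable=YES) and the standard pam_unix failure line; the sample log lines it writes are constructed, not captured.

```shell
#!/bin/sh
# vsftpd_login_failures.sh (added example, not vsftpd's own code): correlate
# "FAIL LOGIN" lines from vsftpd's native log with pam_unix authentication
# failures from the system auth log. A user whose FAIL LOGIN count exceeds the
# pam_unix failure count was rejected after the password stage, i.e. by an
# account or shell check such as pam_shells.so, not by a bad password.
# Assumes vsftpd's native log format (xferlog_std_format=NO or
# dual_log_enable=YES) and the standard pam_unix failure line.

# login_failure_report VSFTPD_LOG AUTH_LOG
# Prints one line per failing user: "<user> <fail_logins> <pam_failures> <verdict>"
login_failure_report() {
    awk -v vlog="$1" '
        # vsftpd native log: ... [pid N] [user] FAIL LOGIN: Client "a.b.c.d"
        FILENAME == vlog && index($0, "FAIL LOGIN: Client") > 0 {
            for (i = 2; i <= NF; i++) if ($i == "FAIL") { u = $(i - 1); break }
            sub(/^\[/, "", u); sub(/\]$/, "", u)
            fail[u]++
            next
        }
        # auth log: ... pam_unix(vsftpd:auth): authentication failure; ... user=<name>
        FILENAME != vlog && /pam_unix\(vsftpd:auth\): authentication failure/ {
            for (i = 1; i <= NF; i++) if ($i ~ /^user=/) pam[substr($i, 6)]++
        }
        END {
            for (u in fail) {
                p = (u in pam) ? pam[u] : 0
                v = (fail[u] > p) ? "shell-or-account-check" : "bad-password"
                printf "%s %d %d %s\n", u, fail[u], p, v
            }
        }' "$1" "$2"
}

# write_sample_logs DIR: constructed sample lines (not real captures) showing
# ftpuser rejected twice with a correct password and alice once with a wrong one.
write_sample_logs() {
    cat > "$1/vsftpd.log" <<'EOF'
Thu Sep 12 10:00:01 2024 [pid 1201] CONNECT: Client "192.0.2.10"
Thu Sep 12 10:00:03 2024 [pid 1200] [ftpuser] FAIL LOGIN: Client "192.0.2.10"
Thu Sep 12 10:00:09 2024 [pid 1200] [ftpuser] FAIL LOGIN: Client "192.0.2.10"
Thu Sep 12 10:01:00 2024 [pid 1200] [alice] FAIL LOGIN: Client "198.51.100.7"
Thu Sep 12 10:01:05 2024 [pid 1200] [alice] OK LOGIN: Client "198.51.100.7"
EOF
    cat > "$1/auth.log" <<'EOF'
Sep 12 10:01:00 ftp1 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=alice rhost=198.51.100.7  user=alice
EOF
}

# Usage: ./vsftpd_login_failures.sh /var/log/vsftpd.log /var/log/auth.log
# With no arguments, run on the constructed sample.
if [ $# -eq 2 ]; then
    login_failure_report "$1" "$2"
else
    tmp=$(mktemp -d)
    write_sample_logs "$tmp"
    login_failure_report "$tmp/vsftpd.log" "$tmp/auth.log"
    rm -rf "$tmp"
fi
```

On the constructed sample, ftpuser shows two failed logins and zero pam_unix failures (verdict shell-or-account-check), while alice shows one of each (bad-password). The verdict only separates the password stage from the later checks; which later check fired (pam_shells.so, userlist, a refused chroot) still has to be confirmed from the PAM stack and vsftpd.conf.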
When configuring vsftpd to work with system users who have /usr/sbin/nologin as their shell, you might encounter login failures despite correct credentials. This happens because the user's login shell is validated against /etc/shells before the login is accepted, and users with restricted shells fail that validation.
On the PAM builds that distributions ship, the check lives in /etc/pam.d/vsftpd as the pam_shells.so module, which fails the authentication stack when the shell is not listed in /etc/shells. /usr/sbin/nologin is not in that list by default, so the login ends with 530 even though the password was right.
Here's the relevant debug output showing the failure:
Response: 220 Welcome to FTP Service
Command: USER ftpuser
Response: 331 Please specify the password
Command: PASS ******
Response: 530 Login incorrect
To resolve this, we need to change the configuration to either:
- Add /usr/sbin/nologin to the valid shells list
- Disable shell validation for vsftpd
Edit /etc/shells to include the nologin shell:
# echo "/usr/sbin/nologin" >> /etc/shells
Alternatively, disable the check. For a vsftpd built without PAM, add the following directive to /etc/vsftpd.conf; on a PAM build this directive is ignored and the pam_shells.so line must be commented out in /etc/pam.d/vsftpd instead:
# Disable shell verification (non-PAM builds only)
check_shell=NO
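Because the right fix depends on whether pam_shells.so or check_shell is doing the rejecting, it helps to reproduce the check locally. The script below is an added example (not vsftpd's code and not from the original page) that serves both the three methods listed earlier and the two fixes just described: it repeats the shell lookup that pam_shells.so and the built-in check perform, looks for an active pam_shells.so line, checks whether the installed binary links libpam, and prints which change would actually let the user in. Paths default to the Debian/Ubuntu locations; the SHELLS_FILE, PAM_FILE and VSFTPD_CONF variables are this script's own and exist so the checks can be run against copies.

```shell
#!/bin/sh
# vsftpd_shell_check.sh (added example, not vsftpd's own code): reproduce the
# login-shell check that turns a correct password into "530 Login incorrect"
# and report which fix applies on this host.
# Paths default to Debian/Ubuntu locations; override them to test copies.
SHELLS_FILE="${SHELLS_FILE:-/etc/shells}"
PAM_FILE="${PAM_FILE:-/etc/pam.d/vsftpd}"
VSFTPD_CONF="${VSFTPD_CONF:-/etc/vsftpd.conf}"

# shell_is_listed SHELL FILE
# The test pam_shells.so and vsftpd's built-in check_shell both make: the
# shell must appear as a complete line in FILE. Blank lines and '#'
# comments are ignored; an empty shell never passes.
shell_is_listed() {
    [ -n "$1" ] || return 1
    grep -v '^[[:space:]]*#' "$2" 2>/dev/null | grep -qxF -- "$1"
}

# pam_enforces_shells FILE
# True when the vsftpd PAM stack has an active (uncommented) pam_shells.so
# line. On PAM builds this line, not check_shell, rejects nologin users.
pam_enforces_shells() {
    grep -Eq '^[[:space:]]*(auth|account)[[:space:]].*pam_shells\.so' "$1" 2>/dev/null
}

# vsftpd_uses_pam: true when the installed binary links libpam (PAM build).
vsftpd_uses_pam() {
    bin=$(command -v vsftpd 2>/dev/null || echo /usr/sbin/vsftpd)
    ldd "$bin" 2>/dev/null | grep -q libpam
}

# conf_value KEY FILE: value of a vsftpd.conf directive (last occurrence),
# empty if unset or the file is missing.
conf_value() {
    grep -E "^[[:space:]]*$1=" "$2" 2>/dev/null | tail -n 1 | cut -d= -f2- | tr -d '[:space:]'
}

# diagnose USER
# Exit status: 0 = the shell check passes (look elsewhere for the 530),
# 1 = the shell check rejects USER, 2 = no such user.
diagnose() {
    entry=$(getent passwd "$1") || { echo "no such user: $1"; return 2; }
    shell=${entry##*:}
    echo "login shell of $1: ${shell:-<empty>}"
    if shell_is_listed "$shell" "$SHELLS_FILE"; then
        echo "OK: listed in $SHELLS_FILE; the 530 is not the shell check"
        echo "    (check the password, userlist_enable and the chroot next)"
        return 0
    fi
    echo "NOT listed in $SHELLS_FILE"
    if pam_enforces_shells "$PAM_FILE"; then
        echo "pam_shells.so is active in $PAM_FILE, so check_shell" \
             "(currently '$(conf_value check_shell "$VSFTPD_CONF")') is ignored."
        echo "Fix: add $shell to $SHELLS_FILE, or comment out pam_shells.so in $PAM_FILE."
        return 1
    fi
    if vsftpd_uses_pam; then
        echo "PAM build without pam_shells.so: the shell is never checked; the 530 has another cause."
        return 0
    fi
    if [ "$(conf_value check_shell "$VSFTPD_CONF")" = "NO" ]; then
        echo "Non-PAM build with check_shell=NO: the shell is not checked; the 530 has another cause."
        return 0
    fi
    echo "Non-PAM build with the built-in check on. Fix: add $shell to $SHELLS_FILE, or set check_shell=NO."
    return 1
}

# Usage: ./vsftpd_shell_check.sh ftpuser
if [ -n "${1:-}" ]; then
    diagnose "$1"
fi
```

Run it as "./vsftpd_shell_check.sh ftpuser" on the FTP host. The pam_shells detection only recognises a plain "auth"/"account" line naming pam_shells.so in the vsftpd stack; a stack that reaches the module through an @include will need that included file checked the same way.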
Here's a working configuration for FTP-only users (comments must stay on their own lines):
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_file=/var/log/vsftpd.log
xferlog_std_format=YES
chroot_local_user=YES
# Required only because the user setup below makes the chroot root writable by
# the user; a root-owned home with a writable subdirectory lets you leave it off
allow_writeable_chroot=YES
secure_chroot_dir=/var/run/vsftpd/empty
pam_service_name=vsftpd
# Certificate paths are ignored while ssl_enable=NO
rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
ssl_enable=NO
# Ignored on PAM builds; there the pam_shells.so line in /etc/pam.d/vsftpd decides
check_shell=NO
When creating FTP-only users:
# Group for FTP-only accounts (the useradd below assumes it exists)
sudo groupadd slftp
# Home directory must exist; useradd without -m does not create it
sudo mkdir -p /srv/ftp
# Create user with nologin shell and proper home directory
sudo useradd -d /srv/ftp -s /usr/sbin/nologin -G slftp ftpuser
# Set password
sudo passwd ftpuser
# Set directory permissions. Owned by the user, this directory is writable
# inside the chroot, which vsftpd refuses unless allow_writeable_chroot=YES;
# a root-owned home with a user-owned subdirectory avoids needing that setting
sudo chown ftpuser:slftp /srv/ftp
sudo chmod 750 /srv/ftp
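Both user setups on this page hinge on one property: with chroot_local_user=YES, vsftpd refuses to chroot into a directory the user can write to unless allow_writeable_chroot=YES is set. The script below is an added example (not vsftpd's code and not part of the original page) that builds the safer layout from the first setup, a root-owned home with a user-owned uploads directory, and verifies it; its writability test approximates the access(2) check with owner, group and other permission bits only (ACLs and supplementary groups are ignored), and it relies on GNU/busybox "stat -c".

```shell
#!/bin/sh
# ftp_chroot_layout.sh (added example, not vsftpd's own code): build and verify
# the directory layout a chrooted vsftpd local user needs: a home that the user
# cannot write to, so vsftpd does not refuse the chroot, plus a writable upload
# subdirectory. The writability test approximates the access(2) check vsftpd
# performs, using the owner/group/other bits only (no ACLs, no supplementary
# groups). Needs a stat that understands -c (GNU coreutils or busybox).

# writable_by DIR UID GID: 0 if a process running as UID/GID could write DIR,
# 1 if not, 2 if DIR cannot be stat'ed.
writable_by() {
    info=$(stat -c '%u %g %a' "$1") || return 2
    uid=$2 gid=$3
    set -- $info
    owner=$1 group=$2 mode=$3
    # %a prints e.g. 755 or 1777; drop a leading setuid/setgid/sticky digit
    case $mode in ????) mode=${mode#?} ;; esac
    u=${mode%??} go=${mode#?}
    g=${go%?} o=${go#?}
    # Same precedence as access(2): owner bits if the owner matches, else
    # group bits if the group matches, else other bits.
    if [ "$owner" = "$uid" ]; then
        [ $((u & 2)) -ne 0 ] && return 0 || return 1
    fi
    if [ "$group" = "$gid" ]; then
        [ $((g & 2)) -ne 0 ] && return 0 || return 1
    fi
    [ $((o & 2)) -ne 0 ] && return 0 || return 1
}

# layout_check ROOT UPLOAD UID GID
# 0 = layout is what chroot_local_user=YES needs, 1 = a problem was found.
layout_check() {
    rc=0
    if [ ! -d "$1" ]; then
        echo "PROBLEM: chroot root $1 does not exist"
        return 1
    fi
    if writable_by "$1" "$3" "$4"; then
        echo "PROBLEM: $1 is writable by uid $3; vsftpd refuses the chroot"
        echo "         (allow_writeable_chroot=YES would silence it by removing the safeguard)"
        rc=1
    fi
    if [ ! -d "$2" ]; then
        echo "PROBLEM: upload directory $2 does not exist"
        rc=1
    elif ! writable_by "$2" "$3" "$4"; then
        echo "PROBLEM: $2 is not writable by uid $3; uploads would fail"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK: $1 is read-only for uid $3 and $2 is writable"
    fi
    return "$rc"
}

# setup_layout ROOT USER GROUP: create the tree (run as root) and verify it.
setup_layout() {
    mkdir -p "$1/uploads"
    chown root:root "$1" && chmod 755 "$1"
    chown "$2:$3" "$1/uploads" && chmod 755 "$1/uploads"
    layout_check "$1" "$1/uploads" "$(id -u "$2")" "$(id -g "$2")"
}

# Usage (as root, after the user exists): ./ftp_chroot_layout.sh /srv/ftp ftpuser ftpusers
if [ $# -eq 3 ]; then
    setup_layout "$1" "$2" "$3"
fi
```

Running layout_check against a home that the FTP user owns (as in the second setup above) reports the writable root, which is exactly the case that needs allow_writeable_chroot=YES; moving ownership of the home to root and keeping the writable directory one level down makes the check pass and lets that directive be dropped.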
After making changes, restart vsftpd and test:
sudo systemctl restart vsftpd
ftp localhost
You should now be able to authenticate successfully with users having /usr/sbin/nologin as their shell.