8

According to the Wiki here, you can only allow certain users to log in over FTP using the following configuration in your /etc/vsftp.conf file:

userlist_enable=YES
userlist_file=/etc/vsftp.user_list
userlist_deny=NO

I've configured my system to use this configuration, and I only have one user which I'd like to expose over FTP named streams, so my /etc/vsftp.user_list looks like this:

streams

Interestingly enough, I cannot log in once I enable the user list. If I change userlist_enable to NO, then things work properly, but if I enable it, I can't log in at all; it just keeps trying to reconnect. I don't get a login failed message; it just keeps trying to reconnect when using lftp.

My /etc/vsftp.conf file is available on Pastebin here and my /etc/vsftp.user_list is available here.

What am I doing wrong here? I'd just like to only make the streams user able to log in.

Castaglia
Naftuli Kay

2 Answers

3

A cursory glance doesn't show anything wrong with your config file... the problem may lie elsewhere.

You've probably already tried this but it might be worth checking the following:

  • Make sure that whatever user vsftpd is running as has the appropriate privileges on /etc/vsftp.user_list. You don't have your own non-privileged user configured with the nopriv_user directive, but the default is nobody.
  • Try commenting out the chroot_local_users directive to see if there is an issue with chroot-ing.
  • Have you restarted the vsftpd process after making changes? A common Doh! sysadmin moment for me is I make the config changes but forget to HUP to the process... (embarrassing, yes I know).
  • Try running vsftpd directly from the command line so any errors go to STDERR.
  • Have you configured your user streams to have /bin/false as a login shell? Try using /bin/nologin instead. /bin/false will prevent that user from logging in at all.
  • As a last resort consider using PAM and virtual users.
Valerio Bozzolan
1

I may be late, but I figured this out. I ran into this issue while configuring mine. Uncomment the following line in the config file:

#local_enable=YES *Change To* local_enable=YES

Mark Henderson
warren
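An added example, not code from the question or from either answer: a small Python check that reads a vsftpd config and user list and reports why an allow-list-only setup for one account would not behave as intended, covering the userlist options from the question and the local_enable line from the second answer. The sample config and user list are constructed, and the helper names (parse_conf, is_yes, audit) are hypothetical.

```python
# Added example; option names and defaults are vsftpd's, sample data is constructed.
DEFAULTS = {"local_enable": "NO", "userlist_enable": "NO",
            "userlist_deny": "YES", "userlist_file": "/etc/vsftpd.user_list"}

SAMPLE_CONF = """\
# constructed sample, not the asker's real file
listen=YES
#local_enable=YES
userlist_enable=YES
userlist_file=/etc/vsftp.user_list
userlist_deny=NO
"""
SAMPLE_USERLIST = "streams\n"  # constructed


def parse_conf(text):
    """Return effective options: defaults overridden by option=value lines."""
    opts = dict(DEFAULTS)
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            opts[key] = value
    return opts


def is_yes(value):
    # Simplification: only YES (any case) counts as enabled here.
    return value.upper() == "YES"


def audit(conf_text, userlist_text, user):
    """List config problems for an allow-list setup in which `user` must log in."""
    opts = parse_conf(conf_text)
    listed = {n.strip() for n in userlist_text.splitlines() if n.strip()}
    findings = []
    if not is_yes(opts["local_enable"]):
        findings.append("local_enable is not YES: local accounts cannot log in")
    if not is_yes(opts["userlist_enable"]):
        findings.append("userlist_enable is not YES: the user list is ignored")
    elif is_yes(opts["userlist_deny"]):
        findings.append("userlist_deny is YES: the file is a deny list, "
                        "so unlisted accounts are still allowed")
    elif user not in listed:
        findings.append(f"{user} is not in {opts['userlist_file']}: login refused")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF, SAMPLE_USERLIST, "streams"):
        print("FINDING:", finding)
```

Because userlist_deny defaults to YES, leaving out userlist_deny=NO turns the intended allow list into a deny list, which the third check reports.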