Hello,

I have created multiple users that do not have the ability to login to the bash shell but should be able to login to ftp sessions.

I have an older RHEL 7.2 server that is set up identical to our new RHEL 8.7 server, the users and home directories and permissions etc are all identical. (as far as I am aware)

I have even created a new additional testuser just to confirm this is not working for any of the created users. I am not sure if there is some new security implementation on RHEL 8.7 that is preventing this or what. Any suggestions would be greatly appreciated.


Example of CLI I/O below:

[root@hostname~]# useradd -d /file/path/Testuser -s /dev/null testuser
[root@hostname~]# passwd testuser
Changing password for user testuser.
New password:
BAD PASSWORD: The password is shorter than 8 characters
Retype new password:
passwd: all authentication tokens updated successfully.


Attempt to test ftp session logon ability:

[root@hostname ~]# ftp hostname
Connected to hostname (xxx.xx.xxx.xx).
220 (vsFTPd 3.0.3)
Name (hostname:root): testuser
331 Please specify the password.
Password:
530 Login incorrect.
Login failed.

The password is 100% for certain being entered correctly but also was flagged as "BAD PASSWORD" but allowed me to complete the commands and they seemed to be accepted and applied.

/etc/passwd entry for testuser

testuser:x:1009:1009::/file/path/Testuser:/dev/null

So what other logs have you checked?

Not many, any specific logs you would suggest checking?

Thank you.

If you don't know where ftp and authentication logs are then just look at everything in /var/log

was not able to find anything relating to vsftpd in /var/log

journalctl | grep vsftpd

Mar 04 12:09:33 vsftpd[229080]: pam_winbind(vsftpd:auth): getting password (0x00000380)
Mar 04 12:09:33 vsftpd[229080]: pam_winbind(vsftpd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_USER_UNKNOWN (10), NTSTATUS: NT_STATUS_NO_SUCH_USER, Error message was: The specified account does not exist.
Mar 04 12:09:33 vsftpd[229080]: pam_winbind(vsftpd:auth): getting password (0x00000390)
Mar 04 12:09:33 vsftpd[229080]: pam_winbind(vsftpd:auth): pam_get_item returned a password
Mar 04 12:09:33 vsftpd[229080]: pam_winbind(vsftpd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_USER_UNKNOWN (10), NTSTATUS: NT_STATUS_NO_SUCH_USER, Error message was: The specified account does not exist.

Makes no sense to me how the error can be that the account does not exist when it most definitely does.

Proftpd can use passwd maps that are not the system passwd file (similar to Apache's basic auth). You might want to look at that, or anonymous login. I'm guessing the config won't just let any user you make up login willy-nilly, so probably you'll have to change the config file as well. It's like that in proftpd (which is what I'm familiar with).

Have you examined the VSFTP documentation on creating and authenticating virtual accounts? you do not need an OS account at all, if they are only getting FTP access.

PS: you can do this for SFTP access in the SSHD configuration if you want to support SFTP directly, but that DOES require a real OS account.

I have done both, but a decade or more ago and I have not had coffee yet today....

1 members found this post helpful.

A login shell /dev/null might prevent from all system access.
Change it to /sbin/nologin

Some ftpd versions also require /sbin/nologin in /etc/shells

Looks like it looks for AD user, not a local one. What pam_service_name is configured for vsftpd?

1 members found this post helpful.

Thanks for all the responses guys.

I figured it out with the assistance of ChatGPT, using the Journalctl | grep vsftpd

ChatGPT identified based on the log output that the vsftpd service was using Pluggable Authentication Modules (PAM) and winbind to authenticate.

Checking the PAM config file for vsftpd located at: nano /etc/pam.d/vsftpd

commented out these two lines

auth required pam_unix.so
account required pam_unix.so

systemctl restart vsftpd

Boom like magic it works.