The Problem
A vsftpd server was freshly installed and started, but certain users cannot log in and get the error shown below.

# service vsftpd status
vsftpd (pid 5806) is running...

# ftp localhost
Connected to localhost.localdomain.
220 (vsFTPd 2.0.5)
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (localhost:oracle): user
530 Permission denied.
Login failed.
The Solution
The cause is that when the parameter userlist_enable in /etc/vsftpd/vsftpd.conf is YES and the parameter userlist_deny is left at its default value of YES, any username listed in /etc/vsftpd/user_list gets a '530 Permission denied' error and is not even prompted for a password.
When userlist_enable is enabled, vsftpd loads the usernames from the file named by userlist_file (/etc/vsftpd/user_list here). If a user tries to log in with a name in this file, they are denied before they are asked for a password. This can be useful to prevent cleartext passwords from being transmitted.
The parameter userlist_deny is only examined when userlist_enable is activated. If you set it to NO, users are allowed to log in only when they are listed in the userlist_file; everyone else is denied before the password prompt.
So the issue is resolved by setting userlist_deny to NO while userlist_enable is activated, then putting the allowed usernames in /etc/vsftpd/user_list and the disallowed usernames in /etc/vsftpd/ftpusers.
The vsftpd.conf manual page explains both parameters.
$ man vsftpd.conf

userlist_deny
    This option is examined if userlist_enable is activated. If you set this setting to NO, then users will be denied login unless they are explicitly listed in the file specified by userlist_file. When login is denied, the denial is issued before the user is asked for a password.

userlist_enable
    If enabled, vsftpd will load a list of usernames, from the filename given by userlist_file. If a user tries to log in using a name in this file, they will be denied before they are asked for a password. This may be useful in preventing cleartext passwords being transmitted. See also userlist_deny.
    Default: NO
The same logic is spelled out in the comments at the top of /etc/vsftpd/user_list.

# vsftpd userlist
# If userlist_deny=NO, only allow users in this file
# If userlist_deny=YES (default), never allow users in this file, and
# do not even prompt for a password.
# Note that the default vsftpd pam config also checks /etc/vsftpd/ftpusers
# for users that are denied.
Allowing a vsftpd local user to log in
1. Edit /etc/vsftpd/vsftpd.conf and set userlist_enable to YES and userlist_deny to NO.
# vi /etc/vsftpd/vsftpd.conf
userlist_enable=YES
userlist_deny=NO

2. Edit /etc/vsftpd/user_list and add the user that is allowed to log in (user01 here).

# cat /etc/vsftpd/user_list
user01
3. Put all users not allowed to ftp in /etc/vsftpd/ftpusers.
# cat ftpusers
# Users that are not allowed to login via ftp
root
bin
daemon
adm
lp
sync
shutdown
halt
mail
news
uucp
operator
games
nobody
4. Restart vsftpd service.
# service vsftpd restart
5. Try ftp again as user01.

$ ftp localhost
Connected to localhost.localdomain.
220 (vsFTPd 2.0.5)
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (localhost:root): user01
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>

6. Also try logging in as a disallowed user, for example root.

# ftp localhost
Connected to localhost.localdomain.
220 (vsFTPd 2.0.5)
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (localhost:root): root
530 Permission denied.
Login failed.
ftp>
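The script below is an added example, not part of the original article or of vsftpd itself. It models the userlist_enable / userlist_deny / ftpusers decision described in the Solution section and exercised by the six steps above, so that a configuration can be checked for a given username before vsftpd is restarted: it reports whether the user would be refused before the password prompt (the user_list rule), refused afterwards by the PAM ftpusers check, or allowed. It builds its own constructed sample files in a temporary directory (a "broken" vsftpd.conf with userlist_deny left at its default, and a "fixed" one with userlist_deny=NO); the file paths, function names and the verdict strings are this example's own choices and do not come from vsftpd.

```shell
#!/bin/sh
# Added example: predict how vsftpd's userlist settings treat a username.
# Models only the logic documented in vsftpd.conf(5); it does not contact
# a running server. vsftpd requires "key=value" with no surrounding
# whitespace, so that is the only form conf_value parses.

# conf_value CONF KEY DEFAULT -> print the last uncommented KEY=value, or DEFAULT
conf_value() {
    v=$(sed -n "s/^$2=//p" "$1" | tail -n 1 | tr '[:lower:]' '[:upper:]')
    [ -n "$v" ] && printf '%s\n' "$v" || printf '%s\n' "$3"
}

# listed FILE USER -> success if USER appears as a whole line in FILE
# (comment lines start with '#', so they never equal a username)
listed() {
    [ -f "$1" ] && grep -qxF -- "$2" "$1"
}

# verdict CONF USER_LIST FTPUSERS USER -> one of:
#   denied-before-password  user_list rule: "530 Permission denied", no Password: prompt
#   denied-by-pam           listed in ftpusers; pam_listfile rejects after USER/PASS
#   allowed                 passes both lists
verdict() {
    conf=$1; ulist=$2; ftpusers=$3; user=$4
    enable=$(conf_value "$conf" userlist_enable NO)   # vsftpd default: NO
    deny=$(conf_value "$conf" userlist_deny YES)      # vsftpd default: YES
    if [ "$enable" = YES ]; then
        # deny=YES: names in the file are refused; deny=NO: only names in the file pass
        if [ "$deny" = YES ] && listed "$ulist" "$user"; then
            echo denied-before-password; return
        fi
        if [ "$deny" = NO ] && ! listed "$ulist" "$user"; then
            echo denied-before-password; return
        fi
    fi
    if listed "$ftpusers" "$user"; then
        echo denied-by-pam; return
    fi
    echo allowed
}

# --- constructed sample files (not real system files) ---
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
BROKEN_CONF=$WORK/vsftpd.conf.broken
FIXED_CONF=$WORK/vsftpd.conf.fixed
USER_LIST=$WORK/user_list
FTPUSERS=$WORK/ftpusers

printf '%s\n' 'listen=YES' 'userlist_enable=YES' \
    '# userlist_deny not set, so vsftpd uses its default of YES' > "$BROKEN_CONF"
printf '%s\n' 'listen=YES' 'userlist_enable=YES' 'userlist_deny=NO' > "$FIXED_CONF"
printf '%s\n' '# vsftpd userlist' 'user01' > "$USER_LIST"
printf '%s\n' '# Users that are not allowed to login via ftp' root bin daemon > "$FTPUSERS"

# Show the outcome for each config and user; run stand-alone: sh userlist_check.sh
for conf in "$BROKEN_CONF" "$FIXED_CONF"; do
    for user in user01 root user02; do
        printf '%-20s %-8s %s\n' "$(basename "$conf")" "$user" \
            "$(verdict "$conf" "$USER_LIST" "$FTPUSERS" "$user")"
    done
done
```

With the broken configuration, user01 is the one name in user_list and is therefore the one refused before the password prompt, which is exactly the symptom in the Problem section; with userlist_deny=NO, user01 is allowed, while root and any user absent from user_list are refused before the prompt, matching step 6.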