After installation and start of the VSFTPD service, two files are created in the /etc/vsftpd/ directory: “ftpusers” and “user_list“. These files are used to allow or deny login attempts. The behavior of ftpusers and user_list is configurable in the vsftpd.conf file using the userlist_deny option. The vsftpd.conf file also offers the option of adding a third, custom file.
userlist_file=/etc/vsftpd/[custom_file]
The chart below specifies file behavior when using the custom file in addition to the two default files.
| userlist_deny setting | ftpusers | user_list | custom_file |
|---|---|---|---|
| userlist_deny=NO | deny before password | deny before password | allow |
| userlist_deny=YES | deny after password | allow | deny before password |
| no setting | deny after password | deny after password | deny before password |
Lets see few examples of allowing and denying users to login to VSFTP server.
Allow all of the VSFTP Server local users to login
1. Make sure the file /etc/vsftpd/ftpusers and /etc/vsftpd/user_list do not include the users whom you want to allow VSFTP login access.
# cat /etc/vsftpd/ftpusers # Users that are not allowed to login via ftp bin daemon adm lp sync shutdown halt mail news uucp operator games nobody
# cat /etc/vsftpd/user_list # vsftpd userlist # If userlist_deny=NO, only allow users in this file # If userlist_deny=YES (default), never allow users in this file, and # do not even prompt for a password. # Note that the default vsftpd pam config also checks /etc/vsftpd/ftpusers # for users that are denied. bin daemon adm lp sync shutdown halt mail news uucp operator games nobody
2. Verify that you do not have the userlist_deny parameter included in the file /etc/vsftpd/vsftpd.conf.
# cat /etc/vsftpd/vsftpd.conf | grep userlist_deny #
3. Verify with one of the users.
# ftp vsftpsrv Connected to vsftpsrv (192.168.149.10). 220 (vsFTPd 2.0.5) Name (192.168.149.10:root): user 331 Please specify the password. Password: 230 Login successful. Remote system type is UNIX. Using binary mode to transfer files. ftp>
Allow few of the VSFTP Server local users to login
1. Under default VSFTP configuration, edit/add “userlist_deny” argument to “NO” in VSFTP Server configuration file /etc/vsftpd/vsftpd.conf:
# vi /etc/vsftpd/vsftpd.conf userlist_deny=NO
2. Edit file /etc/vsftpd/user_list to include allowed local users, add users user01 and user02.
# cat /etc/vsftpd/user_list user01 user02
3. Restart vsftpd service on VSFTP Server.
[root@vsftpsrv ~]# service vsftpd restart Shutting down vsftpd: [ OK ] Starting vsftpd for vsftpd: [ OK ]
4. Test with one of allowed users, user user01 is able to login.
# ftp vsftpsrv Connected to vsftpsrv (192.168.149.10). 220 (vsFTPd 2.0.5) Name (192.168.149.10:root): user01 331 Please specify the password. Password: 230 Login successful. Remote system type is UNIX. Using binary mode to transfer files. ftp>
5. Test with a user which is not listed in /etc/vsftpd/user_list. Check for user “user03” which is NOT included in the user_list file.
# ftp vsftpsrv Connected to vsftpsrv (192.168.149.10). 220 (vsFTPd 2.0.5) Name (192.168.149.10:root): user03 530 Permission denied. Login failed. ftp>