RedHatVsftpdConfig

How to configure vsftpd under Red Hat Linux

I often have people trying to FTP into a Red Hat machine and complaining that the server does not let them in, answering every login attempt with "530 Login incorrect." Yet vsftpd is up and running! How come?

Well, people, that's because Red Hat uses PAM. And PAM is the truest piece of manure that ever (dis)graced a Linux box. Slackware does not use PAM, and you quickly understand why: unless every per-service stack in /etc/pam.d is told about it, PAM does not play well with any kind of centralized login/password database, such as OpenLDAP, which is in use where I work.

So... if you'd like vsftpd to work correctly on a Red Hat Enterprise Linux 4 machine with LDAP and PAM, make sure your /etc/pam.d/vsftpd file is equivalent to the one below:

#%PAM-1.0
auth       sufficient   pam_ldap.so
auth       required     pam_listfile.so item=user sense=deny file=/etc/vsftpd.ftpusers onerr=succeed
auth       required     pam_stack.so service=system-auth
auth       required     pam_shells.so
account    sufficient   pam_ldap.so
account    required     pam_stack.so service=system-auth
session    sufficient   pam_ldap.so
session    required     pam_stack.so service=system-auth

Compare and contrast with the previous version (the one that does not let you use FTP at all...). The only difference is the three "sufficient pam_ldap.so" lines, and their position matters: a sufficient module that succeeds ends its stack on the spot, so with pam_ldap.so at the top of the auth stack the /etc/vsftpd.ftpusers deny list and the pam_shells check are never consulted for a user who authenticates against LDAP. If you want those checks to cover LDAP users as well, keep the pam_listfile and pam_shells lines above the pam_ldap one; a failed required module is not rescued by a later sufficient success.

#%PAM-1.0
auth       required     pam_listfile.so item=user sense=deny file=/etc/vsftpd.ftpusers onerr=succeed
auth       required     pam_stack.so service=system-auth
auth       required     pam_shells.so
account    required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth

Once vsftpd has been started (or restarted) with a nice /etc/init.d/vsftpd start, it finally lets you in... provided the LDAP users are also visible through NSS (passwd: files ldap in /etc/nsswitch.conf): after PAM says yes, vsftpd still looks the user up with getpwnam() to get the uid and home directory, and an unknown user gets the very same 530 Login incorrect.
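Here is a small sanity check for that ordering question, added to this page as an example (it is not from the original write-up and is not part of vsftpd or Linux-PAM): a sh script carrying constructed copies of the stack above and of the same stack with the deny list moved to the top, plus an awk-based lint that flags an "auth sufficient" line sitting above the pam_listfile deny rule. The temporary file names are made up for the demo; on a real box run pam_check_order /etc/pam.d/vsftpd.

```shell
#!/bin/sh
# Added example, not from the original page and not part of vsftpd or Linux-PAM.
# A "sufficient" module that succeeds ends the PAM stack immediately, so an
# "auth sufficient pam_ldap.so" line placed above the pam_listfile deny rule
# means LDAP users are never checked against /etc/vsftpd.ftpusers.

# pam_check_order FILE
#   Prints the line number of the first "auth sufficient" entry that precedes the
#   pam_listfile sense=deny rule and returns 0; prints nothing and returns 1 when
#   the deny rule comes first (or when either line is missing).
pam_check_order() {
    awk '
        $1 ~ /^#/ || NF == 0 { next }     # skip comments and blank lines
        $1 == "auth" && $2 == "sufficient" && !seen_deny && !first { first = FNR }
        $1 == "auth" && $3 == "pam_listfile.so" && /sense=deny/ { seen_deny = 1 }
        END {
            if (first && seen_deny) { print first; exit 0 };
            exit 1
        }
    ' "$1"
}

# Constructed copy of the stack shown on this page: LDAP auth comes first.
write_page_stack() {
    cat > "$1" <<'EOF'
#%PAM-1.0
auth       sufficient   pam_ldap.so
auth       required     pam_listfile.so item=user sense=deny file=/etc/vsftpd.ftpusers onerr=succeed
auth       required     pam_stack.so service=system-auth
auth       required     pam_shells.so
account    sufficient   pam_ldap.so
account    required     pam_stack.so service=system-auth
session    sufficient   pam_ldap.so
session    required     pam_stack.so service=system-auth
EOF
}

# Same stack with the deny list and shell check above pam_ldap.so: a failed
# "required" module is not rescued by a later "sufficient" success, so the
# ftpusers list and /etc/shells now apply to LDAP and local users alike.
write_safer_stack() {
    cat > "$1" <<'EOF'
#%PAM-1.0
auth       required     pam_listfile.so item=user sense=deny file=/etc/vsftpd.ftpusers onerr=succeed
auth       required     pam_shells.so
auth       sufficient   pam_ldap.so
auth       required     pam_stack.so service=system-auth
account    sufficient   pam_ldap.so
account    required     pam_stack.so service=system-auth
session    sufficient   pam_ldap.so
session    required     pam_stack.so service=system-auth
EOF
}

# Demo on the two constructed files (use pam_check_order /etc/pam.d/vsftpd for real).
tmp=$(mktemp -d)
write_page_stack  "$tmp/vsftpd.page"
write_safer_stack "$tmp/vsftpd.safer"
for f in "$tmp/vsftpd.page" "$tmp/vsftpd.safer"; do
    if line=$(pam_check_order "$f"); then
        echo "$f: WARNING: 'auth sufficient' on line $line bypasses the ftpusers deny list"
    else
        echo "$f: ok, the deny list is evaluated before any sufficient auth module"
    fi
done
rm -rf "$tmp"
```

The lint only looks at the auth stack, which is where the short-circuit hurts; the account and session "sufficient" lines skip the system-auth stack too, but that costs you pam_limits and friends rather than an access check.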

Now, why do you need vsftpd when sshd is so much better and secure and convenient? Because your users have a "fantastic" testing tool... that only uses FTP. Of course. *sigh*

A note on TCP Wrappers

This applies to CentOS only: if you want vsftpd to honour TCP Wrappers (/etc/hosts.allow and /etc/hosts.deny) as a host-based access-control layer in front of the daemon (always a good idea, by the way; the Red Hat build is compiled against libwrap, which the option needs), remember to put the following in /etc/vsftpd/vsftpd.conf:

# The following line activates TCP wrappers on vsftpd
tcp_wrappers=YES

Simple enough, but the stock CentOS vsftpd.conf does not turn it on, while the Red Hat Enterprise Linux one does (a quick grep '^tcp_wrappers' /etc/vsftpd/vsftpd.conf tells you which one you have).

As the CentOS documentation (see below) notes:

tcp_wrappers — When enabled, TCP wrappers are used to grant access to the server. If the FTP server is configured on multiple IP addresses, the VSFTPD_LOAD_CONF option can be used to load different configuration files based on the IP address being requested by the client. For more information about TCP Wrappers, refer to Chapter 17 TCP Wrappers and xinetd.

The default value is NO. Note, in Red Hat Enterprise Linux, the value is set to YES.
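To see what tcp_wrappers=YES actually buys you, here is a toy evaluator, added to this page as an example (not from the original page and not part of vsftpd or tcp_wrappers): it reproduces the libwrap decision order (hosts.allow first, then hosts.deny, then allow by default) over a constructed hosts.allow/hosts.deny pair for vsftpd. It only understands the "daemon : client" form with ALL, exact IPv4 addresses and net/mask patterns (no hostnames, EXCEPT clauses or option fields), and the sample addresses and file locations are made up. On a real box, tcpdmatch vsftpd 203.0.113.9 asks libwrap the same question against the real files.

```shell
#!/bin/sh
# Added example, not from the original page and not part of vsftpd or tcp_wrappers.
# With tcp_wrappers=YES vsftpd hands every connection to libwrap, which checks
# /etc/hosts.allow first (match => allow), then /etc/hosts.deny (match => deny),
# and otherwise lets the connection through. The daemon name it uses is "vsftpd".
# This toy reimplements that order for a subset of the syntax: "daemon : client"
# lines, ALL, exact IPv4 addresses and net/mask patterns (constructed policy below).

# ip2int A.B.C.D -> 32-bit integer
ip2int() {
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# client_matches PATTERN CLIENT_IP
client_matches() {
    case "$1" in
        ALL) return 0 ;;
        */*) # net/mask pattern: compare the masked addresses
             [ $(( $(ip2int "$2") & $(ip2int "${1#*/}") )) -eq \
               $(( $(ip2int "${1%/*}") & $(ip2int "${1#*/}") )) ] ;;
        *)   [ "$1" = "$2" ] ;;
    esac
}

# table_matches FILE DAEMON CLIENT_IP -> 0 if any line of FILE matches
table_matches() {
    local file=$1 daemon=$2 client=$3 line dlist clist d c
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                      # strip comments
        case "$line" in *:*) ;; *) continue ;; esac
        dlist=${line%%:*}                     # daemon_list
        clist=${line#*:}; clist=${clist%%:*}  # client_list (drop any option field)
        for d in $(echo "$dlist" | tr ',' ' '); do
            [ "$d" = ALL ] || [ "$d" = "$daemon" ] || continue
            for c in $(echo "$clist" | tr ',' ' '); do
                client_matches "$c" "$client" && return 0
            done
        done
    done < "$file"
    return 1
}

# wrappers_decide ALLOW_FILE DENY_FILE DAEMON CLIENT_IP -> prints allow|deny
wrappers_decide() {
    if table_matches "$1" "$3" "$4"; then echo allow
    elif table_matches "$2" "$3" "$4"; then echo deny
    else echo allow                           # no rule anywhere: libwrap allows
    fi
}

# write_sample_policy DIR: constructed hosts.allow/hosts.deny for the demo
write_sample_policy() {
    cat > "$1/hosts.allow" <<'EOF'
# the daemon field is the process name: "vsftpd", not "ftp"
vsftpd: 192.168.1.0/255.255.255.0, 10.0.0.5
sshd:   ALL
EOF
    cat > "$1/hosts.deny" <<'EOF'
vsftpd: ALL
EOF
}

dir=$(mktemp -d)
write_sample_policy "$dir"
for ip in 192.168.1.77 10.0.0.5 203.0.113.9; do
    echo "vsftpd from $ip: $(wrappers_decide "$dir/hosts.allow" "$dir/hosts.deny" vsftpd "$ip")"
done
rm -rf "$dir"
```

The point worth remembering from the run: a daemon with no line in either file is allowed, so "vsftpd: ALL" in hosts.deny is what turns the allow list into a real whitelist, and the name on that line has to be vsftpd because that is what the daemon passes to libwrap.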

See Also: