vsftpd setup – the missing information

So I set up vsftpd on my Debian box the other day. I wanted a simple virtual users setup, so I created /etc/vsftpd, moved and symlinked my vsftpd.conf into this directory (to keep Debian happy) and also added a /etc/vsftpd/users.txt file – the source for my db(1) database that pam should use, after I compiled it with

$ cd /etc/vsftpd && db4.6_load -T -t hash -f users.txt users.db

Now that the database existed I went to /etc/pam.d/vsftpd and configured it there

session optional    pam_keyinit.so force revoke
auth    required    /lib/security/pam_userdb.so \
                    db=/etc/vsftpd/users.db
account required    /lib/security/pam_userdb.so \
                    db=/etc/vsftpd/users.db

but when I tried to log in, vsftpd always reported 530: Login incorrect (and of course I specified an existing user with a correct password). So what went wrong?

After struggling with it for quite some time I noticed that my /var/log/auth.log contained output from pam:

vsftpd: pam_userdb(vsftpd:auth): Verify user `foo' with a password
vsftpd: pam_userdb(vsftpd:auth): user_lookup: could not open database `/etc/vsftpd/users.db': No such file or directory

Huh?! Of course /etc/vsftpd/users.db exists – though it is only read-/writable by root (600), this shouldn’t matter much, because vsftpd runs as root anyway.

Well, the nice thing about the internet is that there is usually at least one person who already had the same problem as you and eventually solved it – and that was the case here as well:

It turned out that pam_userdb.so silently appends .db to the given path, so all I had to do to make it work was stripping off my .db in /etc/pam.d/vsftpd:

session optional    pam_keyinit.so force revoke
auth    required    /lib/security/pam_userdb.so \
                    db=/etc/vsftpd/users
account required    /lib/security/pam_userdb.so \
                    db=/etc/vsftpd/users

If you look into pam_userdb(8) you won’t find any hint about that – even worse, the example in the man page uses the explicit .db suffix as well (at least here on Lenny).
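As an added example (not part of the original post), here is a small POSIX shell helper that does two things: it builds users.db from users.txt the way the post does, and it lints the db= arguments of a PAM service file by resolving them the way pam_userdb does (appending .db), so the silent-suffix mistake above shows up as a clear message instead of "530 Login incorrect". It also flags a world-readable database, since the file holds credentials. The db_load tool names it probes for (db_load, db4.6_load) and the scratch directory in the demo are assumptions, not something the post specifies.

```sh
#!/bin/sh
# Added example, not from the original post: build the virtual-user database
# and lint the db= arguments in a PAM service file. pam_userdb appends ".db"
# to the db= path itself, so db=/etc/vsftpd/users.db makes it open
# /etc/vsftpd/users.db.db, which does not exist, and every login fails.

# build_userdb <dir>: compile <dir>/users.txt into <dir>/users.db.
# With -T the text file holds alternating key and value lines (username,
# then password). The tool name depends on the Berkeley DB version
# (db4.6_load on Lenny in the post); the candidates below are an assumption.
build_userdb() {
    dir=$1
    for tool in db_load db4.6_load; do
        if command -v "$tool" >/dev/null 2>&1; then
            # umask 077 so the new file is created 0600: it holds plaintext passwords.
            (umask 077 && "$tool" -T -t hash -f "$dir/users.txt" "$dir/users.db")
            return $?
        fi
    done
    printf 'build_userdb: no db_load tool found\n' >&2
    return 1
}

# check_pam_userdb <pam-service-file>: resolve every pam_userdb db= argument
# the way pam_userdb does (append .db) and report it. Returns 0 only if every
# database is found and is not world-readable.
check_pam_userdb() {
    pamfile=$1
    status=0
    # Join backslash-continued lines (as in the post's config), drop comment
    # lines, then pull the db=<path> token from each pam_userdb line.
    paths=$(sed -e ':a' -e '/\\$/N; s/\\\n//; ta' "$pamfile" \
            | grep -v '^[[:space:]]*#' \
            | grep pam_userdb \
            | sed -n 's/.*[[:space:]]db=\([^[:space:]]*\).*/\1/p')
    for p in $paths; do
        real="$p.db"
        if [ -f "$real" ]; then
            # Column 8 of ls -l is the other-read bit.
            case $(ls -l "$real") in
                ???????r*) printf 'WARN %s is world-readable\n' "$real"; status=1 ;;
                *)         printf 'OK   db=%s -> %s\n' "$p" "$real" ;;
            esac
        elif [ -f "$p" ] && [ "$p" != "${p%.db}" ]; then
            printf 'FAIL db=%s -> %s missing; pam_userdb appends .db, use db=%s\n' \
                "$p" "$real" "${p%.db}"
            status=1
        else
            printf 'FAIL db=%s -> %s missing\n' "$p" "$real"
            status=1
        fi
    done
    return $status
}

# Demo in a constructed scratch directory (not the real /etc/vsftpd).
demo() {
    tmp=$(mktemp -d) || return 1
    printf 'foo\nsecret\n' > "$tmp/users.txt"        # constructed sample user
    build_userdb "$tmp" || : > "$tmp/users.db"       # empty stand-in if no db_load
    chmod 600 "$tmp/users.db"
    printf 'auth required pam_userdb.so \\\n    db=%s/users.db\n' "$tmp" > "$tmp/broken"
    printf 'auth required pam_userdb.so \\\n    db=%s/users\n' "$tmp" > "$tmp/fixed"
    check_pam_userdb "$tmp/broken"   # FAIL: pam_userdb would open users.db.db
    check_pam_userdb "$tmp/fixed"    # OK
    rm -rf "$tmp"
}
demo
```

Run it against the real service file with `check_pam_userdb /etc/pam.d/vsftpd` after editing; a FAIL line with the "use db=" hint is exactly the situation the post describes.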

Anyway, I now have an easy-to-manage FTP server and one less reason to have to trust Dropbox and friends 🙂
