[CentOS] vsftpd rejects users set to nologin

Thu Jan 10 21:34:12 UTC 2019
Kenneth Porter <shiva at sewingwitch.com>

--On Thursday, January 10, 2019 4:17 PM -0500 Stephen John Smoogen 
<smooge at gmail.com> wrote:

> So I think this is a side effect of a long term argument of the security
> nature of /sbin/nologin
> https://serverfault.com/questions/328395/nologin-in-etc-shells-is-dangero
> us-why
> https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.o
> The second thread goes over me being an idiot in multiple places...

Thanks. I independently discovered the fedora-devel thread when I dug into 
Bugzilla for the setup package, limiting to bugs mentioning /etc/shells, 
and found this bug:


I think the takeaway is that /sbin/nologin should NOT be in /etc/shells. So 
that means vsftpd should NOT use the pam shells plugin to decide which 
accounts are system accounts in order to block them. It already has its own 
ftpusers file for that purpose. Is that sufficient? But how would it know 
when a new system account was added by a new package? OTOH, we can switch 
the file to whitelist instead of blacklist in vsftpd.conf. So now we have 
to  edit the whitelist whenever we add a regular user (assuming FTP is 
allowed by default for shell users).