More digging (now that I have a better handle on how to ask the question) reveals this bug against documentation and release notes for 7.6 to alert updaters about this breaking change for vsftpd: https://bugzilla.redhat.com/show_bug.cgi?id=1647485 The last comment there, #15 by "Roy": > For a workaround to vsftpd login failures that doesn't expose your system > to the cited CVE, and retains the benefits of system user account > separation, read from "Virtual users with TLS/SSL/FTPS and a common > upload directory - Complicated vsftpd" on > https://ubuntuforums.org/showthread.php?t=518293, but implement home > directories using the section "System users as a virtual user with > non-system password" as a guide.