I think the pam_shells test is really a lazy test for daemons. There's already a blacklist in /etc/vsftpd/user_list but it's incomplete. (It lacks a LOT of common system services such as named, sshd, and dbus.) I suggest replacing pam_shells with a test for UID < 1000:

    auth required pam_succeed_if.so uid >= 1000 quiet_success
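
An added example, not part of the original comment: a shell audit that lists accounts with UID below 1000 that pass a pam_shells-style check (login shell listed in the shells file) and are absent from user_list, which are the accounts the suggested rule would newly reject. The function names, file arguments and sample data are assumptions constructed for illustration, and user_list is treated as a deny list, as the comment describes it.

```shell
#!/bin/sh
# Added example. Lists accounts that a pam_shells-style check and the
# user_list deny list both let through, but "uid >= 1000" would reject.
# usage: uid_rule_gap PASSWD_FILE SHELLS_FILE USER_LIST_FILE
uid_rule_gap() {
    awk -F: -v shells="$2" -v deny="$3" '
        BEGIN {
            # Valid shells, one per line; skip blanks and comments.
            while ((getline line < shells) > 0)
                if (line != "" && line !~ /^#/) ok_shell[line] = 1
            # Deny-list entries, one user name per line.
            while ((getline line < deny) > 0)
                if (line != "" && line !~ /^#/) denied[line] = 1
        }
        # passwd fields: name:pw:uid:gid:gecos:home:shell
        NF >= 7 && $3 < 1000 && ($7 in ok_shell) && !($1 in denied) {
            print $1
        }
    ' "$1"
}

# Runs the audit over constructed sample files (not from a real host).
demo() {
    d=$(mktemp -d) || return 1
    cat > "$d/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
named:x:25:25:Named:/var/named:/sbin/nologin
sshd:x:74:74:sshd:/var/empty/sshd:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
backup:x:499:499:backup job:/var/backup:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
EOF
    # Assumption: the sample shells file lists /sbin/nologin as valid.
    printf '%s\n' /bin/sh /bin/bash /sbin/nologin > "$d/shells"
    printf '%s\n' '# constructed deny list' root bin daemon > "$d/user_list"
    uid_rule_gap "$d/passwd" "$d/shells" "$d/user_list"
    rm -rf "$d"
}

demo
```

On a real host the arguments would be /etc/passwd, /etc/shells and /etc/vsftpd/user_list.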