Hi,

I recently updated to proftpd-1.3.1 from 1.2.10-1 on CentOS 5(x86). Previously some of the users are with /bin/false but now they are not able to login even when the "RequiredValidShell off" directive is used. When I changed their shells to /sbin/nologin which is present in /etc/shells the users are able to login again. What could be the reason?

/bin/false is not included in /etc/shells

PS: The title is corrected(typo) to make it easier for others when they search for it.

Indeed /bin/false is not listed in /etc/shells. Check the spelling of the proftpd directive: it should be RequireValidShell (not RequiredValidShell).

Sorry about that, its a typo in the question. I did use the correct directive.

RequireValidShell off

Ok. Maybe there is some problem with the authentication method (e.g. PAM authentication that proftpd tries to use by default). Did you see something strange in /var/log/messages or /var/log/secure upon the failed logins?

Here is the edited version of /var/log/secure

First when then the user is set to /bin/false

proftpd: Deprecated pam_stack module called from service "proftpd"
USER xxxx (Login failed): Incorrect password.
FTP session closed.

Now, the user has been changed to /sbin/nologin

USER xxxx: Login successful.
Preparing to chroot to directory '/home/xxxx'
Deprecated pam_stack module called from service "proftpd"
pam_env(proftpd:setcred): Unable to open config file: /etc/security/pam_env.conf: No such file or directory.
Deprecated pam_stack module called from service "proftpd"
pam_succeed_if(proftpd:session): error retrieving information about user 0
pam_unix(proftpd:session): session closed for user xxxx
FTP session closed.

Should I make any changes to PAM?

Before doing that, you can test if proftp works in the expected way without PAM authentication. To do this you can add the following to proftpd.conf
this tells proftp to proceed with other authentication methods if something fails with pam, or
to disable PAM authentication entirely. Also, which version of pam is installed? And what is the content of the pam configuration file for proftp (something like /etc/pam.d/proftp or /etc/pam.d/ftp)?

The first directive seems to be deprecated in v1.3.1 as it complains that its not a valid directive and also it is not listed in the online documentation.

The second directive didn't help with /bin/false(Still the same login incorrect messages)

PAM version: pam-0.99.6.2-3.14.el5
/etc/pam.d/proftpd
EDIT: I just commented out "auth required pam_shells.so" in /etc/pam.d/proftpd and its working fine,obviously I guess?