vsftpd: pam_listfile(vsftpd:auth): Refused user root for service vsftpd

If you are attempting to FTP to a server running vsftpd as its FTP daemon you will be refused if this is a default vsftpd installation. It is strongly recommended to not allow root access to FTP because of security concerns which would provide the ftp user access to destroy anything on the server running FTP at will. Regardless it might be necessary for specific tasks and the below information will assist you in configuring vsftpd to allow the root user to login.

vsftpd Error Logs Displaying root Login Refused:

Sep 5 11:36:39 linux-server vsftpd: pam_listfile(vsftpd:auth): Refused user root for service vsftpd
Sep 5 11:37:00 linux-server vsftpd: pam_listfile(vsftpd:auth): Refused user root for service vsftpd

As seen in the example log output above the root user is denied access to login to the vsftpd FTP service by default. The vsftpd configuration files are installed in /etc/vsftpd by default on CentOS and include vsftpd.conf, and user_list. The confusion might come because of the existence of both the ftpusers and user_list files. The ftpusers file always includes a list of users that are not accepted to authenticate to FTP while the user_list file could either be users who are refused or users who are allowed. Below we show the vsftpd.conf userlist_deny configuration parameter set to YES and set to NO with a description of the functionality of each method.

vsftpd userlist_deny=YES – Default vsftpd Settings

userlist_deny=YES

When the vsftpd.conf userlist_deny configuration parameter is set to YES as shown in the example above the users listed in user_list are denied access to the FTP service.

vsftpd userlist_deny=NO

userlist_deny=NO

When the vsftpd.conf userlist_deny configuration parameter is set to NO as shown in the example above the users listed in user_list are the only users who are allowed access to vsftpd’s FTP service.

Where confusion may enter the scenario is regardless of any other settings the users listed in ftpusers are always denied access to the vsftpd FTP service. So when you want a user such as the root user to have access to FTP when vsftpd is the FTP software you need to make sure the user is not listed in either user_list or ftpusers unless of course userlist_deny=NO then you want to make sure the user is listed in user_list but not in ftpusers.

I also wanted to mention again that it is a severe security flaw when root has access to FTP on any server so be very careful allowing a user with root permissions access to FTP.