Proftpd: 530 Login incorrect due to invalid shell

Written by - 1 comments

Published on May 14th 2012 - Listed in Linux Internet


In case you have a Proftpd FTP server and you receive the following error message in your FTP log, it does not necessarily mean that your password is wrong:

Status:    Verbinde mit xxx.xxx.xxx.xxx:21...
Status:    Verbindung hergestellt, warte auf Willkommensnachricht...
Antwort:    220 FTP Server ready.
Befehl:    USER web24
Antwort:    331 Password required for web24
Befehl:    PASS ********
Antwort:    530 Login incorrect.
Fehler:    Kritischer Fehler

Obviously you need to check on the server if the password is really correct.
The next step is to use proftpd's debugging mode. Stop the daemon and launch the following command:

proftpd -nd6

This command launches proftpd in debug mode, where you can trace everything what happens:

# proftpd -nd6
 - using TCP receive buffer size of 87380 bytes
 - using TCP send buffer size of 16384 bytes
 - disabling runtime support for IPv6 connections
 - mod_tls/2.4.2: using OpenSSL 0.9.8o 01 Jun 2010
 - <IfModule>: using 'mod_tls.c' section at line 9
ftp.server.ip.address -
ftp.server.ip.address - Config for example.com:
ftp.server.ip.address - Limit
ftp.server.ip.address -  DenyGroup
ftp.server.ip.address - DefaultServer
ftp.server.ip.address - ServerIdent
ftp.server.ip.address - ListOptions
ftp.server.ip.address - IdentLookups
ftp.server.ip.address - TimesGMT
ftp.server.ip.address - LangEngine
ftp.server.ip.address - Umask
ftp.server.ip.address - UserID
ftp.server.ip.address - UserName
ftp.server.ip.address - GroupID
ftp.server.ip.address - GroupName
ftp.server.ip.address - TransferLog
ftp.server.ip.address - AllowOverwrite
ftp.server.ip.address - DefaultRoot
ftp.server.ip.address - TLSEngine
ftp.server.ip.address - TLSLog
ftp.server.ip.address - TLSRSACertificateFile
ftp.server.ip.address - TLSRSACertificateKeyFile
ftp.server.ip.address - TLSOptions
ftp.server.ip.address - TLSRequired
ftp.server.ip.address - mod_lang/0.9: skipping possible language 'it': not supported by setlocale(3); see `locale -a'
ftp.server.ip.address - mod_lang/0.9: skipping possible language 'ru': not supported by setlocale(3); see `locale -a'
ftp.server.ip.address - mod_tls/2.4.2: passphrase locked into memory
ftp.server.ip.address - ProFTPD 1.3.3a (maint) (built Sun Nov 13 2011 22:40:44 UTC) standalone mode STARTUP
ftp.server.ip.address (my.remote.ip.address[my.remote.ip.address]) - session requested from client in unknown class
ftp.server.ip.address (my.remote.ip.address[my.remote.ip.address]) - mod_cap/1.0: adding CAP_AUDIT_WRITE capability
ftp.server.ip.address (my.remote.ip.address[my.remote.ip.address]) - mod_ident/1.0: ident lookup disabled
ftp.server.ip.address (my.remote.ip.address[my.remote.ip.address]) - connected - local  : ftp.server.ip.address:21
ftp.server.ip.address (my.remote.ip.address[my.remote.ip.address]) - connected - remote : my.remote.ip.address:52478
ftp.server.ip.address (my.remote.ip.address[my.remote.ip.address]) - FTP session opened.
ftp.server.ip.address (my.remote.ip.address[my.remote.ip.address]) - dispatching PRE_CMD command 'USER web24' to mod_rewrite
ftp.server.ip.address (my.remote.ip.address[my.remote.ip.address]) - dispatching PRE_CMD command 'USER web24' to mod_tls
ftp.server.ip.address (my.remote.ip.address[my.remote.ip.address]) - dispatching PRE_CMD command 'USER web24' to mod_core
ftp.server.ip.address (my.remote.ip.address[my.remote.ip.address]) - dispatching PRE_CMD command 'USER web24' to mod_core
ftp.server.ip.address (my.remote.ip.address[my.remote.ip.address]) - dispatching PRE_CMD command 'USER web24' to mod_delay
ftp.server.ip.address (my.remote.ip.address[my.remote.ip.address]) - dispatching PRE_CMD command 'USER web24' to mod_auth
ftp.server.ip.address (my.remote.ip.address[my.remote.ip.address]) - dispatching CMD command 'USER web24' to mod_auth
ftp.server.ip.address (my.remote.ip.address[my.remote.ip.address]) - dispatching POST_CMD command 'USER web24' to mod_sql
ftp.server.ip.address (my.remote.ip.address[my.remote.ip.address]) - dispatching POST_CMD command 'USER web24' to mod_delay
ftp.server.ip.address (my.remote.ip.address[my.remote.ip.address]) - dispatching LOG_CMD command 'USER web24' to mod_sql
ftp.server.ip.address (my.remote.ip.address[my.remote.ip.address]) - dispatching LOG_CMD command 'USER web24' to mod_log
ftp.server.ip.address (my.remote.ip.address[my.remote.ip.address]) - dispatching PRE_CMD command 'PASS (hidden)' to mod_rewrite
ftp.server.ip.address (my.remote.ip.address[my.remote.ip.address]) - dispatching PRE_CMD command 'PASS (hidden)' to mod_tls
ftp.server.ip.address (my.remote.ip.address[my.remote.ip.address]) - dispatching PRE_CMD command 'PASS (hidden)' to mod_core
ftp.server.ip.address (my.remote.ip.address[my.remote.ip.address]) - dispatching PRE_CMD command 'PASS (hidden)' to mod_core
ftp.server.ip.address (my.remote.ip.address[my.remote.ip.address]) - dispatching PRE_CMD command 'PASS (hidden)' to mod_wrap
ftp.server.ip.address (my.remote.ip.address[my.remote.ip.address]) - dispatching PRE_CMD command 'PASS (hidden)' to mod_sql
ftp.server.ip.address (my.remote.ip.address[my.remote.ip.address]) - dispatching PRE_CMD command 'PASS (hidden)' to mod_delay
ftp.server.ip.address (my.remote.ip.address[my.remote.ip.address]) - dispatching PRE_CMD command 'PASS (hidden)' to mod_auth
ftp.server.ip.address (my.remote.ip.address[my.remote.ip.address]) - dispatching CMD command 'PASS (hidden)' to mod_auth
ftp.server.ip.address (my.remote.ip.address[my.remote.ip.address]) - user 'web24' authenticated by mod_auth_pam.c
ftp.server.ip.address (my.remote.ip.address[my.remote.ip.address]) - USER web24 (Login failed): Invalid shell: '/bin/false'
ftp.server.ip.address (my.remote.ip.address[my.remote.ip.address]) - dispatching POST_CMD_ERR command 'PASS (hidden)' to mod_sql
ftp.server.ip.address (my.remote.ip.address[my.remote.ip.address]) - dispatching POST_CMD_ERR command 'PASS (hidden)' to mod_delay
ftp.server.ip.address (my.remote.ip.address[my.remote.ip.address]) - dispatching LOG_CMD_ERR command 'PASS (hidden)' to mod_sql
ftp.server.ip.address (my.remote.ip.address[my.remote.ip.address]) - dispatching LOG_CMD_ERR command 'PASS (hidden)' to mod_log
ftp.server.ip.address (my.remote.ip.address[my.remote.ip.address]) - dispatching LOG_CMD_ERR command 'PASS (hidden)' to mod_auth
ftp.server.ip.address (my.remote.ip.address[my.remote.ip.address]) - mod_tls/2.4.2: scrubbing 1 passphrase from memory
ftp.server.ip.address (my.remote.ip.address[my.remote.ip.address]) - FTP session closed.

Yes.. the important line is this one:

ftp.server.ip.address (my.remote.ip.address[my.remote.ip.address]) - USER web24 (Login failed): Invalid shell: '/bin/false'

Either the user web24 needs a valid shell like /bin/bash or the proftpd.conf setting needs the following line:

# grep Shell /etc/proftpd/proftpd.conf
RequireValidShell             off

By setting this option, proftpd accepts users without valid shells and will allow the FTP session.


Add a comment

Show form to leave a comment

Comments (newest first)

Nobbi from wrote on Aug 28th, 2013:

My problem has been, that the home-directory of the virtual user wasn't existing; so the access was denied.
I set it to the ftp-root and it works - after hours of googling and trying.
Thanks for your advice ;-)