Access-control file for ftpd




The /etc/ftpusers file provides user access control for ftpd by defining which users may login.

Note: If the /etc/ftpusers file doesn't exist, all users are denied access.

The syntax of each line is:

userglob[:groupglob][@host] [directive [class]]


Match against the username. Calls fnmatch() (e.g., f*).
Match against all the groups that the user is a member of. Calls fnmatch() (e.g., *src).
Either a CIDR address (see inet_net_pton()) to match against the remote address (e.g.,, or a glob to match against the remote hostname (e.g., *.netbsd.org).
Allow or deny user access.
  • allow or yes — allow user access
  • deny or no — deny user access

If none of the above values are specified, user access is denied.

Use this class in /etc/ftpd.conf. If class isn't specified, it defaults to one of the following:
  • chroot — there's a match in /etc/ftpchroot for the user.
  • guest — the user name is anonymous or ftp.
  • real — neither of the above is true.

No further comparisons are attempted after the first successful match. If no match is found, the user is granted access. This syntax is backward-compatable with the old syntax.

If a user requests a guest login, the ftpd server checks to see that both anonymous and ftp have access. If you deny all users by default, you'll need to add both anonymous allow and ftp allow to /etc/ftpusers in order to allow guest logins.

The character: Meaning:
\ Escape character. It can be used to escape the meaning of the comment character, or if it's the last character on a line, it extends a configuration directive across multiple lines.
# Comment character. All characters from it to the end of line are ignored (unless it's escaped with the escape character).

Related files

A list of the normal users who should have their session's root directory changed.