The TFTP Daemon tftpd

The Trivial File Transfer Protocol (TFTP) is used to transfer files across a network. Unlike FTP, TFTP doesn’t include authentication. Anyone who can access the TFTP server can upload or download files from it.

TFTP is an inflexible protocol. It doesn’t work through network address translation without a proxy or some kind of intelligence within the translation device, and there’s no interactive session as there is with FTP and SFTP. TFTP is most commonly used to copy configuration files and operating system images for embedded devices such as routers.

OpenBSD uses TFTP to bootstrap diskless systems, as discussed in Chapter 23.

Specifying a tftpd Directory

OpenBSD’s tftpd(8) serves files from a directory, much like a web server. Traditionally, this directory is /tftpboot, but don’t follow tradition in this case (you don’t want a TFTP user filling your server’s root partition!). If you use /tftpboot on your root partition, make sure that your TFTP clients can’t write to the directory. (You could create a /tftpboot partition.) Normally, I create /var/tftpboot and tell tftpd to use that as its root directory. If your fingers are used to typing /tftpboot, create a symlink.

To enable tftpd, set tftpd_flags in rc.conf.local to the TFTP root directory.

tftpd_flags="/var/tftpboot"

tftpd chroots to the directory you specify, so tftpd cannot access files outside this directory.

tftpd and Files

TFTP uses file permissions as an access control method. Because all files on the TFTP server can be read by anyone who can access the server port, TFTP will let clients read files in its root directory only if they are world-readable. To make them world-readable, do this:

# chmod +r /var/tftpboot/filename

Similarly, tftpd will not allow anyone to upload a file unless a file of that name already exists and is world-writable. This means that anyone who knows a file’s name can overwrite it, so make vital files read-only. If an attacker can’t write files, he can’t fill your hard drive.

To create files via TFTP, so that you can upload files that don’t already exist, run tftpd with the -c option.

tftpd starts as root in order to bind UDP port 69, but it then drops privileges and runs as the unprivileged user _tftpd. Any files tftpd creates will be owned by that user. As a general rule, the files in the TFTP root directory should not be owned by _tftpd, in order to make sure that the server cannot affect the files it serves.
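The permission rules above (served only if world-readable, overwritable by any client if world-writable, and ideally not owned by _tftpd) can be checked with a small audit script. The script below is an added example, not from the book; it assumes a root directory laid out as described (/var/tftpboot by default) and a POSIX find(1).

```shell
#!/bin/sh
# Audit a tftpd root directory for the three permission conditions the text
# describes. Findings go to stderr, the total count to stdout.

# report_findings LABEL NEWLINE-SEPARATED-PATHS
# Prints one line per path to stderr and the number of paths to stdout.
report_findings() {
    if [ -z "$2" ]; then
        echo 0
        return 0
    fi
    echo "$2" | while IFS= read -r f; do
        printf '%s: %s\n' "$1" "$f" >&2
    done
    echo "$2" | wc -l | tr -d ' '
}

# tftp_audit DIR [OWNER]   (OWNER defaults to the daemon user, _tftpd)
tftp_audit() {
    dir="$1"
    owner="${2:-_tftpd}"

    # Not world-readable: tftpd will refuse to serve these at all.
    unreadable=$(find "$dir" -type f ! -perm -004)
    # World-writable: anyone who knows the name can overwrite the file.
    writable=$(find "$dir" -type f -perm -002)
    # Owned by the daemon user: the server could alter what it serves.
    # find -user errors out if the account does not exist, so check first.
    daemon_owned=""
    if id "$owner" >/dev/null 2>&1; then
        daemon_owned=$(find "$dir" -type f -user "$owner")
    fi

    a=$(report_findings "not world-readable (will not be served)" "$unreadable")
    b=$(report_findings "world-writable (any client can overwrite)" "$writable")
    c=$(report_findings "owned by $owner (daemon can modify it)" "$daemon_owned")
    echo $((a + b + c))
}

# Usage, assuming the directory from the text:
#   tftp_audit /var/tftpboot
```

A count of 0 means every file is world-readable, read-only to clients, and owned by someone other than the daemon user.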

tftpd Logging

You should log your TFTP transfers. Use the -v flag to send the transaction log to syslogd.

tftpd_flags="-v /var/tftpboot"

tftpd logs through the FTP syslog facility, and its messages end up in /var/log/daemon.

Testing the TFTP Server

Use tftp(1) to test your TFTP server.

$ tftp caddis
tftp> get testboot.iso
Received 20879569 bytes in 10.4 seconds

You won’t see any friendly hash marks as you download the file, and you can’t change to another directory or list the contents of the TFTP server. Once the test is complete, use quit to end your TFTP session.

After you have a TFTP client and server set up, you’ll be ready to serve diskless OpenBSD machines, router operating system images, or anything else you need.
