
Set up a TFTP server for easy network boots and firmware upgrades


Although the occasion may be rare, there can come a time when you need to set up and use a Trivial FTP (or TFTP) server. TFTP is not like regular FTP; there is no authentication, there are no passwords, and it has far fewer features, so it is not a replacement for FTP. If TFTP is so horrible, why use it? Some devices, notably routers and certain high-end switches, make use of TFTP in order to upgrade firmware. TFTP is also extremely useful for network booting. As a result, while TFTP is not as widely used as FTP, it is still very useful. The lack of authentication, the ability to broadcast a TFTP server IP address via DHCP, and other simplistic features make it super easy to use. Simply point the end device to the IP address of the TFTP server, and firmware upgrades or net boots are made simple.

Most Linux distributions have a TFTP server available via package selection, typically the tftp-hpa package, which is distributed at ftp://ftp.kernel.org/pub/software/network/tftp/. If the package is available for install from your vendor, installation is quite straightforward. If not, download and compile the package; there is very little to be done beyond the typical "configure" and "make; make install."

With tftp-hpa, some steps have been taken to increase the security of this insecure protocol. You can tell the daemon, in.tftpd, to chroot to the directory that will be used to serve files and also to drop privileges. To take advantage of this, create a special user named tftpd that has a home directory of the TFTP base directory, perhaps /var/lib/tftpboot. Then call in.tftpd thus:

/usr/sbin/in.tftpd -u tftpd -s /var/lib/tftpboot

If you installed via an RPM or DEB package, there will most likely be an init script available. Typically, in.tftpd is called via a super-server like inetd or xinetd. For instance, a configuration stanza for inetd would be:

tftp dgram udp wait root /usr/sbin/in.tftpd in.tftpd -u tftpd -s /var/lib/tftpboot

For xinetd, you may use:

service tftp
{
    socket_type = dgram
    protocol    = udp
    wait        = yes
    user        = root
    server      = /usr/sbin/in.tftpd
    server_args = -u tftpd -s /var/lib/tftpboot
}
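
To confirm that a super-server entry really passes the chroot and privilege-drop options described above, the following added example (not part of the original article or of tftp-hpa) parses inetd and xinetd text and reports entries that lack `-s` or `-u`. The function names and the weakened sample line are constructed for illustration.

```python
import re

def tftpd_invocations(config_text):
    """Return the in.tftpd argument list of every tftp entry (inetd or xinetd)."""
    found = []
    # xinetd form: service tftp { key = value ... }
    for body in re.findall(r"service\s+tftp\s*\{(.*?)\}", config_text, re.S):
        fields = {}
        for line in body.splitlines():
            if "=" in line:
                key, value = line.split("=", 1)
                fields[key.strip()] = value.strip()
        if fields.get("server", "").endswith("in.tftpd"):
            found.append(fields.get("server_args", "").split())
    # inetd form: name type proto wait user server argv0 [args...]
    for line in config_text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 7 and parts[0] == "tftp" and parts[5].endswith("in.tftpd"):
            found.append(parts[7:])
    return found

def audit(args):
    """Compare one argument list with the article's '-u tftpd -s <dir>' call."""
    findings = []
    user = args[args.index("-u") + 1] if "-u" in args[:-1] else None
    if "-s" not in args:
        findings.append("no -s: in.tftpd is not told to chroot to the served directory")
    if user is None:
        findings.append("no -u: no dedicated account such as tftpd is named")
    elif user == "root":
        findings.append("-u root: the daemon keeps root privileges")
    return findings

# Constructed sample input: the article's xinetd stanza and a weakened inetd line.
HARDENED = """service tftp
{
    socket_type = dgram
    protocol    = udp
    wait        = yes
    user        = root
    server      = /usr/sbin/in.tftpd
    server_args = -u tftpd -s /var/lib/tftpboot
}"""
WEAK = "tftp dgram udp wait root /usr/sbin/in.tftpd in.tftpd /var/lib/tftpboot"

if __name__ == "__main__":
    for text in (HARDENED, WEAK):
        for args in tftpd_invocations(text):
            print(" ".join(args), "->", audit(args) or "matches the article")
```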

The tftp-hpa package also comes with a tftp client that can be used to test the server. To test that everything is working properly, start (or restart) xinetd or inetd, create a test file, and use the tftp client to obtain the file:

# dd if=/dev/zero of=/var/lib/tftpboot/foo bs=1024 count=100
100+0 records in
100+0 records out
102400 bytes (102 kB) copied, 0.00041193 s, 249 MB/s
# tftp -v localhost -c get foo
Connected to localhost (127.0.0.1), port 69
getting from localhost:foo to foo [netascii]
Received 102400 bytes in 0.1 seconds [11872463 bit/s]
# ls -l foo
-rw-r--r-- 1 root root 102400 2008-01-06 17:05 foo

You can now use the TFTP server to provide boot images for PXE booting or firmware images for routers or other devices that can obtain firmware updates via TFTP.


About

Vincent Danen works on the Red Hat Security Response Team and lives in Canada. He has been writing about and developing on Linux for over 10 years and is a veteran Mac user.
