1. Overview

In this tutorial, we'll look at the TFTP server. First, we'll briefly look at the protocol, followed by how to install it. After that, we'll learn how to configure it and finally test our configuration.

2. About the TFTP Server and Its Installation

TFTP (Trivial File Transfer Protocol), sometimes also called the small file transfer protocol, is a protocol for transferring files between local and remote computers. Similar to FTP, we use the get and put commands to download files from and upload files to a remote server.

On some systems, TFTP is already installed by default. If it is not, taking Ubuntu as an example, run the following commands to install tftp-hpa (tftpd, the server):

$ sudo apt update
$ sudo apt-get install tftpd-hpa

Check that it was installed successfully and is running:

$ sudo systemctl status tftpd-hpa.service
● tftpd-hpa.service - LSB: HPA's tftp server
     Loaded: loaded (/etc/init.d/tftpd-hpa; generated)
     Active: active (running) since Fri 2023-11-24 15:49:20 CET; 36min ago
       Docs: man:systemd-sysv-generator(8)
    Process: 734 ExecStart=/etc/init.d/tftpd-hpa start (code=exited, status=0/S>
      Tasks: 1 (limit: 2261)
     Memory: 780.0K
        CPU: 21ms
     CGroup: /system.slice/tftpd-hpa.service
             └─789 /usr/sbin/in.tftpd --listen --user tftp --address 0.0.0.0:69>

If it is not running, start it:

$ sudo systemctl start tftpd-hpa

Enable it to start at boot:

$ sudo systemctl enable tftpd-hpa

Be careful not to install the wrong package: what we need is tftp-hpa, which is the enhanced version of tftp.

We must note that there are no authentication or security provisions in the TFTP protocol. Therefore, the remote server should implement some kind of access control or firewall. These access restrictions are server-specific and they do vary according to needs.

3. Configuring the TFTP Server

Once installed and running, let's configure the TFTP server. We'll customize a few settings and define the directory for file transfers. The default configuration file is located at /etc/default/tftpd-hpa.

3.1. The Configuration File and Shared Directory

Now, let’s open the default configuration and customize some settings. We’ll edit TFTP_DIRECTORY and TFTP_ADDRESS and change them:

$ sudo vi /etc/default/tftpd-hpa 
TFTP_USERNAME="tftp"
TFTP_DIRECTORY="/var/lib/tftpboot"
TFTP_ADDRESS="0.0.0.0:69"
TFTP_OPTIONS="--secure"

In the default configuration file, we can see the following options:

  • TFTP_USERNAME shows the user account under which TFTP runs.
  • TFTP_DIRECTORY is set to /srv/tftp by default. We need to change this to a custom location of our choice. For this tutorial, we'll use /var/lib/tftpboot.
  • TFTP_ADDRESS is set to ':69' by default. We've changed it to 0.0.0.0:69. The 0.0.0.0 address means the server listens on all interfaces, accepting connections from any client on port 69.
  • TFTP_OPTIONS allows us to set specific parameters for the TFTP server. For example, here we've set --secure.

TFTP_OPTIONS controls various aspects of the TFTP server's behavior, such as timeout and security settings, block size, transfer size limits, and other parameters related to file transfer operations. Apart from -s (--secure), other flags we can specify include -c (--create), -a (--address) and -u (--user). If we don't specify the -c flag, no client connected to the server will be able to upload a new file to it.

Apart from the initial configuration, let's create our shared directory and set the permissions that enable users to access it.

Additionally, we must ensure that TFTP_DIRECTORY points to the directory from which client requests are served, that is, the files and directories clients are allowed to access.

Now, let's create /var/lib/tftpboot:

$ sudo mkdir /var/lib/tftpboot

Next, let’s set the necessary permissions on this directory:

$ sudo chmod -R 777 /var/lib/tftpboot
$ sudo chown -R nobody:nogroup /var/lib/tftpboot

We use chmod to set the file mode bits to '777', which means the owner, group, and others all have read, write, and execute permissions (full access). Thus, any user can do anything within that directory. We should customize these permissions according to our needs and the threats we face.

We use chown to set the directory ownership to the 'nobody' user and 'nogroup' group.

Lastly, let’s restart the TFTP server to apply all changes:

$ sudo systemctl restart tftpd-hpa

3.2. Testing the Connection

Now, let’s test if the TFTP server is working correctly. On our local computer, let’s run:

$ tftp 192.168.0.103 #remote_machine_ip

If the connection is successful, we’ll see a tftp prompt:

tftp>

Next, we can use the commands we saw earlier to test whether our configuration and permissions are working correctly. Let's begin by checking the status:

$ tftp 192.168.0.103
tftp> status
Connected to 192.168.0.103.
Mode: netascii Verbose: off Tracing: off Literal: off
Rexmt-interval: 5 seconds, Max-timeout: 25 seconds
tftp> 

Then, let’s enable verbose mode:

tftp> verbose
Verbose mode on.
tftp> 

After that, let’s download a file from the server:

tftp> get ip.info
getting from 192.168.0.103:ip.info to ip.info [netascii]
Received 723 bytes in 0.6 seconds [10370 bit/s]
tftp> 

Finally, let’s upload a file from our local machine:

tftp> put ip.rules
putting ip.rules to 192.168.0.103:ip.rules [netascii]
Error code 1: File not found
tftp>

When uploading, we receive the error above. We can correct this by adding the -c option in the configuration file:

TFTP_USERNAME="tftp"
TFTP_DIRECTORY="/var/lib/tftpboot"
TFTP_ADDRESS="0.0.0.0:69"
TFTP_OPTIONS="--create --secure"

We must restart the tftpd-hpa service after making these changes.

Now, let’s upload again:

tftp> put local.rules
putting local.rules to 192.168.0.103:local.rules [netascii]
Sent 700 bytes in 0.1 seconds [103207 bit/s]
tftp>
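The get and put exchanges above, at the packet level, as an added example written for this tutorial (not tftpd-hpa's code): RFC 1350 request, data, ack and error packets, plus a small model of the server's first reply that reproduces the "File not found" error a put receives when --create is absent. The in-memory file dictionary and the create flag are constructed stand-ins for the shared directory and TFTP_OPTIONS.

```python
"""RFC 1350 TFTP packets and a model of the server's first reply (added example,
not tftpd-hpa's code). The `files` dict stands in for the shared directory and
`create` for the --create flag; both are constructed for this illustration."""
import struct

RRQ, WRQ, DATA, ACK, ERROR = 1, 2, 3, 4, 5
BLOCK = 512  # default TFTP block size; a DATA packet shorter than this ends the transfer

def build_request(opcode, filename, mode="netascii"):
    # RRQ/WRQ layout: | opcode (2) | filename | 0 | mode | 0 |
    return struct.pack("!H", opcode) + filename.encode() + b"\0" + mode.encode() + b"\0"

def parse_request(packet):
    opcode = struct.unpack("!H", packet[:2])[0]
    filename, mode, _rest = packet[2:].split(b"\0", 2)
    return opcode, filename.decode(), mode.decode().lower()

def build_data(block, payload):
    return struct.pack("!HH", DATA, block) + payload               # | 3 | block | data |

def build_ack(block):
    return struct.pack("!HH", ACK, block)                          # | 4 | block |

def build_error(code, msg):
    return struct.pack("!HH", ERROR, code) + msg.encode() + b"\0"  # | 5 | code | msg | 0 |

def parse_packet(packet):
    """Decode a server reply into a tuple the client can act on."""
    opcode, field = struct.unpack("!HH", packet[:4])
    if opcode == DATA:
        return DATA, field, packet[4:]
    if opcode == ACK:
        return ACK, field
    if opcode == ERROR:
        return ERROR, field, packet[4:-1].decode()
    raise ValueError("unexpected opcode %d" % opcode)

def serve_request(packet, files, create=False):
    """First reply to a request: DATA block 1 for a readable file, ACK 0 to accept
    an upload, or ERROR 1 when the file is missing (for a put, only when new
    files may not be created, i.e. no --create)."""
    opcode, name, _mode = parse_request(packet)
    if opcode == RRQ:
        return build_data(1, files[name][:BLOCK]) if name in files else build_error(1, "File not found")
    if opcode == WRQ:
        if name not in files and not create:
            return build_error(1, "File not found")  # the reply shown in the put transcript
        return build_ack(0)
    return build_error(4, "Illegal TFTP operation")

if __name__ == "__main__":
    reply = serve_request(build_request(WRQ, "ip.rules"), {}, create=False)
    print(parse_packet(reply))  # (5, 1, 'File not found')
```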

When we use the -c option, uploaded files inherit the default permissions allowing anyone to read, write, and execute them, unless we set the --permissive (-p) or --umask (-U) option. If we use the -p flag, the system ensures that the files only have the permissions assigned to the user specified through the --user option.

The -U flag sets the umask for newly created files. The default is zero if we haven't specified the -p option, and the umask is inherited from the invoking process if we set the -p flag.
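To pull the settings in this section together, here is an added audit script written for this tutorial (not part of tftpd-hpa): it parses the /etc/default/tftpd-hpa format, maps the short flags to their long names, and flags the combinations discussed above (--create without --permissive or --umask, a world-writable shared directory, and a listener on 0.0.0.0 with no protocol-level authentication). The sample file text and the 0o777 directory mode are constructed inputs.

```python
"""Audit a /etc/default/tftpd-hpa file against the points made in this section.
Added example for this tutorial, not tftpd-hpa tooling: the file text and the
directory mode are constructed inputs, not read from a live system."""
import shlex
import stat

# Short forms of the tftpd(8) flags discussed above, mapped to their long names.
SHORT = {"-s": "--secure", "-c": "--create", "-p": "--permissive",
         "-U": "--umask", "-a": "--address", "-u": "--user"}

def parse_default_file(text):
    """Parse KEY="value" lines into a dict, honouring shell quoting via shlex."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = " ".join(shlex.split(value))
    return conf

def option_flags(options):
    """Normalise TFTP_OPTIONS tokens to long form: '-c -s' -> {'--create', '--secure'}."""
    return {SHORT.get(tok, tok).split("=", 1)[0] for tok in options.split()}

def audit(conf, dir_mode):
    """Return human-readable findings for a parsed file and the shared directory's mode."""
    flags = option_flags(conf.get("TFTP_OPTIONS", ""))
    findings = []
    if "--secure" not in flags:
        findings.append("missing --secure: tftpd does not chroot into TFTP_DIRECTORY")
    if "--create" in flags and not flags & {"--permissive", "--umask"}:
        findings.append("--create without --permissive/--umask: uploaded files are world-writable")
    if dir_mode & stat.S_IWOTH:
        findings.append("TFTP_DIRECTORY is world-writable (mode %o)" % (dir_mode & 0o777))
    if conf.get("TFTP_ADDRESS", "").startswith("0.0.0.0:"):
        findings.append("listening on every interface with no TFTP authentication: firewall UDP/69")
    return findings

# Constructed sample: the upload-enabled configuration above with the 777 directory.
SAMPLE = '''TFTP_USERNAME="tftp"
TFTP_DIRECTORY="/var/lib/tftpboot"
TFTP_ADDRESS="0.0.0.0:69"
TFTP_OPTIONS="--create --secure"
'''

if __name__ == "__main__":
    for finding in audit(parse_default_file(SAMPLE), 0o777):
        print("WARN:", finding)
```

Run it against the real file with `audit(parse_default_file(open("/etc/default/tftpd-hpa").read()), os.stat(path).st_mode)` to check a live server.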

4. Summary

In this article, we looked at the TFTP server. We discussed how to install and configure it. We must ensure we install the right package (tftp-hpa) and not the old one (tftp). Further, we saw some of the commands we use to transfer files to and from a remote server.

Finally, we learned that we must set the right permissions on the shared directory. Depending on our requirements, we should customize the permissions without compromising the security of our systems, and use firewalls to ensure that the server is reachable only for its intended purpose.