tftp-hpa – BSD derived TFTP Server

Last Updated on 2019-02-22 by Sture

Description

tftp-hpa is portable, BSD derived tftp server. It supports advanced options such as blksize, blksize2, tsize, timeout, and utimeout. It also supported rule-based security options.

Requirements

The following application(s) must be installed, configured and running before tftp-hpa is installed:

• None

Preparation for Installation

Start PuTTY on a Windows PC, Terminal on a Mac or similar terminal application on a Linux PC.

In this example Terminal on a Mac is used.

Open a remote SSH session to the server with:

Mac:~ user$ ssh user@192.168.1.4 [enter]

N.B.: Replace user@192.168.1.4 with User ID and IP Address on Your server!

[user@server ~]$

Enable superuser privileges with:

[user@server ~]$ sudo -s [enter]
Password: <-- passwd [enter]
[root@server /usr/home/user]#

N.B.: Enter user password, not the root password!

Installation

Search for tftp in the remote package repositories with:

[root@server /usr/home/user]# pkg search tftp  [enter]
atftp-0.7_3                    Advanced tftp server and client
nagios-check_tftp-1.0.1        Nagios plugin to check tftp servers
p5-TFTP-1.0                    TFTP client in Perl as described in RFC783
py27-tftpy-0.6.2               Pure Python TFTP Implementation
tftp-hpa-5.2                   Advanced tftp server
tftpgrab-0.2                   TFTP stream extractor
utftpd-0.2.4_2                 secure tftpd server with fine grained access and revision control
[root@server /usr/home/user]##

In this example, tftp-hpa will be installed.

Install port tftp-hpa with;

[root@server /usr/home/user]# pkg install tftp-hpa [enter]
Updating FreeBSD repository catalogue...
FreeBSD repository is up-to-date.
All repositories are up-to-date.
The following 1 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
	tftp-hpa: 5.2

Number of packages to be installed: 1

38 KiB to be downloaded.

Proceed with this action? [y/N]: y [enter]
Fetching tftp-hpa-5.2.txz: 100%   38 KiB  39.3kB/s    00:01    
Checking integrity... done (0 conflicting)
[1/1] Installing tftp-hpa-5.2...
[1/1] Extracting tftp-hpa-5.2: 100%
[root@server /usr/home/user]#

Configuration

packet filter (pf)

Access to the tftpd service must be enabled in the packet filter (pf) configuration file.

Start editing file /etc/pf.conf with:

[root@server /usr/home/user]# ee /etc/pf.conf [enter]

…and add port information to enable access to the TFTP service from clients on the local network as in this example:

...
# Ports:
#  53 TCP UDP   Domain Name System (DNS)
#  67 TCP UDP	Bootstrap Protocol (BOOTP) server
#  69 TCP UDP   Trivial File Transfer Protocol (TFTP)
# 123 TCP       Network Time Protocol
...
tcp_pass="{ 53,  67, 69, 123 }"
udp_pass="{ 53,  67, 69, }"
...
# Pass specified tcp traffic in to this server from LAN clients
pass in on $lan_if proto tcp from $lan_if:network to $lan_if port $tcp_pass

# Pass specified udp  traffic in to this server from LAN clients
pass in on $lan_if proto udp from $lan_if:network to $lan_if port $udp_pass

# Pass SSH traffic from LAN clients (for Admin)
pass in on $lan_if proto tcp from $lan_if:network to $lan_if port ssh
...

Check /etc/pf.conf for errors, but do not load ruleset with:

[root@server /usr/home/user]# pfctl -vvnf /etc/pf.conf [enter]

…and then reload /etc/pf.conf with:

[root@server /usr/home/user]# service pf reload [enter]
Reloading pf rules.
[root@server /usr/home/user]#

/tftpboot Directory

List current ZFS pool information with:

[root@server /usr/home/user]# zpool list [enter]
NAME    SIZE  ALLOC   FREE  EXPANDSZ   FRAG    CAP  DEDUP  HEALTH  ALTROOT
zroot  5,44T   254G  5,19T         -     2%     4%  1.00x  ONLINE  -
[root@server /usr/home/user]#

In this example, zroot pool was found.

Creates a dataset where the tftpboot files will be stored with:

[root@server /usr/home/user]# zfs create -o compression=lz4 -o mountpoint=/tftpboot zroot/tftpboot [enter]
[root@server /usr/home/user]#

[root@server /usr/home/user]# chown tftpd:tftpd /tftpboot [enter]
[root@server /usr/home/user]#

[root@server /usr/home/user]# chmod u=rwx,g=rx,o= /tftpboot [enter]
[root@server /usr/home/user]#

tftpd User

Create a separate user tftpd with group tftpd, no login shell and the home directory set to /nonexistent for running tftpd with:

Add a separate user group tftpd for running the tftpd service with:

[root@server /usr/home/user]# pw groupadd tftpd  [enter]
[root@server /usr/home/user]#

Add a separate user tftpd in group tftpd, no login shell and the home directory set to /nonexistent for running the tftpd service with:

[root@server /usr/home/user]# pw useradd tftpd -c tftp_manager -d /nonexistent -g tftpd -s /usr/sbin/nologin [enter]
[root@server /usr/home/user]#

[root@server /usr/home/user]# vipw [enter]
...
tftpd:*:4004:4003::0:0:tftp_manager:/nonexistent:/usr/sbin/nologin
...
[root@server /usr/home/user]#

Enable tftpd Service

List installed tftpd services with:

[root@server /usr/home/user]# service -r | grep tftpd [enter]
/usr/local/etc/rc.d/tftpd
[root@server /usr/home/user]#

Find the rcvar for /etc/rc.conf with:

[root@server /usr/home/user]# /usr/local/etc/rc.d/tftpd rcvar [enter]
# tftpd
#
tftpd_enable="NO"
#   (default: "")

[root@server /usr/home/user]#

To start tftpd at system boot, add information to /etc/rc.conf with this commands:

[root@server /usr/home/user]# echo '' >> /etc/rc.conf; echo '# tftpd-hpa' >> /etc/rc.conf; echo 'tftpd_enable="YES"' >> /etc/rc.conf; echo 'tftpd_flags="--ipv4 --secure --create --user tftpd --umask 027 --permissive --address 0.0.0.0:69 /tftpboot"' >> /etc/rc.conf [enter]
[root@server /usr/home/user]#

Optional: Add –blocksize 1468 to the tftpd_flags may improve the performance on some systems.

Display full list of tftpd options with:

[root@server /usr/home/user]# man in.tftpd [enter]

Start

Manually start tftpd with:

[root@server /usr/home/user]# service tftpd start [enter]
Starting tftpd.
[root@server /usr/home/user]#

Verify and Test

Check whether the tftpd service daemon is running:

[root@server /usr/home/user]# ps -x | grep tftp | grep -v grep [enter]
 2970  -  Is       0:00,00 /usr/local/libexec/in.tftpd --ipv4 --secure --create --user tftpd --umask 027 --permissive --address 0.0.0.0:69 /tftpboot -P /var/run/tftpd.pid -l
[root@server /usr/home/user]#

You should now have an operational TFTP server. Since your FreeBSD system also has a TFTP client, you can test that the server is running.

First, tftp to the address of your TFTP server as a regular user. Here, we will use the tftp client from the same computer, that is the TFTP server.

Connect to the TFTP service on the local host with:

[root@server /usr/home/user]# tftp localhost [enter]

If the server responds, your prompt will change to:

tftp>

If you type ?, you’ll get a list of command that the tftp client supports:

tftp> ? [enter]
Commands may be abbreviated.  Commands are:

connect 	connect to remote tftp
mode    	set file transfer mode
put     	send file
get     	receive file
quit    	exit tftp
verbose 	toggle verbose mode
status  	show current status
binary  	set mode to octet
ascii   	set mode to netascii
rexmt   	set per-packet retransmission timeout[-]
timeout 	set total retransmission timeout
trace   	enable 'debug packet'[-]
debug   	enable verbose output
blocksize	set blocksize[*]
blocksize2	set blocksize as a power of 2[**]
rollover	rollover after 64K packets[**]
options 	enable or disable RFC2347 style options
help    	print help information
packetdrop	artificial packetloss feature
?       	print help information

[-] : You shouldn't use these ones anymore.
[*] : RFC2347 options support required.
[**] : Non-standard RFC2347 option.
tftp>

Exit the tftp client with:

tftp> q [enter]
[root@server /usr/home/user]#