Notes for configuring TFTP server on RHL9

James Leone linuxcpa at netscape.net
Thu May 8 02:33:35 CST 2003


glen.turner at aarnet.edu.au wrote:

>
> These might be of use to people.  If not today, then when someone
> trawls the list archive.

Thank You Glen Turner! :-)

James Leone


>------------------------------------------------------------------------
>
>
>
>              CONFIGURING TFTP SERVER ON RED HAT LINUX 9
>
>
>The configuration of this TFTP server is optimised for recording
>network equipment configuration files (such as those from Cisco
>routers).  The out-of-the-box RHL configuration is optimised for
>serving boot images.
>
>
>INSTALL SOFTWARE
>
>Install TFTP server (in.tftpd)
>
>  # rpm -ivh tftp-server-0.32-4.i386.rpm
>
>Install TFTP client (tftp).  Not really needed but useful for testing.
>
>  # rpm -ivh tftp-0.32-4.i386.rpm
>
>
>CONFIGURE TCP WRAPPER
>
>Configure TCP Wrapper so that TFTP access can only occur from router
>administrative VLAN (in our case this has addresses in 10.255.0.0/16).
>
>  Alter /etc/hosts.deny
>    ALL: ALL
>
>  Alter /etc/hosts.allow
>    # Anything from IPv4 or IPv6 localhost
>    ALL: 127.0.0.0/255.0.0.0
>    ALL: [::1]/128
>
>    # TFTP from routers
>    in.tftpd: 10.255.0.0/255.255.0.0
>
>
>MODIFY CONFIGURATION TO ALLOW EASY FILE CREATION
>
>By default files must be manually created before they can be written
>to using TFTP, for example
>
>  # cd /tftpboot
>  # (umask 111; touch example.txt)
>
>whereas we wish to be able to remotely create files.
>
>  Alter /etc/xinetd.d/tftp
>    server_args = -s /tftpboot -c -p -u tftp -U 117 -v
>
>The umask 117 prevents users not in the "tftp" group from reading
>remotely created files.  Since router configurations contain passwords
>this is advisable.  Nothing prevents other routers (or even a Linux
>box with an interface in the router administrative VLAN) from remotely
>accessing the files, so it's not fantastic security.
>
>
>CREATE TFTP USER
>
> [ This is for a local user.  It's better if the TFTP user and group
>   are created in NIS+, LDAP or whatever so that UIDs/GIDs are
>   consistent across machines.  This is particularly as the "tftp" user
>   will own files and we want to move them between machines (by NFS or
>   tape) correctly. ]
>
>  # groupadd -r tftp
>  # grep tftp /etc/group
>
>Note the created GID.  With luck this will be free to be used as
>the UID, in our case 101.
>
>  # useradd -r -c 'Trivial file transfer' -d /tftpboot -g tftp -s /sbin/nologin -u 101 tftp
>
>
>PLACE USERS THAT CAN LOCALLY WRITE TFTP FILES INTO TFTP GROUP
>
>  Alter /etc/group  [or NIS+, or LDAP, ...]
>    tftp:x:101:root,example
>
>Users will need to restart sessions before new group membership is
>visible (use the "id" command to see current group membership).
>
>
>CREATE TFTP DIRECTORY
>
>  # cd /
>  # mkdir /tftpboot
>  # chown tftp:tftp /tftpboot
>  # chmod u=rwx,g=rwxs,o= /tftpboot
>
>
>LOAD NEW XINETD CONFIGURATION
>
>To make a configuration change come into effect
>
>  # killall in.tftpd
>  # /sbin/service xinetd reload
>
>
>TEST
>
>From another machine with a TFTP client
>
>  $ cd /etc
>  $ tftp exampleserver
>  tftp> ascii
>  tftp> put /etc/issue
>  Sent 56 bytes in 0.0 seconds
>  tftp> quit
>
>Examine the created file on the TFTP server
>
>  $ ls -l /tftpboot/issue
>  -rw-rw----  1  tftp tftp  53  Jan 1 01:23  /tftpboot/issue
>
>
>
>Glen Turner, AARNet
>2003-05-07
>  
>

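The access decision the hosts.allow / hosts.deny pair above produces, and the file mode the "-U 117" umask gives remotely created files, are easy to get wrong when the rules are edited later. The following is an added example (not code from Glen Turner's notes or from the tftp-hpa/tcp_wrappers projects) that models the hosts_access(5) evaluation order (first match in hosts.allow grants, then first match in hosts.deny refuses, otherwise access is granted) for the pattern forms the notes use: ALL, IPv4 net/mask, IPv6 [net]/prefixlen and a trailing-dot prefix. Hostname patterns and the other hosts_access extensions are deliberately not modelled; the file contents are copied from the notes and the client addresses are constructed for the demonstration.

```python
"""Model of the TCP Wrapper decision for the hosts.allow/hosts.deny pair used
in the TFTP notes (added example, not the notes' own code).  Only the pattern
forms those files use are implemented: ALL, IPv4 net/mask, IPv6 [net]/prefix
and a trailing-dot prefix such as "10.255.".  Hostnames are not handled."""
import ipaddress

# Constructed copies of the two files from the notes.
HOSTS_DENY = "ALL: ALL\n"
HOSTS_ALLOW = """\
# Anything from IPv4 or IPv6 localhost
ALL: 127.0.0.0/255.0.0.0
ALL: [::1]/128

# TFTP from routers
in.tftpd: 10.255.0.0/255.255.0.0
"""


def parse_rules(text):
    """Return [(daemon_patterns, client_patterns)] in file order.

    The first ':' separates the daemon list from the client list; daemon
    names never contain ':', so IPv6 client patterns survive the split.
    """
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        daemons, clients = line.split(":", 1)
        rules.append(([d.strip() for d in daemons.split(",")],
                      [c.strip() for c in clients.split(",")]))
    return rules


def client_matches(pattern, client):
    """Does one client pattern match the client IP address string?"""
    addr = ipaddress.ip_address(client)
    if pattern == "ALL":
        return True
    if pattern.startswith("["):            # IPv6 form: [net]/prefixlen
        net, _, plen = pattern[1:].partition("]/")
        return (addr.version == 6 and
                addr in ipaddress.ip_network(f"{net}/{plen}", strict=False))
    if "/" in pattern:                     # IPv4 form: net/dotted-mask
        net, mask = pattern.split("/", 1)
        return (addr.version == 4 and
                addr in ipaddress.ip_network(f"{net}/{mask}", strict=False))
    if pattern.endswith("."):              # leading-octets form, e.g. "10.255."
        return client.startswith(pattern)
    return False                           # hostnames etc. are not modelled


def daemon_matches(pattern, daemon):
    return pattern == "ALL" or pattern == daemon


def hosts_access(daemon, client, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """hosts_access(5) order: hosts.allow is consulted first and a match
    grants access; then hosts.deny, where a match refuses; no match in
    either file grants access.  Returns True when access is granted."""
    for rules, verdict in ((parse_rules(allow), True),
                           (parse_rules(deny), False)):
        for daemons, clients in rules:
            if (any(daemon_matches(d, daemon) for d in daemons) and
                    any(client_matches(c, client) for c in clients)):
                return verdict
    return True


def created_file_mode(umask):
    """Mode of a file in.tftpd creates with -c under the given -U umask.
    The file is created with 0666 and the umask removed, so -U 117 gives
    0660 (-rw-rw----), which is what the notes' ls -l output shows."""
    return 0o666 & ~umask


if __name__ == "__main__":
    for daemon, client in (("in.tftpd", "10.255.3.4"), ("in.tftpd", "10.1.2.3"),
                           ("sshd", "10.255.3.4"), ("sshd", "127.0.0.1"),
                           ("in.tftpd", "::1")):
        print(f"{daemon:9s} from {client:12s} ->",
              "allow" if hosts_access(daemon, client) else "deny")
    print(f"-U 117 creates files with mode {created_file_mode(0o117):04o}")
```

Run it after any change to hosts.allow to confirm that only in.tftpd is reachable from the 10.255.0.0/16 VLAN and that every other daemon still falls through to the "ALL: ALL" refusal in hosts.deny; a rule that accidentally reads "ALL: 10.255.0.0/255.255.0.0" would open every wrapped service to the routers, and this check makes that visible before the server does.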

-- 
LinuxSA WWW: http://www.linuxsa.org.au/ IRC: #linuxsa on irc.freenode.net