1. Overview

In this tutorial, we’ll look at the TFTP server. Firstly, we’ll briefly look at the protocol followed by how to install it. Following that, we’ll learn how to configure it and finally test our configurations.

2. About TFTP Server and Installation

The Trivial File Transfer Protocol (TFTP) is a protocol that allows users to transfer files to and from a remote machine. In some systems, it’s present by default, while in others we must install it. In this example, we’ll install the tftp-hpa server (tftpd), which is packaged as tftpd-hpa.

Similar to FTP, we use get and put to download from a remote server and upload to the remote server respectively.

Let’s run the following commands to install it:

$ sudo apt update
$ sudo apt-get install tftpd-hpa

After the installation is complete, let’s verify the server is running and has been successfully installed:

$ sudo systemctl status tftpd-hpa.service
● tftpd-hpa.service - LSB: HPA's tftp server
     Loaded: loaded (/etc/init.d/tftpd-hpa; generated)
     Active: active (running) since Fri 2023-11-24 15:49:20 CET; 36min ago
       Docs: man:systemd-sysv-generator(8)
    Process: 734 ExecStart=/etc/init.d/tftpd-hpa start (code=exited, status=0/S>
      Tasks: 1 (limit: 2261)
     Memory: 780.0K
        CPU: 21ms
     CGroup: /system.slice/tftpd-hpa.service
             └─789 /usr/sbin/in.tftpd --listen --user tftp --address 0.0.0.0:69>

Otherwise, if the service is in a dead state, let’s activate it:

$ sudo systemctl start tftpd-hpa

Optionally, we can enable the server to automatically start at boot time:

$ sudo systemctl enable tftpd-hpa

During installation, we must ensure we’ve specified the right package. This is because we need to use tftp-hpa which is an enhanced version of tftp.

We must note that the TFTP protocol has no authentication or security provisions. Therefore, the remote server should implement some kind of access control or firewall. These access restrictions are server-specific and vary according to needs.

3. Configuring TFTP Server

Once installed and running, let’s configure the TFTP server. We’ll customize a few settings and define the directory for file transfers. The default configuration file is /etc/default/tftpd-hpa.

3.1. The Configuration File and Shared Directory

Now, let’s open the default configuration and customize some settings. We’ll change TFTP_DIRECTORY and TFTP_ADDRESS:

$ sudo vi /etc/default/tftpd-hpa 
TFTP_USERNAME="tftp"
TFTP_DIRECTORY="/var/lib/tftpboot"
TFTP_ADDRESS="0.0.0.0:69"
TFTP_OPTIONS="--secure"

In the default configuration file, we can see the following options:

  • TFTP_USERNAME which shows the user which TFTP uses to run
  • TFTP_DIRECTORY which is set to /srv/tftp by default. We need to change this to a custom location of our choice. For this tutorial, we’ll use /var/lib/tftpboot.
  • TFTP_ADDRESS is set to ‘:69’. We’ve changed it to 0.0.0.0:69. The preceding zeros show that the server accepts connections from any client through port 69.
  • TFTP_OPTIONS allows us to set specific parameters for the TFTP server. For example, here we’ve set --secure.

TFTP_OPTIONS controls various aspects of the TFTP server’s behavior, such as timeout and security settings, block size, transfer size limits, or other parameters related to file transfer operations. Apart from -s (--secure), other flags we can specify are -c (--create), -a (--address), -u (--user), etc. If we don’t specify the -c flag, clients connected to the server won’t be able to upload new files to it.

Apart from the initial configurations, let’s create our shared directory and set the necessary permissions that enable users to access it.

Additionally, we must ensure the server is configured to point to this directory, since it’s where the files and directories that users request are stored.

Now, let’s create /var/lib/tftpboot:

$ sudo mkdir /var/lib/tftpboot

Next, let’s set the necessary permissions on this directory:

$ sudo chmod -R 777 /var/lib/tftpboot
$ sudo chown -R nobody:nogroup /var/lib/tftpboot

We use chmod to set the file mode bits to ‘777’, which means the Owner, Group, and Others all have read, write, and execute permissions (full access). Thus, any user can do anything within that directory. We should customize these permissions according to our needs and threat model.

We use chown to set the directory ownership to the ‘nobody’ user and ‘nogroup’ group.

Lastly, let’s restart the TFTP server to apply all changes:

$ sudo systemctl restart tftpd-hpa

3.2. Testing Our Configurations

Now, let’s test if the TFTP server is working correctly. On our local computer, let’s run:

$ tftp 192.168.0.103 #remote_machine_ip

If the connection is successful, we’ll see a tftp prompt:

tftp>

Next, we can use the commands we saw earlier to test whether our configurations and permissions are working correctly. Let’s begin by checking the status:

$ tftp 192.168.0.103
tftp> status
Connected to 192.168.0.103.
Mode: netascii Verbose: off Tracing: off Literal: off
Rexmt-interval: 5 seconds, Max-timeout: 25 seconds
tftp> 

Then, let’s enable verbose mode:

tftp> verbose
Verbose mode on.
tftp> 

After that, let’s download a file from the server:

tftp> get ip.info
getting from 192.168.0.103:ip.info to ip.info [netascii]
Received 723 bytes in 0.6 seconds [10370 bit/s]
tftp> 

Finally, let’s upload a file from our local machine:

tftp> put ip.rules
putting ip.rules to 192.168.0.103:ip.rules [netascii]
Error code 1: File not found
tftp>

When uploading, we receive the error above. We can correct this by adding the -c (--create) option in the configuration file:

TFTP_USERNAME="tftp"
TFTP_DIRECTORY="/var/lib/tftpboot"
TFTP_ADDRESS="0.0.0.0:69"
TFTP_OPTIONS="--create --secure"

We must restart the tftpd-hpa service after making these changes.

Now, let’s upload again:

tftp> put local.rules
putting local.rules to 192.168.0.103:local.rules [netascii]
Sent 700 bytes in 0.1 seconds [103207 bit/s]
tftp>

When we use the -c option, uploaded files inherit the default permission allowing anyone to read, write, and execute, unless we set the --permissive (-p) or --umask (-U) options. If we use the -p flag, the system ensures that the files only have the permissions assigned to the user through the --user option.

The -U flag sets the umask for newly created files. The default is zero if we haven’t specified the -p option, and it’s inherited if we set the -p flag.
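
As an added example (not part of the original tutorial or of tftpd-hpa), the following script checks a defaults file for the settings discussed in this section: a wildcard TFTP_ADDRESS, a missing --secure, --create without --umask or --permissive, and a world-writable TFTP_DIRECTORY. The function name audit_tftpd and the sample file are constructed for illustration, and the parser assumes one flag per word in TFTP_OPTIONS.

```shell
#!/bin/sh
# Added example (not part of tftpd-hpa): flag the risky settings this tutorial
# touches in a tftpd-hpa defaults file. audit_tftpd is a hypothetical helper name.
audit_tftpd() {
    conf=$1
    # Extract KEY="value" without sourcing the file, which would execute it.
    val() { sed -n "s/^$1=//p" "$conf" | tail -n 1 | tr -d '"'; }
    addr=$(val TFTP_ADDRESS); dir=$(val TFTP_DIRECTORY); opts=$(val TFTP_OPTIONS)
    secure=0; create=0; masked=0
    # Assumes one flag per word; combined short flags such as -cs are not parsed.
    for o in $opts; do
        case $o in
            --secure|-s) secure=1 ;;
            --create|-c) create=1 ;;
            --umask|-U|--permissive|-p) masked=1 ;;
        esac
    done
    case $addr in
        0.0.0.0:*|:*|'[::]:'*)
            echo "WARN address $addr: listening on every interface; bind one address or firewall UDP 69" ;;
    esac
    [ "$secure" -eq 1 ] || echo "WARN options: --secure missing; the daemon does not chroot into $dir"
    if [ "$create" -eq 1 ] && [ "$masked" -eq 0 ]; then
        echo "WARN options: --create without --umask or --permissive; uploads get default permissions"
    fi
    # find -prune tests only the directory itself; -perm -0002 means world-writable.
    if [ -d "$dir" ] && [ -n "$(find "$dir" -prune -perm -0002)" ]; then
        echo "WARN directory $dir: world-writable"
    fi
    return 0
}

# Constructed sample: the tutorial's final configuration, pointed at a scratch directory.
demo=$(mktemp -d)
mkdir "$demo/tftpboot" && chmod 777 "$demo/tftpboot"
cat > "$demo/tftpd-hpa" <<EOF
TFTP_USERNAME="tftp"
TFTP_DIRECTORY="$demo/tftpboot"
TFTP_ADDRESS="0.0.0.0:69"
TFTP_OPTIONS="--create --secure"
EOF
audit_tftpd "$demo/tftpd-hpa"
rm -rf "$demo"
```

On a real server, we would run audit_tftpd /etc/default/tftpd-hpa; an empty result means none of the four conditions matched.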

4. Conclusion

In this article, we looked at the TFTP server. We discussed how to install and configure it. We must ensure we install the right package (tftp-hpa) and not the old one (tftp). Further, we saw some of the commands we use to transfer files to and from a remote server.

Finally, we learned that we must set the right permissions on the shared directory. Depending on our requirements, we should customize the permissions without compromising the security of our systems. We should use firewalls to ensure the server is used only for its intended purpose.
