jrr@scamp.concert.net (Joe Ragland) (04/03/90)

Archive-name: tas-tftpd/02-Apr-90
Original-posting-by: jrr@scamp.concert.net (Joe Ragland)
Original-subject: Re: tftp,anonymous ftp
Archive-site: ncnoc.concert.net [128.109.193.1]
Archive-directory: dist
Archive-files: tftpd.tar
Reposted-by: emv@math.lsa.umich.edu (Edward Vielmetti)

In article <9004021514.AA26051@world.std.com> bzs@world.std.com (Barry Shein) writes:
>
>>In tftp there is nearly no security. An example: . . .
>
>The case is overstated, at least on Suns you can run tftpd in secure
>mode in which case it chroot's to a specified directory (usually
>/tftpboot tho that's settable in /etc/inetd.conf).
>
>If this is done all they can grab is files under that directory, which
>can usually be kept harmless easily (boot binaries, some people keep
>files needed by X terminals which use tftp there.)
>
>Of course, keeping easy-to-find passwords or using shadow password
>facilities out of your system has its advantages also. I would guess a
>lot of break-ins (particularly ones that go undetected) are "inside
>jobs".
>
>        -Barry Shein

For what it is worth, a modified version of the Berkeley tftpd, which solves a lot of these security problems, is available via 'anonymous' ftp from ncnoc.concert.net as file ~ftp/dist/tftpd.tar. This version further restricts tftp to a list of hosts.

From the README file for this distribution:

This directory contains a version of the Trivial File Transfer Protocol daemon, tftpd. It is based on a version from Berkeley that is copyrighted but freely distributable under the copyright rules. I have modified the program to provide options to restrict tftp access to a directory tree via chroot and/or by a list of hosts allowed access. These restrictions are in addition to the standard tftp access restrictions. My changes are public domain, so this package is freely distributable under the Berkeley copyright rules.

My changes are intended to compile and run under a variety of 4.2 BSD and 4.3 BSD based UNIX systems, but I have only tested them on systems using the 4.3 BSD syslog facility and multiple-address hostent structure. Please let me know of problems with this code on other systems.

Tim Seaver
MCNC
tas@mcnc.org

Joe Ragland
CONCERT Network
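As an added illustration of the two restrictions the README describes (a chroot jail for the served tree and a per-host allow list), here is a small C sketch that is not part of the tftpd distribution or of either poster's code; the allow-list entries are constructed sample values in documentation address ranges, and confine_to assumes it is called as root before the daemon serves its first request.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <unistd.h>

/* One allow-list entry: dotted IPv4 network plus prefix length. */
struct allowed { const char *net; int prefix; };

/* Constructed sample list (documentation ranges, not real hosts):
   a subnet of X terminals plus one boot server. */
const struct allowed ALLOWED[] = {
    { "192.0.2.0",    24 },
    { "198.51.100.7", 32 },
};
const size_t ALLOWED_COUNT = sizeof ALLOWED / sizeof ALLOWED[0];

/* Return 1 if the request's source address lies inside any entry, else 0.
   Default deny: an unparsable peer, a malformed entry or an empty list
   never grants access. */
int peer_allowed(const char *peer, const struct allowed *list, size_t n)
{
    struct in_addr p, a;
    if (inet_pton(AF_INET, peer, &p) != 1)
        return 0;
    for (size_t i = 0; i < n; i++) {
        if (list[i].prefix < 0 || list[i].prefix > 32 ||
            inet_pton(AF_INET, list[i].net, &a) != 1)
            continue;
        uint32_t mask = list[i].prefix == 0
                      ? 0 : htonl(0xffffffffu << (32 - list[i].prefix));
        if ((p.s_addr & mask) == (a.s_addr & mask))
            return 1;
    }
    return 0;
}

/* Secure mode in one call: confine the process to `dir` so any path a
   client names resolves inside the boot tree. The chdir after chroot is
   required; without it the working directory still points outside the
   new root. Needs root; returns 0 on success, -1 on failure. */
int confine_to(const char *dir)
{
    if (chroot(dir) != 0) { perror("chroot"); return -1; }
    if (chdir("/") != 0)  { perror("chdir");  return -1; }
    return 0;
}
```

The host check runs per request on the UDP source address, so it only narrows exposure; it does not authenticate the client, which is why the README pairs it with the chroot rather than offering it alone.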