Improving the Security of TFTP



As mentioned in section 9.2.3, TFTP is a UDP-based file transfer program that provides no security. The TFTP program is allowed to transfer a set of files to any system on the Internet that asks for them. TFTP is often used to allow diskless hosts to boot from the network. Because TFTP lacks security, tftp is usually limited to transferring files only to or from a certain directory. Early versions of tftp did not impose file transfer restrictions. In particular, versions of SunOS prior to release 4.0 did not restrict file transfer from tftp.

The following procedure can be used to test a system's version of tftp for security problems [GS91]:

tftp localhost
tftp> get /etc/passwd tmp
Error code 1: File not found
tftp> quit

If tftp either hangs with no message or does not respond with "File not found" and instead transfers the file, tftp should be replaced with a current version.
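
The same check can be scripted for auditing one's own hosts. The following Python sketch is an added example, not part of the original text or of [GS91]; it sends the read request for /etc/passwd and grades the first reply the way the procedure above does. The function names and the OK/REPLACE/REVIEW verdicts are assumptions made for this example; the packet layout and opcodes are those of RFC 1350.

```python
import socket
import struct

OP_RRQ, OP_DATA, OP_ERROR = 1, 3, 5   # RFC 1350 opcodes
ERR_FILE_NOT_FOUND = 1                # RFC 1350 error code 1


def build_rrq(path, mode="octet"):
    """Read request: opcode 1, filename, NUL, transfer mode, NUL."""
    return struct.pack("!H", OP_RRQ) + path.encode() + b"\0" + mode.encode() + b"\0"


def classify_reply(packet):
    """Grade the server's first reply (None means the request timed out)."""
    if packet is None:
        return ("REPLACE", "no reply (tftp hangs with no message)")
    if len(packet) < 4:
        return ("REVIEW", "truncated reply")
    opcode, value = struct.unpack("!HH", packet[:4])
    if opcode == OP_DATA:   # value is the block number; the file is being sent
        return ("REPLACE", "file transferred (%d bytes in block %d)" % (len(packet) - 4, value))
    if opcode == OP_ERROR:  # value is the error code, followed by a NUL-terminated message
        message = packet[4:].split(b"\0", 1)[0].decode("ascii", "replace")
        if value == ERR_FILE_NOT_FOUND:
            return ("OK", "Error code 1: " + message)
        return ("REVIEW", "Error code %d: %s" % (value, message))
    return ("REVIEW", "unexpected opcode %d" % opcode)


def probe(host="localhost", port=69, path="/etc/passwd", timeout=5.0):
    """Send one read request and grade the first datagram that comes back."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_rrq(path), (host, port))
        try:
            reply, _ = sock.recvfrom(516)   # 4-byte header + 512-byte data block
        except socket.timeout:
            reply = None
        except ConnectionError:
            return ("REVIEW", "no TFTP service answered on this port")
    return classify_reply(reply)


if __name__ == "__main__":
    # Constructed sample replies, so the grading can be seen without a server.
    for sample in (b"\x00\x05\x00\x01File not found\x00", b"\x00\x03\x00\x01root:x:0:0:", None):
        print("%s: %s" % classify_reply(sample))
    print("%s: %s" % probe())
```

Only "Error code 1" is graded OK, matching the expected output shown above; any other error reply is reported as REVIEW for a person to interpret.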

John Barkley
Fri Oct 7 16:17:21 EDT 1994