TFTP, or Trivial File Transfer Protocol, allows users to transfer files between systems using the UDP protocol. By default, it uses UDP port 69. The TFTP protocol is extensively used to support remote booting of diskless devices. So, setting up a TFTP server on your own local network can be an interesting way to do Fedora installations, or other diskless operations.
TFTP can only read and write files to or from a remote system. It doesn’t have the capability to list files or make any changes on the remote server. There are also no provisions for user authentication. Because of security implications and the lack of advanced features, TFTP is generally only used on a local area network (LAN).
TFTP server installation
The first thing you will need to do is install the TFTP client and server packages:
dnf install tftp-server tftp -y
This creates a tftp service and socket file for systemd under /usr/lib/systemd/system.
/usr/lib/systemd/system/tftp.service
/usr/lib/systemd/system/tftp.socket
Next, copy and rename these files to /etc/systemd/system:
cp /usr/lib/systemd/system/tftp.service /etc/systemd/system/tftp-server.service
cp /usr/lib/systemd/system/tftp.socket /etc/systemd/system/tftp-server.socket
Making local changes
You need to edit these files from the new location after you’ve copied and renamed them, to add some additional parameters. Here is what the tftp-server.service file initially looks like:
[Unit]
Description=Tftp Server
Requires=tftp.socket
Documentation=man:in.tftpd

[Service]
ExecStart=/usr/sbin/in.tftpd -s /var/lib/tftpboot
StandardInput=socket

[Install]
Also=tftp.socket
Make the following changes to the [Unit] section:
Requires=tftp-server.socket
Make the following changes to the ExecStart line:
ExecStart=/usr/sbin/in.tftpd -c -p -s /var/lib/tftpboot
Here are what the options mean:
- The -c option allows new files to be created.
- The -p option is used to have no additional permissions checks performed above the normal system-provided access controls.
- The -s option is recommended for security as well as for compatibility with some boot ROMs that cannot easily be made to include a directory name in their request.
The default upload/download location for transferring the files is /var/lib/tftpboot.
Next, make the following changes to the [Install] section:
[Install]
WantedBy=multi-user.target
Also=tftp-server.socket
Don’t forget to save your changes!
Here is the completed /etc/systemd/system/tftp-server.service file:
[Unit]
Description=Tftp Server
Requires=tftp-server.socket
Documentation=man:in.tftpd

[Service]
ExecStart=/usr/sbin/in.tftpd -c -p -s /var/lib/tftpboot
StandardInput=socket

[Install]
WantedBy=multi-user.target
Also=tftp-server.socket
Starting the TFTP server
Reload the systemd daemon:
systemctl daemon-reload
Now start and enable the server:
systemctl enable --now tftp-server
To change the permissions of the TFTP server to allow upload and download functionality, use this command. Note TFTP is an inherently insecure protocol, so this may not be advised on a network you share with other people.
chmod 777 /var/lib/tftpboot
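Before opening the directory up like this, it helps to have a way of checking what state a TFTP setup is actually in: whether anything under the boot tree is world-writable or owned by someone other than root, and whether the unit file starts in.tftpd with the create option or without the chroot option. The script below is an added example for this article and is not part of tftp-server or Fedora. It assumes the in.tftpd option names described above (-c, -p, -s) and the hypothetical file name tftp_audit.sh; the unit file and directory are parameters so the checks can be tried against a scratch directory first.

```shell
#!/bin/sh
# tftp_audit.sh (hypothetical name): added example, not part of tftp-server.
# Checks a TFTP boot tree and the systemd unit that starts in.tftpd for
# settings that turn a read-only boot server into a writable file drop.

# audit_tftp_tree DIR [OWNER]
# Reports entries under DIR that are world-writable or not owned by OWNER
# (default root). Returns 1 if anything was found, 0 for a clean tree.
audit_tftp_tree() {
    dir=$1
    owner=${2:-root}
    rc=0
    # World-writable files or directories let any local user replace a
    # kernel or boot image that diskless clients will load.
    ww=$(find "$dir" -perm -o+w -print)
    if [ -n "$ww" ]; then
        printf 'world-writable:\n%s\n' "$ww"
        rc=1
    fi
    # A read-only tree should be owned by OWNER throughout.
    foreign=$(find "$dir" ! -user "$owner" -print)
    if [ -n "$foreign" ]; then
        printf 'not owned by %s:\n%s\n' "$owner" "$foreign"
        rc=1
    fi
    return $rc
}

# audit_tftp_unit UNITFILE
# Parses the in.tftpd options on the ExecStart= line. Returns 1 if -c/--create
# is present or -s/--secure is missing, 2 if no ExecStart= line was found.
audit_tftp_unit() {
    unit=$1
    rc=0
    # Take the last non-empty ExecStart= line: a drop-in that resets and
    # re-sets ExecStart= leaves its own line last.
    exec_line=$(grep '^ExecStart=.' "$unit" | tail -n 1)
    if [ -z "$exec_line" ]; then
        echo "no ExecStart= line in $unit"
        return 2
    fi
    args=${exec_line#ExecStart=}
    create=0
    secure=0
    for a in $args; do
        case $a in
            --create) create=1 ;;
            --secure) secure=1 ;;
            --*) ;;
            # Short options may be bundled (-cps), so test each letter.
            -*) case $a in *c*) create=1 ;; esac
                case $a in *s*) secure=1 ;; esac
                case $a in *p*) echo "note: -p disables in.tftpd's own permission checks" ;; esac ;;
        esac
    done
    if [ "$create" -eq 1 ]; then
        echo "create enabled (-c): clients can add new files to the tree"
        rc=1
    fi
    if [ "$secure" -eq 0 ]; then
        echo "no -s: in.tftpd is not confined to the boot directory"
        rc=1
    fi
    return $rc
}

# Run as a script with two arguments, e.g.:
#   sh tftp_audit.sh /etc/systemd/system/tftp-server.service /var/lib/tftpboot
if [ $# -eq 2 ]; then
    audit_tftp_unit "$1"; u=$?
    audit_tftp_tree "$2"; t=$?
    [ "$u" -eq 0 ] && [ "$t" -eq 0 ] && echo "OK: read-only TFTP setup"
    exit $(( u > t ? u : t ))
fi
```

Run against the unit file and directory from this article, the script reports the -c option and, after the chmod above, the world-writable directory; against a tree that is root-owned, mode 755/644, and served with only -s, it prints OK.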
Configure your firewall to allow TFTP traffic:
firewall-cmd --add-service=tftp --perm
firewall-cmd --reload
Client Configuration
Install the TFTP client:
yum install tftp -y
Run the tftp command to connect to the TFTP server. Here is an example that enables the verbose option:
[client@thinclient:~ ]$ tftp 192.168.1.164
tftp> verbose
Verbose mode on.
tftp> get server.logs
getting from 192.168.1.164:server.logs to server.logs [netascii]
Received 7 bytes in 0.0 seconds [inf bits/sec]
tftp> quit
[client@thinclient:~ ]$
Remember, TFTP does not have the ability to list file names. So you’ll need to know the file name before running the get command to download any files.
Edgar Hoch
What crazy description for tftp configuration do you release into the world? Why should anyone be allowed to upload any files to the server without any restrictions? What application is there that requires this and you can’t use a more secure method (with authentication and authorization)?
You don’t need this to boot devices over the network. The only thing you need to do, apart from installing the packages, is to enable the socket with “systemctl enable --now tftpd.socket” and place the files needed for booting over the network in /var/lib/tftpboot/ or a subdirectory in it, preferably as owner and group root and only writeable for root and readable for all.
You should NOT make /var/lib/tftpboot/ writeable for all. You should NOT use the -c option. You don’t need to make a copy of tftpd.server and tftpd.socket in /etc/systemd/system/; if you want to make local changes, create a directory /etc/systemd/system/tftpd.server.d/ and create a file in it with the extension “.conf”, where you just enter the change – see “man systemd.unit”. This could be used, for example, to make changes to the options when calling the service:
[Service]
ExecStart=/usr/sbin/in.tftpd -s /var/lib/tftpboot
Do NOT enter “WantedBy=multi-user.target”! You also don’t activate the tftpd.service, but tftpd.socket (see above). This has the advantage that the service only runs and occupies resources when it is needed (and after some time of inactivity (default 15 minutes) it stops itself).
Why should someone use the tftp client to download a file like server.logs (as in your example)? Somebody has to put the file there first.
TFTP is only needed for booting devices over the network, usually with PXE – to load a boot kernel, grub, or similar. Everything else the device should do via other services.
People should only use the tftp client to test the connection. Upload or download files to a server should only be done via secure services, e.g. ssh / scp / sftp / rsync via ssh or via network file systems.
Curt Warfield
Hi Edgar,
Thank-you for taking the time to bring up some valid concerns.
The intent of the article was not meant to try to ask anyone to embrace tftp or to even suggest it should be anyone’s first choice. I would not expect any enterprise environments to ever use this in production.
This article was written as more of a way to just show how to configure a legacy application such as this.
It was even noted in the article that it is not a secure method of uploading files:
“There are also no provisions for user authentication. Because of security implications and the lack of advanced features, TFTP is generally only used on a local area network (LAN). ”
“Note TFTP is an inherently insecure protocol, so this may not be advised on a network you share with other people.”
But I have come across occasions where I’ve been asked how to set this up even with my recommendation to use a more secure method.
stee
I agree with Edgar, the config here seems unnecessarily complicated. It would have been better to divide this article into two parts, first the default config to get up and running and then how to enable uploading as a “bonus”. Other articles on here have done similar in the past.
Felix Kaechele
At times where I just quickly require an ad-hoc TFTP server to host some firmware files I’m pushing to devices I use tftpy:
dnf install python2-tftpy
sudo firewall-cmd --add-service=tftp
sudo tftpy_server.py -r .
You can also change the path you’d like to share via TFTP by replacing the . after the -r parameter.
When done Ctrl-C out of the TFTPy server and close the port again:
sudo firewall-cmd --remove-service=tftp
Hint: If you’re on Rawhide (or for that matter: after the release of Fedora 32) you’d have to use python3-tftpy and tftpy_server3.py respectively. The Python 3 capable update was not pushed to earlier releases.
Einer
Folks,
There are reasons you would still use a TFTP server (also known as a server providing bootp services) … an example is booting and running a diskless Unix/Linux/some network routers and switches/Xterms … basically a networked machine that has no hard disk or other local OS storage device …
I have even used TFTP boot to boot and run other “Thin Client” machines running Windows. So, not as “Obsolete” as you might think 🙂
Good security practice for this kind of a setup is:
1) Make sure your TFTP server is read only
2) Make sure the segment/VLAN the TFTP server is on is properly firewalled from any other network
3) Make sure your site’s Physical security/access is well controlled
… AND … IF you can find another way, client machines that you can actually load the base OS on, do it 🙂
Einer
Justin
Don’t forget, Cisco IP phones use a TFTP server as well. I am not a telephony administrator, so I don’t know if the enterprise that I am with uses this specific program, but the hosts themselves do use the TFTP protocol to get an OS.
If you consider how many desktop phones are on the campus of a large enterprise, that is a considerable amount of hosts using the TFTP protocol. It is still relevant.
Quine
The tftp client won’t work as you describe with the standard firewall rules on a Fedora system, due to the TFTP protocol’s stateless nature. You’d have to allow traffic inbound from the TFTP server on the client’s firewall.
Mehdi
Interesting. Never heard of TFTP before.
GW
For me it is much more common to use tftp to backup Cisco router and switch config files as well as to store Cable Modem config files, so not much booting. However it is imperative in backing up router and switch config files that the create option be available for writing the file onto the tftpboot directory. Generally in a tftp config spec there is some content regarding how to spin up tftp as a non-privileged entity using nobody or similar without a login shell and ensuring the file ownership matches the tftpboot file.
And I was surprised recently when I was not able to use tftp localhost in another OS but had to use the local IP address for server testing.
Antti N.
I’ve been unable to get tftp-server to bind to 255.255.255.255:69. It’s mandatory for flashing Cisco devices, which also happens to be one of the very few use cases I have. Tftpd-hpa handles this without any issue and Tftpd32/64 on Windows does it as well.
r44
How make mastodon server
e-mail server but tftp?
Mark
In the past apart from kickstart installs my main use for network booting was having a config file that instead of starting a kickstart would boot into ‘linux rescue’ mode, so when a machine became unbootable it was just a case of powering on the kickstart server and rebooting the failed machine to get it into rescue mode; saved hours of trying to figure out where I last put the install DVD and eventually downloading another just to get into rescue mode.
Looks like I last needed that in F16 however, and quickly googling ‘rescue mode’ found only documentation for F16 and F17, I hope F30 still has it.
Jasper Hartline
I used tftpd to load up 10 nodes all diskless.. served them up a Kerrighed clustering kernel and joined them all so we had a 10 node thin client clustering network.
The process migration worked just fine with Gigabit ethernet.