atftpd

Contents

atftpd

About

advanced TFTP server

Multi-threaded TFTP server implementing all options (option extension and multicast) as specified in RFC1350, RFC2090, RFC2347, RFC2348, RFC2349 and RFC7440. Atftpd also supports the multicast protocol known as mtftp, defined in the PXE specification. The server is socket activated by default but supports being started from inetd(8) as well as in daemon mode using init scripts.

Installation

Install atftpd server component

   1 apt install atftpd

You may also want to install the client to test it

   1 apt install atftp

Configure

Create a group tftp

   1 addgroup --system tftp

Add you user to the group

   1 adduser tobias tftp

Create the directory to be served and set the SGID bit, to ensure all files and directories created below this directory belong to group tftp. Nobody may view and enter the directory but is not allowed to write to the tftp root directory.

   1 install -o root -g tftp -m 2775 -d /srv/tftp

Add a writable sub-directory below /srv/tftpd

   1 install -o root -g tftp -m 2777 -d /srv/tftp/inbound

Defaults

/etc/default/atftpd

   1 USE_INETD=true
   2 # OPTIONS below are used with systemd and init script
   3 OPTIONS="--port 69 --tftpd-timeout 300 --retry-timeout 5 --mcast-port 1758 --mcast-addr 239.239.239.0-255 --mcast-ttl 1 --maxthread 100 --verbose=5 /srv/tftp"

Logging

By default atftpd logs to syslog

   1 tail -f /var/log/daemon.log | grep atftpd

If you are having trouble change the severity to --verbose=7 and restart the service. This is very helpful!

Systemd configuration

By default atftpd is activated by a socket.

/usr/lib/systemd/system/atftpd.socket

   1 [Unit]
   2 Description=Advanced TFTP Server activation socket
   3 
   4 [Socket]
   5 ListenDatagram=69
   6 
   7 [Install]
   8 WantedBy=sockets.target

/usr/lib/systemd/system/atftpd.service

   1 [Unit]
   2 Description=Advanced TFTP Server
   3 Requires=atftpd.socket
   4 Documentation=man:in.tftpd
   5 
   6 [Service]
   7 EnvironmentFile=/etc/default/atftpd
   8 ExecStart=/usr/sbin/in.tftpd $OPTIONS
   9 StandardInput=socket
  10 DynamicUser=yes
  11 
  12 [Install]
  13 Also=atftpd.socket

The flag DynamicUser=yes implies some rigorous constraints to the service disallowing writes to the served directory. Please see:
man 5 systemd.exec

Following Flags are implied:

RemoveIPC=yes
ProtectHome=read-only
NoNewPrivileges=yes
RestrictSUIDSGID=yes
ProtectSystem=strict

To allow writing create an systemd override
/etc/systemd/system/atftpd.service.d/override.conf
using
systemctl edit atftpd.service

   1 [Service]
   2 ReadWritePaths=/srv/tftp

RemoveIPC=yes

ProtectHome=read-only

NoNewPrivileges=yes

RestrictSUIDSGID=yes

ProtectSystem=strict

The corresponding error looks like this in tftp-hpa

   1 tftp localhost -v
   2 Connected to localhost.localdomain (::1), port 69
   3 tftp> put file.1m
   4 putting file.1m to localhost.localdomain: [netascii]
   5 Error code 2: Access violation
   6 tftp>

The corresponding error looks like this in atftp

   1 atftp --verbose localhost              
   2 Verbose mode on.   
   3 tftp> put /tmp/file.1m                                         
   4 tftp: error received from server <Access violation>
   5 tftp: aborting

Using the client from cli

Create a test file

   1 dd if=/dev/urandom of=/tmp/file.1m bs=1M count=1

atftp

Upload a file with atftp

   1 atftp localhost --verbose --put -l "/tmp/file.1m" -r "/rw/file.1m"
   2 atftp localhost -p -l "/tmp/file.1m" -r "/rw/file.1m"

Download a file with atftp

   1 atftp localhost --verbose --get -l "/tmp/file.1m_down" -r "/rw/file.1m"
   2 atftp localhost -g -l "/tmp/file.1m_down" -r "/rw/file.1m"

tftp-hpa

Upload a file with tftp-hpa

   1 tftp localhost -v -c put "/tmp/file.1m" "/rw/file.1m"

Download a file with tftp-hpa

   1 tftp localhost -v -c get "/rw/file.1m" "/tmp/file.1m_down"

Protocols

Technologies

Configurations

Services

Misc

Navigation