tftpd Daemon

Purpose

Provides the server function for the Trivial File Transfer Protocol.

Syntax

/usr/sbin/tftpd [ -c ] [ -i ] [ -n ] [ -p ] [ -v ] [ -t ] [ -s ] [ -x ] [ -z ] [ -d Directory ] [ -r Option ]

Description

Note: The tftpd daemon is normally started by the inetd daemon. It can also be controlled from the command line, using SRC commands.

The /usr/sbin/tftpd daemon runs the Trivial File Transfer Protocol (TFTP) server. Files sent using TFTP can be found in the directory specified by the full path name given on the tftp or utftp command line.

Note: The tftp command, utftp command, and tftpd server are not available when the auditing system is in use. For more information, see TCP/IP Security, the Auditing overview, and the audit command.

The tftpd daemon is configured through the System Management Interface Tool (SMIT) or the System Resource Controller (SRC), or by editing the /etc/inetd.conf and /etc/services files directly. The daemon is enabled when its tftp entry in the /etc/inetd.conf file is uncommented.

The inetd daemon gets its information from the /etc/inetd.conf file and the /etc/services file.

After changing the /etc/inetd.conf or /etc/services file, run the refresh -s inetd or kill -1 InetdPID command to inform the inetd daemon of the changes to its configuration file.

The tftpd server should run under a user ID with the least privileges possible. Because TFTP carries no authentication, the user ID in the /etc/inetd.conf entry bounds what any client on the network can read from or write to the system. The nobody ID has the fewest permissions and is the default user ID.

The tftpd daemon should be controlled using the System Management Interface Tool (SMIT) or by changing the /etc/inetd.conf file. Entering tftpd at the command line is not recommended.

With AIX® 4.3.3, the tftpd server became a multithreaded application. With AIX 5.3, the server gained support for TFTP option negotiation (RFC 2347), covering the Block Size option (RFC 2348) and the Transfer Size and Timeout Interval options (RFC 2349). A client can thereby learn or declare the size of the file to be transferred, negotiate a retransmit timeout, and request a block size larger than the 512-byte default. Block size (blksize) is negotiated for read requests (RRQ) only. As a result, the boot time of diskless nodes that load over TFTP can improve significantly.

The Transfer Size option (tsize) is negotiated for both read and write requests, so the file size is known before any data flows: if the file would exceed the space available, the server returns an error before the transfer starts instead of failing part-way through. The timeout option (timeout) lets the client and server agree on a retransmit timeout between 1 and 255 seconds. The tftp client must also support option negotiation (RFC 2347 and RFC 2349) for any of this to take place; otherwise the transfer proceeds as plain RFC 1350 TFTP.

tftpaccess.ctl File

The /etc/tftpaccess.ctl file is searched for lines that start with allow: or deny:; other lines are ignored. If the file does not exist, access to the entire system is allowed, so the default is permissive and a hardened host should always carry an explicit allow: list. The allowed directories and files, minus the denied directories and files, can be accessed. For example, the /usr directory might be allowed and the /usr/ucb directory denied; any directory or file under /usr, except the /usr/ucb directory, can then be accessed. The entries in the /etc/tftpaccess.ctl file must be absolute path names.

The /etc/tftpaccess.ctl file should be writable only by the root user and readable by group and others (that is, owned by root with permissions of 644). The user nobody must be able to read the /etc/tftpaccess.ctl file. Otherwise, the tftpd daemon does not recognize that the file exists and allows access to the entire system, exactly as if the file were absent; a file that is present but mode 600 therefore restricts nothing. For more information, refer to the sample tftpaccess.ctl file, which resides in the /usr/samples/tcpip directory.

The search algorithm assumes that the local path name used in the tftp command is an absolute path name. It searches the /etc/tftpaccess.ctl file looking for allow:/. It repeatedly searches for allowed path names with each partial path name constructed by adding the next component from the file path name. The longest path name matched is the one allowed. It then does the same with denied names, starting with the longest allowed path name matched.

For example, if the file path name were /a/b/c and the /etc/tftpaccess.ctl file contained allow:/a/b and deny:/a, one allowed match would be made (/a/b) and no denied match starting with /a/b would be made, and access would be allowed.

If the /etc/tftpaccess.ctl file contained allow:/a and deny:/a/b, one allowed match would be made (/a) and one denied match starting with /a (/a/b) would be made, and access would be denied. If the /etc/tftpaccess.ctl file contained allow:/a/b and also contained deny:/a/b, access would be denied because allowed names are searched first.
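The search described above, together with the fail-open rule from the permissions note, as an added example that is not IBM's code and is not taken from the tftpd sources: the functions below parse a tftpaccess.ctl file, build the partial path names one component at a time, find the longest allow: match, then look for a deny: match at or below it. The sample control file contents and the file names checked are constructed for the example; collapsing ".." in the requested name is an addition of this example that the page does not describe, and the "readable by other" test stands in for "readable by nobody", which is what decides whether the daemon sees the file at all.

```python
"""Model of the AIX tftpd /etc/tftpaccess.ctl search (added example, not IBM code)."""
import os
import posixpath
import stat
import tempfile


def parse_tftpaccess(text):
    """Return (allow, deny) lists; only allow:/deny: lines count, the rest is ignored."""
    allow, deny = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("allow:"):
            allow.append(posixpath.normpath(line[len("allow:"):].strip()))
        elif line.startswith("deny:"):
            deny.append(posixpath.normpath(line[len("deny:"):].strip()))
    return allow, deny


def path_prefixes(path):
    """'/a/b/c' -> ['/', '/a', '/a/b', '/a/b/c']: the partial names built one component at a time."""
    parts = [p for p in path.split("/") if p]
    return ["/"] + ["/" + "/".join(parts[:i]) for i in range(1, len(parts) + 1)]


def access_allowed(path, rules):
    """True if 'path' may be transferred under rules=(allow, deny); rules=None means 'allow all'."""
    if rules is None:
        return True          # no usable control file: tftpd restricts nothing
    allow, deny = rules
    if not path.startswith("/"):
        return False         # the search assumes an absolute path name
    # Collapsing '..' here is an addition of this example, not documented daemon behaviour.
    prefixes = path_prefixes(posixpath.normpath(path))
    allowed_at = None        # index of the longest matching allow: entry
    for i, prefix in enumerate(prefixes):
        if prefix in allow:
            allowed_at = i
    if allowed_at is None:
        return False         # nothing is allowed this far down the tree
    # deny: entries are searched only from the allowed match downwards, so a
    # deny: above the allow: (deny:/a with allow:/a/b) does not cancel it.
    return not any(prefix in deny for prefix in prefixes[allowed_at:])


def load_tftpaccess(ctl_path="/etc/tftpaccess.ctl"):
    """Load the control file as tftpd (running as nobody) sees it: (rules, warnings).

    rules is None whenever the daemon would fall back to allowing the entire system.
    """
    warnings = []
    try:
        st = os.stat(ctl_path)
    except FileNotFoundError:
        warnings.append("%s missing: tftpd allows the entire system" % ctl_path)
        return None, warnings
    mode = stat.S_IMODE(st.st_mode)
    if st.st_uid != 0:
        warnings.append("%s is not owned by root (uid %d)" % (ctl_path, st.st_uid))
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        warnings.append("%s is group/other writable (mode %o)" % (ctl_path, mode))
    if not mode & stat.S_IROTH:
        # nobody is neither root nor (normally) in the file's group, so the
        # 'other' read bit decides whether tftpd can read the file at all.
        warnings.append("%s not readable by other (mode %o): tftpd allows the entire system"
                        % (ctl_path, mode))
        return None, warnings
    with open(ctl_path) as f:
        return parse_tftpaccess(f.read()), warnings


def write_sample_ctl(mode):
    """Write a constructed sample control file with the given mode; returns its path."""
    sample = ("# constructed sample, not /usr/samples/tcpip/tftpaccess.ctl\n"
              "allow:/tftpboot\n"
              "deny:/tftpboot/private\n")
    fd, path = tempfile.mkstemp(prefix="tftpaccess.")
    with os.fdopen(fd, "w") as f:
        f.write(sample)
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    for mode in (0o644, 0o600):            # 0o600: present but unreadable by nobody
        path = write_sample_ctl(mode)
        rules, warnings = load_tftpaccess(path)
        os.remove(path)
        print("mode %o -> rules %r, warnings %r" % (mode, rules, warnings))
        for name in ("/tftpboot/rboot.img", "/tftpboot/private/key", "/etc/passwd"):
            print("  %-24s %s" % (name, "allowed" if access_allowed(name, rules) else "denied"))
```

Running the script shows the two outcomes side by side: with mode 644 the sample rules admit /tftpboot/rboot.img and refuse the private subtree and /etc/passwd; with mode 600 the same file is invisible to the daemon's user and every name is reported as allowed.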

Manipulating the tftpd Daemon with the System Resource Controller

The tftpd daemon is a subserver of the inetd daemon, which is a subsystem of the System Resource Controller (SRC). The tftpd daemon is a member of the tcpip SRC subsystem group. This daemon is enabled when it is uncommented in the /etc/inetd.conf file and can be manipulated by the following SRC commands:

Item Description
startsrc Starts a subsystem, group of subsystems, or a subserver.
stopsrc Stops a subsystem, group of subsystems, or a subserver.
lssrc Gets the status of a subsystem, group of subsystems, or a subserver.

Flags

Item Description
-c Specifies the maximum number of concurrent threads per process, excluding the initial thread.
-d Directory Specifies default destination directory. The Directory specified will be used as the home directory for storing files only. This default directory will be used only if a full pathname is not specified. The default directory for retrieving files is still /tftpboot.
-i Logs the IP address of the calling machine with error messages.
-n Allows remote users to create files on this machine. Without this flag, remote users can only read files that have read permission for other, and cannot write at all. Because TFTP carries no authentication, -n lets any host that can reach the tftp port (UDP port 69) write into the destination directory, so omit it unless clients genuinely need to upload; note that the sample inetd.conf line under -r includes it.
-p Specifies the port number for the incoming request.
-r Option Specifies a tftp option negotiation to disable. Multiple -r flags can be used. For example, the following line in the /etc/inetd.conf file disables option negotiation for tsize and blksize:
   tftp  dgram  udp6  SRC  nobody  /usr/sbin/tftpd tftpd -n -r tsize -r blksize
-s Turns on socket-level debugging.
-t Specifies the timeout value for datagrams.
-v Logs information messages when any file is successfully transferred by the tftpd daemon. This logging keeps track of who is remotely transferring files to and from the system with the tftpd daemon.
-x Specifies the maximum number of timeouts to wait for a datagram before the transfer is abandoned.
-z Specifies the maximum allowed segment size for transfers.

Examples

Note: The arguments for the tftpd daemon can be specified by using SMIT or by editing the /etc/inetd.conf file.
  1. To start the tftpd daemon, enter the following:

    startsrc  -t tftp

    This command starts the tftpd subserver.
  2. To stop the tftpd daemon normally, enter the following:

    stopsrc  -t tftp

    This command allows all pending connections to start and existing connections to complete but prevents new connections from starting.
  3. To force stop the tftpd daemon and all tftpd connections, enter the following:

    stopsrc -f -t tftp

    This command terminates all pending connections and existing connections immediately.
  4. To display a short status report about the tftpd daemon, enter the following:

    lssrc -t tftp

    This command returns the daemon's name, process ID, and state (active or inactive).