Thanks goes to the following:
Simon Greaves, censjg_at_caledonia.hw.ac.uk
Martyn Johnson, maj_at_cl.cam.ac.uk
Jon Buchanan, Jonathan.Buchanan_at_ska.com
Andrew Brennan, brennan_at_hal.hahnemann.ed
Sean, swatson_at_ultrix6.cs.csubak.edu
My original question was:
Hello OSF/1 managers,
I have configured a DEC 3000/500 to store the configuration file of
a CISCO 4000 router using tftp. I put the configuration file of the
router into a directory /tftpboot. The download of this configuration
file works fine, if this file is readable for all users.
But I don't want this file to be public readable, because it contains passwords
of my router. In the man pages I read, that Icontains passwords
of my router. In the man pages I read, that I can use a file /etc/tftptab,
where I can specify files, the tftpd can download, even if they are not
public readable. But I don't know the syntax of entries in this file.
Only inserting the name of the routers configuration file doesn't work.
Does anyone ame of the routers configuration file doesn't work.
Does anyone have a template of a /etc/tftptab file?
I got the following answers:
>From Simon Greaves:
I don't have the tftptab format, but another possibility would be to install
tcp wrappers which would allow you to control access to the tftp server on a
per host/ld allow you to control access to the tftp server on a
per host/IP address basis (assuming you run tftpd from inetd).
Tcp wrappers are dead easy to use and I think a good idea for many inetd
services. Mail me if you want more info.
Simon Greaves
censjg_at_caledonia.hw.ac.uk
DDI: +44 (0)131 451 3265 Fax: +aledonia.hw.ac.uk
DDI: +44 (0)131 451 3265 Fax: +44 (0)131 451 3261
From Martyn Johnson:
> Only inserting the name of the routers configuration file doesn't work.
This works for me. Are you sure that the uid that tftp is running under (see
/etc/inetd.conf for that) has access to the file?
> it contains passwords of my router
Can't you turn on password encryption in the router? I have
service password-encryption
in the router configuration file, and the passwords come out looking like
enable password 7 130F5419926F6E559A
Martyn Johnson maj_at_cl.cam.ac.uk
University of Cambridge Computer Lab
Cambridge UK
>From Jon Buchanan:
Hello Andreas,
Have you tried just a list of filenames, one per line? These should
probably be pure filenames without directory paths as the directory paths
should be listed in inetd.conf.
Regards,
Jon Buchanan, Zuerich, Switzerland
[ Jonathan.Buchanan_at_ska.com ]
>From Andrew Brennan, Lackey-at-large:
> ... The download of this configuration
> file works fine, if this file is readable for all users. But I don't want
> this file to be public readable, because it contains passwords
> of my router. In the man pages I read, that I can use a file /etc/tftptab,
> where I can specify files, the tftpd can download, even if they are not
> public readable. But I don't know the syntax of entries in this file.
> Only inserting the name of the routers configuration file doesn't work.
> Does anyone have a template of a /etc/tftptab file?
>
The way I understand it, TFTP does absolutely *no* system/user checking
to see who is/isn't permitted to read system/user checking
to see who is/isn't permitted to read files. I believe the purpose of
the /etc/tftptab is not to specify files that only certain sites can
read - but instead to specify files *outside* the /tftpboot directory
that you also wish to make available via TFTP. If this is the case,
all files accessible via TFTP are always publicly readable ...
If you have the same cisco software we're using, there's a function to
keep only encrypted passwords in the configuration file. It's not the
most secure approach, but you could slow up anyone who might want to
dump your cisco. Combine it with blocking the TFTP port on an Internet
router and you should be able to keep most of those outside - outside.
andrew. (brennan_at_hal.hahnemann.edu)
>From swatson_at_ultrix6.cs.csubak.edu:
Andreas,
Be careful! To quote the man page for tftp:
:: Due to the lack of authentication information, tftpd will allow only
:: publicly readable files to be accessed. Files can be written only if they
:: already exist and are publicly writable. Note that this extends the con-
:: cept of ``public'' to include all users on all hosts that can
:: cept of ``public'' to include all users on all hosts that can be reached
:: through the network; this may not be appropriate on all systems, and
:: its implication should be considered before enabling tftp service.
Anyone on the network can tftp into your Alpha and get the file (assuming they
know the filename). I would make sure that the pathname was not predictable
(assuming your router lets you do this) and that the directory it was
in was not readable (although it needs to be executable). In other
words I would put the configuration in
"/tftpboot/private/password/router1.conf" and make sure
/tftpboot/private had permissions drwx--x--x and that "password" was
replaced with a real passwos drwx--x--x and that "password" was
replaced with a real password like string. This will make the "password"
needed to get at the config file from your Alpha via "more" or from the
network (including your Alpha) via "tftp".
By the way, I read the man page as just a newline delimited list of
files/direcotries for whige as just a newline delimited list of
files/direcotries for which TFTP should override its normal security
precautions. (But I haven't tested it.) You should probably just list your
files that you want to allow access to despite world readability (one file
per line). Once again, I think this file is designed to solile
per line). Once again, I think this file is designed to solve different
problems and haven't tested/used it.
Sean
I'd not get tftpd to download file which are not public readable (Perhaps it
is not possible, even if the OSF/1 man pages say so).
To get more security for my system
the OSF/1 man pages say so).
To get more security for my system
1. i enabled password encryption on my cisco router (see hint of Martyn Johnson)
2. i installed tcp wrappers (see hint of Simon Greaves)
3. i put the configuration file in "/tftpboot/private/password/router1.conf"
and set the permissions of /tftpboot/prassword/router1.conf"
and set the permissions of /tftpboot/private to drwx--x--x (see hint of
Sean)
Many thanks to the osf-managers!!
Bye, Andreas
-----------------------------------------------------------------
Andreas Bungert
University of Kaiserslautern (Germany)
Department of Electrical Engineering
Institute for Digital Systems
bungert_at_rhrk.uni-kl.de
-----------------------------------------------------------------
Received on Wed Sep 20 1995 - 09:44:49 NZST