topic Re: tftp security issues in Operating System - HP-UX

tftp security issues

Rajasekhar Raman — Wed, 02 Oct 2002 12:26:09 GMT

Are there any known security risks with tftp. Is it recommended that this service be disabled to have a more secure environment.

Also, does swinstall use tftp to do the remote installations ??

Thanks for you input.

-Shekar Raman

Re: tftp security issues

Donald Kok — Wed, 02 Oct 2002 12:59:53 GMT

Hi Shekar,
Yes tftp is unsecure, and hardly used these days. It is used by ignite to make and perform a net recovery. It is also used by omniback to push an agent. It is used by X-terminals, like Envizex. That's about it AFAIK. normally you can disable the service.

I think swinstall uses nfs as the network protocol , but I am not 100% sure.

Greetzz
Donald

Re: tftp security issues

Sridhar Bhaskarla — Wed, 02 Oct 2002 13:08:52 GMT

Hi Shekar,

tftp is unsecured in the sense it does not prompt for the passwords. So, depending on the tftp server configuration and the permissions on the server, there is a good chance that it can be a target of attack.

One other thing is that it does not encrypt the communication.

swinstall does not use tftp for sure for remote installations. I believe, it uses DCE/RPC.

-Sri