
Ignite-UX

 
Paul McCleary
Honored Contributor

Ignite-UX

Does anyone understand the role that tftp plays when it is used to install a target server??

i.e. Does the IUX Server need to have tftp enabled or is it using tftp on the target host PDC?

We can't use Ignite until we're sure of the role of tftp because of the security implications it poses.

Thanks, Paul
Carlos Fernandez Riera
Honored Contributor

Re: Ignite-UX


From man instl_bootd:

     -b boot-file   Change the boot file path from the default
                    /opt/ignite/boot/boot_lif to boot-file. boot-file
                    is a Logical Interchange Format (LIF) volume that
                    the client uses to access other boot utilities
                    (see lif(4), hpux(1M) and isl(1M)). boot-file
                    must be accessible using the tftp service (see

...

In addition to the services provided by instl_bootd, the tftp service
must also be configured on the server system, and boot-file must be
accessible through the tftp service (see tftp(1) and tftpd(1M)).


See man instl_bootd.

unsupported
James R. Ferguson
Acclaimed Contributor

Re: Ignite-UX

Hi Paul:

Ignite uses 'tftp' on the Ignite server to transfer some of its files. During the installation of Ignite, /etc/inetd.conf is set up with the minimum directories necessary for client access. These are /opt/ignite and /var/opt/ignite.

...JRF...
Tim D Fulford
Honored Contributor

Re: Ignite-UX

Hi

I just looked at the HP docs and it says:

tftp -- Ignite-UX will transfer some of its files using tftp. The minimum directories needed by tftp are set up in the /etc/inetd.conf file. Others may need to be added if you place configuration scripts in non-standard locations.

The full doc is http://docs.hp.com/hpux/onlinedocs/B2355-90704/B2355-90704.html

My understanding is that Ignite-UX needs some temporary IPs to load its files to. I think it uses these IPs with tftp. Once the basics have been done the installed server can have its real IP. If this is right you could put a filter with tftp port (69) & the temporary IP addresses. But you certainly can't disable tftp on the Ignite-UX server.

If this still contradicts your security policy you're stuck with tape images!
-
Paul McCleary
Honored Contributor

Re: Ignite-UX

Thanks a lot for your input.

I recognise the directories mentioned like /opt/ignite etc. and these are NFS exported on the server with anonymous login allowed. So I still don't see where tftp fits in other than grabbing an IP address from bootd? And I'm fairly certain that I didn't enable tftp in inetd.

Paul
James R. Ferguson
Acclaimed Contributor

Re: Ignite-UX

Hi Paul:

With regard to your comment that you are "fairly certain that I didn't enable tftp in inetd". Indeed, you probably didn't. This configuration is done for you when you install Ignite, although no 'tftp' account is placed in /etc/passwd.

...JRF...
Paul McCleary
Honored Contributor

Re: Ignite-UX

Thanks James - the reason I'm being a bit woolly about settings is that I've only been able to try this out on some test kit and I've not got access to it at the moment.

I remember reading somewhere about having an entry for tftp in passwd. Is it necessary to have an entry and what are the benefits? (We would be using a trusted system).

Paul
James R. Ferguson
Acclaimed Contributor

Re: Ignite-UX

Hi (again) Paul:

Take a look at the man pages for 'tftp (1M)'. You will note that "If any path is specified on the command line, tftpd does not require that a pseudo-user named tftp exist in /etc/passwd. The specified paths control access to files by tftp clients...[however]...Defining the tftp pseudo-user is strongly recommended even when paths are specified, because client access is further restricted to files that can be read and/or written by this pseudo-user."

Hopefully this helps you.

...JRF...
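
The two points raised in this thread (tftpd limited by the path arguments in /etc/inetd.conf, and the recommended tftp pseudo-user in /etc/passwd) can be checked with a short script. This is an added example, not part of the original posts or of Ignite-UX; the `audit_tftp` function name and the sample files are constructed for illustration, and the inetd.conf field layout is assumed to be the standard seven fields followed by the tftpd arguments.

```shell
#!/bin/sh
# Added example (not from the thread): audit the tftp entry in inetd.conf.
# The allowed directories are the two named in the thread.
ALLOWED_DIRS="/opt/ignite /var/opt/ignite"

# audit_tftp INETD_CONF PASSWD_FILE
# Prints one finding per line; returns 1 if any WARN was printed, else 0.
audit_tftp() {
    conf=$1; passwd=$2; rc=0
    # First active (uncommented) tftp line, if any.
    line=$(awk '$1 == "tftp" { print; exit }' "$conf")
    if [ -z "$line" ]; then
        echo "OK: no active tftp entry"
        return 0
    fi
    # Fields 1-7 are service, socket, protocol, wait, user, program, argv[0];
    # any later argument starting with "/" is a directory tftpd will serve.
    paths=$(printf '%s\n' "$line" |
        awk '{ for (i = 8; i <= NF; i++) if ($i ~ /^\//) print $i }')
    if [ -z "$paths" ]; then
        echo "WARN: tftpd has no path arguments restricting client access"
        rc=1
    fi
    for p in $paths; do
        case " $ALLOWED_DIRS " in
            *" $p "*) echo "OK: $p" ;;
            *) echo "WARN: unexpected tftp directory $p"; rc=1 ;;
        esac
    done
    # The man page quoted in the thread strongly recommends a tftp pseudo-user.
    if grep -q '^tftp:' "$passwd"; then
        echo "OK: tftp pseudo-user present"
    else
        echo "WARN: no tftp pseudo-user in $passwd"
        rc=1
    fi
    return $rc
}

# Constructed sample input; on a real server pass /etc/inetd.conf /etc/passwd.
tmp=$(mktemp -d)
cat > "$tmp/inetd.conf" <<'EOF'
#ftp   stream tcp nowait root /usr/lbin/ftpd  ftpd -l
tftp   dgram  udp wait   root /usr/lbin/tftpd tftpd /opt/ignite /var/opt/ignite /tmp
EOF
printf 'root:*:0:3::/:/sbin/sh\n' > "$tmp/passwd"
audit_tftp "$tmp/inetd.conf" "$tmp/passwd" || echo "findings above need review"
```

On the constructed sample the script flags the extra /tmp directory and the missing tftp account, while accepting the two Ignite directories.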