Speed read the original - TCP/IP (TFTP security)

Chapter 15 TFTP: Trivial File Transfer Protocol

15.4 Security

Note that the TFTP packets (Figure 15-1) have no field for a user name or password. This is a feature of TFTP (that is, a "security hole"). Because TFTP was designed for use during the system boot process, it cannot provide a user name and password.

Many crackers used this feature of TFTP to obtain copies of Unix password files and then guess users' passwords. To prevent this type of access, most TFTP servers provide an option that limits access to the files in a specific directory (usually /tftpboot on Unix systems). This directory contains only the files that diskless systems need at boot time.

As an additional safeguard, the TFTP server on a Unix system usually sets its user ID and group ID to values that are not assigned to any real user. This allows access only to files that have world-read or world-write permission.
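The two safeguards above can be expressed as a server-side check. The following is an added example, not code from the original text: it parses a read request (RRQ, laid out as in RFC 1350), confines the requested name to the boot directory, and serves only world-readable regular files. The function names are hypothetical, and a temporary directory with constructed files stands in for /tftpboot.

```python
import os
import stat
import struct
import tempfile

OP_RRQ = 1  # RFC 1350 read-request opcode

def parse_rrq(packet: bytes):
    """Return (filename, mode). An RRQ has no user or password field."""
    if len(packet) < 4 or struct.unpack("!H", packet[:2])[0] != OP_RRQ:
        raise ValueError("not an RRQ")
    fields = packet[2:].split(b"\x00")
    if len(fields) < 3 or not fields[0] or not fields[1]:
        raise ValueError("malformed RRQ")
    return fields[0].decode("ascii"), fields[1].decode("ascii").lower()

def authorize_read(root: str, requested: str) -> str:
    """Return the real path to serve, or raise PermissionError."""
    root_real = os.path.realpath(root)
    # realpath resolves "..", absolute names and symlinks before the check.
    target = os.path.realpath(os.path.join(root_real, requested))
    if os.path.commonpath([root_real, target]) != root_real:
        raise PermissionError("outside boot directory")
    st = os.stat(target)
    # A server uid that belongs to no real user can read only world-readable files.
    if not stat.S_ISREG(st.st_mode) or not st.st_mode & stat.S_IROTH:
        raise PermissionError("not a world-readable regular file")
    return target

def demo():
    """Run constructed requests against a temporary stand-in for /tftpboot."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        for name, mode in (("boot.img", 0o644), ("private.cfg", 0o600)):
            path = os.path.join(root, name)
            with open(path, "wb") as fh:
                fh.write(b"constructed sample data")
            os.chmod(path, mode)
        for name in ("boot.img", "private.cfg", "../../etc/passwd", "/etc/passwd"):
            packet = struct.pack("!H", OP_RRQ) + name.encode() + b"\x00octet\x00"
            try:
                authorize_read(root, parse_rrq(packet)[0])
                results[name] = "served"
            except PermissionError as exc:
                results[name] = f"denied: {exc}"
    return results

if __name__ == "__main__":
    print(demo())
```

The check runs on the resolved path, so a symbolic link inside the boot directory that points elsewhere is refused as well.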

15.5 Summary

TFTP is a simple protocol designed to fit in read-only memory and to be used only for booting diskless systems. It uses only a few message formats and a stop-and-wait protocol.

To allow multiple clients to boot at the same time, a TFTP server must provide some form of concurrency. Because UDP does not provide a unique connection between a client and a server (as TCP does), the TFTP server provides concurrency by creating a new UDP port for each client. This allows datagrams arriving from different clients to be demultiplexed by the server's UDP module according to UDP port numbers, rather than by the server itself.

The TFTP protocol provides no security features. Most implementations rely on the system administrator of the TFTP server to limit client access, allowing clients to reach only the files necessary for booting.

Chapter 27 describes the File Transfer Protocol (FTP), which is designed for general-purpose, high-throughput file transfers.

Origin blog.csdn.net/weixin_42528266/article/details/104751108