• Status: Solved

TFTP & an Authentication List

I have a need for setting up a TFTP server that authenticates devices as to if they should have access to files or not. It's possible that this could be done by MAC address, although many of these devices may be connected to the TFTP server via the internet, so I'm not sure if the MAC address would make it in the packets that far? Anyway, if anyone knows of a TFTP server that can do something like this, it would be greatly appreciated. I'm stuck in a spot where I would love to use FTP but the products we're pushing out do not support it.
Asked by: ivrusa
1 Solution
 
noctot Commented:
  TFTP has no support for what you are talking about. There is no authentication in TFTP. You can set up multiple TFTP servers and put access lists in front of them but then you would need to know the clients' IPs which would have to be static. You could also use the old "security through obscurity" method. If you don't want someone downloading a file just don't give them the filename. There is no file list functionality in TFTP so you have to already know the exact path.
   Can you be more specific about what it is you are trying to accomplish? This whole situation sounds weird.
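Added example (not part of the original thread): a TFTP read request as defined in RFC 1350, with RFC 2347 options, parsed to show that it carries only an opcode, filename, mode and options, so an access list in front of the server can key only on the UDP source address. The packet, file path and networks are constructed sample values.

```python
import ipaddress
import struct

OPCODES = {1: "RRQ", 2: "WRQ"}  # request opcodes from RFC 1350

# Constructed sample request: opcode, filename, mode, then one RFC 2347 option.
SAMPLE_RRQ = b"\x00\x01fw/gateway-1.2.bin\x00octet\x00blksize\x001428\x00"

# Constructed sample access list: file path -> networks allowed to read it.
ACL = {
    "fw/gateway-1.2.bin": [
        ipaddress.ip_network("203.0.113.10/32"),
        ipaddress.ip_network("198.51.100.0/28"),
    ],
}


def parse_request(packet: bytes) -> dict:
    """Parse a TFTP RRQ/WRQ; these are all the fields a request carries."""
    if len(packet) < 4 or not packet.endswith(b"\x00"):
        raise ValueError("truncated or unterminated request")
    (opcode,) = struct.unpack("!H", packet[:2])
    if opcode not in OPCODES:
        raise ValueError(f"not a request opcode: {opcode}")
    fields = packet[2:-1].split(b"\x00")
    if len(fields) < 2 or len(fields) % 2:
        raise ValueError("malformed request")
    filename, mode, *opts = (f.decode("ascii") for f in fields)
    return {
        "op": OPCODES[opcode],
        "filename": filename,
        "mode": mode.lower(),
        "options": dict(zip(opts[0::2], opts[1::2])),
    }


def authorize(src_ip: str, packet: bytes, acl=ACL) -> bool:
    """Allow a read only if the UDP source address is listed for that file."""
    try:
        req = parse_request(packet)
    except ValueError:
        return False
    if req["op"] != "RRQ":
        return False  # distribution server is read-only: refuse uploads
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in acl.get(req["filename"], []))
```

The parsed request has no field for a username, password or MAC address, which is why the list has to be built from static client IP addresses.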
 
Don Johnston (Instructor) Commented:
As noctot mentions, this is not possible with TFTP. That is the big difference between FTP and TFTP. Use FTP if you require authentication and TFTP if you don't.

-Don
 
ivrusa (Author) Commented:
We are a reseller of a VoIP Gateway. We have been given the opportunity to take over all Tier 1 & 2 support for this company, and therefore the ability to manage the maintenance and right to upgrade the gateways. Because of this, I have been asked to put together the software/equipment that would allow us to control who has the right to upgrade the firmware of these devices.
If I simply make a public TFTP server, the customers could renew their maintenance on one device, get access to the TFTP server, and upgrade ALL of their gateways, killing our overhead costs that we need to recoup in the maintenance contracts. So, I'm looking for a way to control the upgrade on a per-device basis. I was hoping that there might be a way I could enter MAC addresses in a TFTP server thereby eliminating people cheating the system, but it sounds like I can't.
FTP would give me authentication, but the problem with that model is that people could still have their devices log in multiple times. *Maybe* I can find an FTP server that I could create an account in AND limit it to 1 login, but then I still might incur a slew of overhead if their connection drops, etc.
I apologize for not being clear in the beginning. As this site is primarily aimed at IT infrastructures, I was concerned that our company's service model might not fit the bill with most of the participants here.
 
noctot Commented:
  Then I definitely think what you are trying to do is impossible. You are trying to charge end-users to upgrade each individual gateway. The problem is, once they download the file once they can use it as many times as they wish. You could definitely get an FTP server to function the way you describe but that wouldn't help either. As soon as they get access to the file once they can put it on all of their gateways.
   If you know how many gateways each customer has then you can charge them for access to the file and base that charge on the number of gateways. But be very careful about charging for firmware upgrades. Product warranty gives consumers a legal right to any changes in firmware that fix bugs. You are required to provide them with fully-functional firmware. However, you can charge for firmware that just introduces new features.
 
ivrusa (Author) Commented:
The customer has rights for 1 year to all product updates based on the warranty. After which they are required to purchase a renewal on a yearly basis (it's small) which also includes 24/7 support, configuration assistance, etc. The gateways have their own TFTP/FTP Get function that allows them to physically grab a file, so we were thinking that if there was a way to do it under a MAC address we could control the gateways to some degree, but yes, if we open it up to not using MAC addresses, then there is no possibility to limit it to only the gateway being able to connect, and then the customer can use a standard FTP client and grab the file, thus being able to distribute it across a number of gateways they have.
Unless we create something proprietary, there is no way to do this. DOH!