TFTP & an Authentication List

Posted on 2006-04-26
Last Modified: 2012-08-14
I have a need for setting up a TFTP server that authenticates devices as to whether they should have access to files or not. It's possible that this could be done by MAC address, although many of these devices may be connected to the TFTP server via the internet, so I'm not sure if the MAC address would make it in the packets that far? Anyway, if anyone knows of a TFTP server that can do something like this, it would be greatly appreciated. I'm stuck in a spot where I would love to use FTP but the products we're pushing out do not support it.
Question by: ivrusa
    LVL 3

    Expert Comment

    TFTP has no support for what you are talking about. There is no authentication in TFTP. You can set up multiple TFTP servers and put access lists in front of them, but then you would need to know the clients' IPs, which would have to be static. You could also use the old "security through obscurity" method. If you don't want someone downloading a file, just don't give them the filename. There is no file list functionality in TFTP, so you have to already know the exact path.
    Can you be more specific about what it is you are trying to accomplish? This whole situation sounds weird.
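    An added example, not code from this thread or any TFTP product: the RFC 1350 read-request layout, which shows that a TFTP request carries only a filename and a transfer mode (no credentials, no client MAC), followed by the kind of client-IP access list the comment above describes. The allowlist networks and filename are constructed values.

```python
# RFC 1350 request packets: 2-byte opcode, NUL-terminated filename,
# NUL-terminated mode. Nothing else is sent, so the server has no
# identity to authenticate; only the UDP source address is available,
# which is why an access list in front of the server needs static IPs.
import ipaddress
import struct

OP_RRQ = 1  # read request
OP_WRQ = 2  # write request


def build_rrq(filename: str, mode: str = "octet") -> bytes:
    """Encode a read request exactly as RFC 1350 lays it out."""
    return (struct.pack("!H", OP_RRQ)
            + filename.encode() + b"\0"
            + mode.encode() + b"\0")


def parse_request(packet: bytes) -> dict:
    """Decode an RRQ/WRQ. The returned fields are everything the
    protocol tells the server about the requester."""
    if len(packet) < 4:
        raise ValueError("truncated TFTP packet")
    (opcode,) = struct.unpack("!H", packet[:2])
    if opcode not in (OP_RRQ, OP_WRQ):
        raise ValueError(f"not a request packet (opcode {opcode})")
    fields = packet[2:].split(b"\0")
    if len(fields) < 3:  # filename, mode, and the empty tail after the last NUL
        raise ValueError("malformed request: missing NUL terminator")
    return {
        "opcode": opcode,
        "filename": fields[0].decode(errors="replace"),
        "mode": fields[1].decode(errors="replace").lower(),
    }


def allowed(client_ip: str, allowlist: list[str]) -> bool:
    """The only control TFTP leaves you: an access list keyed on the
    client's source address. `allowlist` is a constructed example."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(net, strict=False)
               for net in allowlist)


if __name__ == "__main__":
    pkt = build_rrq("gw-firmware.bin")  # constructed filename
    print(parse_request(pkt))           # no credential field exists
    print(allowed("203.0.113.7", ["203.0.113.0/24"]))
```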
    LVL 50

    Expert Comment

    by: Don Johnston
    As noctot mentions, this is not possible with TFTP. That is the big difference between FTP and TFTP. Use FTP if you require authentication and TFTP if you don't.


    Author Comment

    We are a reseller of a VoIP Gateway. We have been given the opportunity to take over all Tier 1 & 2 support for this company, and therefore the ability to manage the maintenance and right to upgrade the gateways. Because of this, I have been asked to put together the software/equipment that would allow us to control who has the right to upgrade the firmware of these devices.
    If I simply make a public TFTP server, the customers could renew their maintenance on one device, get access to the TFTP server, and upgrade ALL of their gateways, killing our overhead costs that we need to recoup in the maintenance contracts. So, I'm looking for a way to control the upgrade on a per device basis. I was hoping that there might be a way I could enter MAC addresses in a TFTP server, thereby eliminating people cheating the system, but it sounds like I can't.
    FTP would give me authentication, but the problem with that model is that people could still have their devices login multiple times. *Maybe* I can find an FTP server that I could create an account in AND limit it to 1 login, but then I still might incur a slew of overhead if their connection drops, etc.
    I apologize for not being clear in the beginning; as this site is primarily aimed at IT infrastructures, I was concerned that our company's service model might not fit the bill with most of the participants here.
    LVL 3

    Accepted Solution

    Then I definitely think what you are trying to do is impossible. You are trying to charge end-users to upgrade each individual gateway. The problem is, once they download the file once they can use it as many times as they wish. You could definitely get an FTP server to function the way you describe, but that wouldn't help either. As soon as they get access to the file once they can put it on all of their gateways.
    If you know how many gateways each customer has, then you can charge them for access to the file and base that charge on the number of gateways. But be very careful about charging for firmware upgrades. Product warranty gives consumers a legal right to any changes in firmware that fix bugs. You are required to provide them with fully-functional firmware. However, you can charge for firmware that just introduces new features.

    Author Comment

    The customer has rights for 1 year to all product updates based on the warranty. After which they are required to purchase a renewal on a yearly basis (it's small), which also includes 24/7 support, configuration assistance, etc. The gateways have their own TFTP/FTP Get function that allows them to physically grab a file, so we were thinking that if there was a way to do it under a MAC address we could control the gateways to some degree, but yes, if we open it up to not using MAC addresses, then there is no possibility to limit it to only the gateway being able to connect, and then the customer can use a standard FTP client and grab the file, thus being able to distribute it across a number of gateways they have.
    Unless we create something proprietary, there is no way to do this. DOH!
