7.0.0 beta (build 281) bug: TFTP cannot bind to port 69

[atomik]

Hi all,

I'm trying SecureCRT for Mac 7.0.0 build 281 and noticed that the new TFTP server won't work.

If enabled, every time I start an ssh connection it say me:

"The TFTP server could not bind to port 69 for the following reason: Permission denied"


Seems there is something wrong with permission when it call the bind() function with a low port like this.

[bgagnon]

Hello atomik,

The port 69 binding issue is something that you will need to resolve on your machine. Mac OS X restricts access to all ports below 1025. I am not sure what steps you will need to take to enable your account to access that port.

Additionally, it is UDP port 69 rather than TCP port 69, so there may be other hurdles you have to clear to get this working.

I suspect that somehow you are going to have to give your account root level access or login as root.

Does this help you find a solution to the OS restriction?

I have added this thread to a feature request in our product enhancement database for a mechanism to elevate the user's credentials when the TFTP server is being used. Should a future release of SecureCRT include this feature, notification will be posted here.

If you prefer direct e-mail notification, contact support@vandyke.com and include "Feature Request - Forum Thread #10456" in the subject line.

[toloughlin]

First off, I'm a fan of you guys, as my join date + most non-Vandyke employee posts show, however ... this feature should be pulled from the Mac version because of how out-of-the-flow, using it actually is.

First off, fire up "terminal" (which SecureCRT is most likely replacing).

Then,
#sudo /Applications/SecureCRT.app/Contents/MacOS/SecureCRT
<enter password>

Now, it'll spawn the app with 'root' perms ... as root is disabled by default.

With the sudo method, comes an empty "Config" folder (/var/private/...), so your sessions, button bars, key maps, color schemes & whatnot, are unavailable.

With your new session configured & TFTP checked-off, connect to the new session. At that point, you can netstat -ln | grep 69 and see the listener.

MBP:~ Tom$ netstat -ln | grep 69
udp4 0 0 *.69 *.*

Support -- if there's an easier way, please let me know, else this option will stay off & I'll keep with my free TFTP server app.

[bgagnon]

Hi Tom,

Quote:

First off, I'm a fan of you guys, as my join date + most non-Vandyke employee posts show,

Known, and appreciated.

I have added this thread to a feature request in our product enhancement database to automatically elevate the user to root using credentials from the Mac Keychain (when running the TFTP server on Mac/Linux platforms). Should a future release of SecureCRT include this feature, notification will be posted here.

If you prefer direct e-mail notification, contact support@vandyke.com and include "Feature Request - Forum Thread #10456" in the subject line.

Quote:

Support -- if there's an easier way, please let me know, else this option will stay off & I'll keep with my free TFTP server app.

Do you know the mechanism the free TFTP server app uses to perform elevation?

[wilddev]

Any news on when this feature is going to be fixed? It's been over a year and we're now on the beta of 7.2 and it still doesn't work properly.

Thanks

[bgagnon]

Hello wilddev,

The title of the thread is a bit misleading as this is a feature request not a bug.

Mac OS X restricts access to all ports below 1025 so the current implementation of the TFTP server on the Mac operating system may require the user to elevate privileges to root in order for the TFTP server to listen on UDP port 69.

Feature requests are typically prioritized based on a number of factors including, but not limited to, the number of requests and the amount of implementation work required. Should a future release of SecureCRT include this feature, notification will be posted here.

If you prefer direct e-mail notification, contact support@vandyke.com and include "Feature Request - Forum Thread #10456" in the subject line.

[wilddev]

It's not true this is a feature request. The feature, TFTP support is already present in the product. It just doesn't work properly unless you run as root which no one does in OS X. This is a _bug_ pure and simple.

It is disingenuous for Van Dyke to claim this is a valid feature of the existing Mac OS X client when it doesn't work for normal user operation. As the original poster said, it should be either removed as a feature until it's made to work right, or preferably fixed so it works properly.

I'm not a programmer, so I have no idea how it should work, but there are literally dozens of programs on my Mac that know how to elevate privileges enough to use a reserved port. Hell I can even run the OS X server on my system which has www, ftp, dns, dhcp and others that use low ports without issue. And I _don't_ have to login as root to run them either.

Come on, this is an open bug with the program for a very long time. Claiming it's a feature enhancement is really just passing the buck.

[Maureen]

wilddev,

You are correct that many programs on the Mac are able to access low ports without requiring the user to elevate privileges. This is because the Mac allows daemons (launchd) to access privileged ports without being privileged. SecureCRT cannot do this because it's not a daemon.

When we looked into this issue a while back, we thought addressing it would require a fairly large development effort. We have a couple of new ideas that might not require such a large development effort. We will be exploring these ideas soon. I will post more information here as soon as we know more.

Maureen

[wilddev]

Thank you a reasoned and reasonable answer. I appreciate it. I will await to hear more news about this from you.

[devrick0]

Has any progress been made on resolving this? We are a Mac shop with a heavy focus on networks. A proper solution/fix would save a lot of work around headaches.

[Maureen]

We implemented something, but the feedback from testers was that it wasn't they were expecting, so we're planning to go back to the drawing board and see if we can implement a different solution.

Maureen

[devrick0]

If you need a tester, feedback, etc., let me know. I have a team willing to devote time and provide feedback. We would love to have this solution built into SecureCRT versus some of the work arounds we are performing today.

[Maureen]

Quote:

Originally Posted by devrick0

If you need a tester, feedback, etc., let me know. I have a team willing to devote time and provide feedback. We would love to have this solution built into SecureCRT versus some of the work arounds we are performing today.

Thanks for the offer. Please send an email to me at Maureen.Jett@vandyke.com so that I can contact you directly.

Maureen

[Maureen]

We have a pre-beta version of SecureCRT for Mac OS X that has a TFTP helper app that automatically prompts for credentials so that it's possible to bind to port 69. If you'd like to try it, please send email to me at Maureen.Jett@vandyke.com.

Maureen

[Maureen]

The ability to start and stop the TFTP server manually as well as options for starting the TFTP server at the global level (instead of at the session level) have been added to a pre-beta version of SecureCRT. If you would be interested in trying it, please send email to me at Maureen.Jett@vandyke.com.

Maureen