Davide Grandis wrote:
Yes, those are good controls on tftp and sound like best practices.
For initial population of /tftpboot though one may want to use -c and then once it is populated remove the -c switch, check it all into cvs/subversion and make sure the permissions are sane.
Let me say that in some circumstances it may not be that easy to create the file in advance. This is usually the case when TFTP-ing in from a network device that has limited capabilities (typically no SSH client). Anyway, that's an added complexity that is unnecessary from my point of view.
I normally just open 2 windows from wherever I'm working, one ssh'd to the server holding the file copies, one for telnet or ssh to the device. Sometimes this involves a VPN connection and access to a freenx session that already has some of these windows open. For things like editing access lists, I find it much easier to edit on the computer side and tftp the whole thing than to work with the limited set of commands on a router. Likewise for initial router/switch setups, I usually create the file from a copy of something similar, edit it on the server, then tftp it to the startup config and reload. Plus, after tftp'ing any changes back to the server I need the connection there to commit to cvs.
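As an added example (not part of the original thread), the script below audits a TFTP root once the initial population step is over: it flags a daemon option string that still carries -c and lists the files clients can still overwrite. It assumes in.tftpd (tftp-hpa style) behaviour, where without -c an upload may only replace an existing world-writable file; the function names and the demo directory are hypothetical.

```shell
#!/bin/sh
# Added example: audit a TFTP root once initial population is finished.
# Assumption: in.tftpd (tftp-hpa style) options, where -c/--create allows new
# files and, without it, uploads may only overwrite existing world-writable files.

# Succeeds (0) if the given option string still enables file creation.
tftpd_allows_create() {
    for opt in $1; do
        case "$opt" in
            --create) return 0 ;;
            --*)      ;;                 # other long options
            -*c*)     return 0 ;;        # -c alone or bundled, e.g. -sc
        esac
    done
    return 1
}

# Prints every regular file under the root that a TFTP client could overwrite.
upload_targets() {
    find "$1" -type f -perm -0002 | sort
}

# Prints findings; returns 1 if creation is still enabled, else 0.
audit_tftp_root() {
    opts=$1 root=$2 rc=0
    if tftpd_allows_create "$opts"; then
        echo "FAIL: -c/--create still set; clients can add files to $root"
        rc=1
    fi
    upload_targets "$root" | while IFS= read -r f; do
        echo "WRITABLE: $f (confirm it is committed to version control)"
    done
    return $rc
}

# Constructed demo input: a throwaway directory, not a real /tftpboot.
demo=$(mktemp -d)
touch "$demo/router1-confg" "$demo/ios.bin"
chmod 666 "$demo/router1-confg"   # intended upload target
chmod 644 "$demo/ios.bin"         # download-only image
audit_tftp_root "-l -s $demo -c" "$demo" || echo "audit reported problems"
```

The option check is a simple heuristic over the option string, so pass it the arguments exactly as they appear in the inetd/xinetd or defaults file for the daemon.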