> So what does nncp-exec do? It reads stdin and encrypts it to node bob. It adds metadata, saying it’s requesting the “tarextract” command, and adding two arguments to it (the -C /var/local/backups). It writes this all into a packet file in the transmission queue for bob.
> When bob processes the packet, it spins up /usr/bin/tar -xpf - -C /var/local/backups, piping to it the data that had originally been piped to nncp-exec.
I was with them until seeing that nncp-exec accepts user-provided arguments[2], and that just smells like an escape waiting to happen. Since they drew parallels between that and the command= in authorized_keys[2] I looked it up and it doesn't appear that either command= or its ForceCommand sibling accepts user-provided arguments.
I presume its target audience is where both ends of the connection are "you" (or at least fully trusted).
1: https://www.complete.org/nncp-concepts/#remote-execution
2: https://manpages.ubuntu.com/manpages/noble/man8/sshd.8.html#...
NNCP peers may be completely untrusted, but in this case don't expose a weak nncp-exec command to those peers.
For example, there is an `exec: /usr/bin/tar` command exposed for Alice, but not for Eve. For Eve there may be an `exec: /usr/local/bin/file-request-handler-for-untrusted-peers.sh` command available which adds the access control layer.
ForceCommand accepts user parameters except via environment variables.
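
The access-control layer suggested in the thread for untrusted peers, sketched as an added example (not code from any commenter or from NNCP). The script name comes from the comment above; the spool directory, the one-file-name request format and the function names are assumptions.

```shell
#!/bin/sh
# Added example: access-control wrapper for an exec handle exposed to an
# untrusted peer. Paths, names and the request format are assumptions.
LC_ALL=C; export LC_ALL              # byte-wise character ranges in patterns
SPOOL_DIR=/var/local/public-files    # assumed fixed directory of served files

# Succeed only if the peer-supplied arguments are exactly one safe file name.
validate_request() {
    [ "$#" -eq 1 ] || return 1          # no extra options or operands
    name=$1
    [ "${#name}" -le 64 ] || return 1   # bounded length
    case $name in
        '' | -*)            return 1 ;; # empty, or would parse as an option
        . | ..)             return 1 ;; # directory references
        */*)                return 1 ;; # any path separator
        *[!A-Za-z0-9._-]*)  return 1 ;; # outside the allowlisted characters
    esac
    return 0
}

# Print the path under SPOOL_DIR for a valid request; fail otherwise.
resolve_request() {
    validate_request "$@" || return 1
    printf '%s/%s\n' "$SPOOL_DIR" "$1"
}

# Serve the requested file on stdout, refusing symlinks and non-regular files.
handle_request() {
    path=$(resolve_request "$@") || { echo "request rejected" >&2; return 64; }
    if [ ! -f "$path" ] || [ -L "$path" ]; then
        echo "no such file" >&2
        return 66
    fi
    cat -- "$path"
}

# Run only when installed under the handler name used in the thread.
case ${0##*/} in
    file-request-handler-for-untrusted-peers.sh) handle_request "$@"; exit $? ;;
esac
```

The peer's arguments are never passed through to another program's command line; they are reduced to one validated file name that is appended to a fixed directory.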