Request for deprecation of KDESu::SshProcess and removal of kdesu_stub/kdessh

Friedrich W. H. Kossebau kossebau at kde.org
Fri Dec 18 21:02:47 CET 2009


Hi,

KDESu::SshProcess (in kdelibs) and the commandline shell for it, kdessh (in 
kdeutils) are horribly broken (as in: do not work and may be insecure) and (at 
least for me) seem not easy to be fixed.

I guess most of you do not even know these things exist, so:
kdessh is a wrapper to ssh and, instead of executing the original remote 
command, first (via KDESu::SshProcess) fires up kdesu_stub on the remote 
computer to set up the environment variables as needed for a better integration 
into the local session, only then executes the original command.
Additionally it also caches the passwords (but does not use KWallet).

It is not working at all currently, as this commit
	"Move kdesu_stub to libexec"
	http://websvn.kde.org/?view=revision&revision=666108
moved kdesu_stub out of the $PATH, so the ssh server will not find it.
Is there a chance somebody remembers why it was moved to ? And not 
perhaps renamed kdesu_stub to kdesu_stub4? Or just have it conflict with the 
KDE 3 version, like e.g. KWrite has a conflict, too.

The class KDESu::SshProcess/StubProcess itself has a wild mixture of 
undocumented return values, seems to forget about child processes in some 
conditions, has password strings in unsecured memory, does not reuse the 
running ssh connection after testing for password needs, does not do a proper 
check for false passwords and what else.

From lxr.kde.org it seems kdessh is the only user of KDESu::SshProcess, 
besides kvpnc in playground/network (no idea about its state). And with zero 
reports about this problem on b.k.o kdessh also seems without any users.

As no one has ever had a closer look at kdessh until now (starting kdessh did 
nothing, including no obvious harm, so it got ignored), including the kdeutils 
coordinator (who is writing here) it was only now decided to move kdessh from 
kdeutils to tags/unmaintained after the Beta2 release. Sorry for any 
inconvenience.

Additionally the class KDESu::SshProcess in kdelibs should be marked as 
deprecated. Perhaps it could be even removed, as I do not think anyone is 
using this class/these symbols?
Also kdesu_stub no longer needs to be built and installed, as long as it 
ends in lib/kde4/libexec.

Still I think such a utility for the integrated execution of remote programs 
is nice to have. But with X11-forwarding-enabled ssh client/servers and ssh-
agent/-add it should perhaps have another approach, including integration of 
KWallet. I also wonder how much remote X clients can and should be integrated 
in the local session at all, including the Session D-Bus?

Cheers
Friedrich

PS: In case you are interested find attached two patches which made kdessh at 
least working again, until I found SshProcess too broken to continue to clean 
up for all possible conditions. Patches do s/magic numbers/enums/g, renames 
kdesu_stub to kdesu_stub4 and installs it to bin/ again, code style cleanup, 
more caring for child processes.
-- 
Okteta - KDE Hex Editor - http://utils.kde.org/projects/okteta
-------------- next part --------------
A non-text attachment was scrubbed...
Name: attemptToFixSshProcess.patch
Type: text/x-patch
Size: 14804 bytes
Desc: not available
Url : http://mail.kde.org/pipermail/release-team/attachments/20091218/98077365/attachment-0002.patch 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: adaptKdesshToSshProcessFix.patch
Type: text/x-patch
Size: 1003 bytes
Desc: not available
Url : http://mail.kde.org/pipermail/release-team/attachments/20091218/98077365/attachment-0003.patch 

