Request for deprecation of KDESu::SshProcess and removal of kdesu_stub/kdessh
Friedrich W. H. Kossebau
kossebau at kde.org
Fri Dec 18 21:02:47 CET 2009
Hi,
KDESu::SshProcess (in kdelibs) and the commandline shell for it, kdessh (in
kdeutils) are horribly broken (as in: do not work and may be insecure) and (at
least for me) do not seem easy to fix.
I guess most of you do not even know these things exist, so:
kdessh is a wrapper to ssh and, instead of executing the original remote
command, first (via KDESu::SshProcess) fires up kdesu_stub on the remote
computer to set up the environment variables as needed for a better integration
into the local session, only then executes the original command.
Additionally it also caches the passwords (but does not use KWallet).
It is not working at all currently, as this commit
"Move kdesu_stub to libexec"
http://websvn.kde.org/?view=revision&revision=666108
moved kdesu_stub out of the $PATH, so the ssh server will not find it.
Is there a chance somebody remembers why it was moved to ? And not
perhaps renamed kdesu_stub to kdesu_stub4? Or just have it conflict with the
KDE 3 version, like e.g. KWrite has a conflict, too.
The class KDESu::SshProcess/StubProcess itself has a wild mixture of
undocumented return values, seems to forget about child processes in some
conditions, has password strings in unsecured memory, does not reuse the
running ssh connection after testing for password needs, does not do a proper
check for false passwords and what else.
From lxr.kde.org it seems kdessh is the only user of KDESu::SshProcess,
besides kvpnc in playground/network (no idea about its state). And with zero
reports about this problem on b.k.o kdessh also seems without any users.
As no one has ever had a closer look at kdessh until now (starting kdessh did
nothing, including no obvious harm, so it got ignored), including the kdeutils
coordinator (who is writing here) it was only now decided to move kdessh from
kdeutils to tags/unmaintained after the Beta2 release. Sorry for any
inconvenience.
Additionally the class KDESu::SshProcess in kdelibs should be marked as
deprecated. Perhaps it could be even removed, as I do not think anyone is
using this class/these symbols?
Also kdesu_stub no longer needs to be built and installed, as long as it
ends in lib/kde4/libexec.
Still I think such a utility for the integrated execution of remote programs
is nice to have. But with X11-forwarding-enabled ssh client/servers and ssh-
agent/-add it should perhaps have another approach, including integration of
KWallet. I also wonder how much remote X clients can and should be integrated
in the local session at all, including the Session D-Bus?
Cheers
Friedrich
PS: In case you are interested find attached two patches which made kdessh at
least working again, until I found SshProcess too broken to continue to clean
up for all possible conditions. The patches do s/magic numbers/enums/g, rename
kdesu_stub to kdesu_stub4 and install it to bin/ again, code style cleanup,
more caring for child processes.
--
Okteta - KDE Hex Editor - http://utils.kde.org/projects/okteta
-------------- next part --------------
A non-text attachment was scrubbed...
Name: attemptToFixSshProcess.patch
Type: text/x-patch
Size: 14804 bytes
Desc: not available
Url : http://mail.kde.org/pipermail/release-team/attachments/20091218/98077365/attachment-0002.patch
-------------- next part --------------
A non-text attachment was scrubbed...
Name: adaptKdesshToSshProcessFix.patch
Type: text/x-patch
Size: 1003 bytes
Desc: not available
Url : http://mail.kde.org/pipermail/release-team/attachments/20091218/98077365/attachment-0003.patch