The number of times I've been stuck wondering if my keystrokes are registering properly for a sudo prompt over a high latency ssh connection.
These servers I had an account setup too were, from what I observed, partially linked with the authentication mechanism used by the VPN and IAM services. Like they'd have this mandatory password reset process and sometimes sudo was set to that new password, other times it was whatever was the old one. Couple that with the high latency connection and password authentication was horrible. You would never know if you mistyped something, or the password itself was incorrect or the password you pasted went through or got double pasted.
I think this is a great addition, but only if it leads to redhat adopting it which is what they were running on their VMs.
Had problems with faulty keyboards in the past too, never to be sure which keys were I pressed I had to type the password in a text file (much more insecure) and then paste it on the prompt. Of course this was never done in front of anyone, shoulder surfing was never an issue to begin with.
But you should not type sudo passwords on remote machine. Instead setup your machinr to have nopassword for special sdmin account and enable pubkey only authentication.
Yeah but am I going to really open another ssh connection just to run an admin specific command. They also didn't provide an admin user, it setup with all of the extra security configurations. You couldn't even `su`
You could have avoided the worry completely. Ssh goes over tcp that does transport control (literally the “tc” in “tcp”) and this includes retransmission in case of packet loss.
If you are on a high latency ssh connection and your password does not register, you most likely mistyped it.
I am aware of that but you forgot the other conditions. Keys sometimes don't register, I'm not sure why but I do experience missing keystrokes.
The passwords get updated irregularly with the org IAM so you aren't sure what the password even is. Pasting doesn't work reliably sometimes, if you're on windows you need to right click to paste in terminals, sometimes a shortcut works. Neither gives me any feedback as to what event was ever registered though.
This is such a good decision. It's one of those things that's incredibly confusing initially, but you get so used to it over the years, I even forgot it was a quirk.
In the modern world there is no plausible scenario where this would compromise a password that wouldn't otherwise also be compromised with equivalent effort.
I also think it is a good decision.
Nevertheless it breaks the workflow of at least one person. My father's Linux password is one character. I didn't knew this when I supported him over screen sharing methods, because I couldn't see it. He told me, so now I know. But the silent prompt protected that fact.
It is still a good decision, an one character password is useless from a security standpoint.
Drats, you're right. I thought it'd be worse, but the ratio seems to only depend on the number of letters in your character set: 1/count(letters in alphabet).
For ascii at 95 printable chars you get 0.9894736842. Makes intuitive sense as the "weight" of each digit increases, taking away a digit matters less to the total combos.
Maybe I'll start using one Japanese Kanji to confuse would be hackers! They could spend hours trying to brute force it while wondering why they can't crack my one letter password they saw in my terminal prompt. ;)
It could also give useful priors for targeted attacks, "Their password is 5 characters, and their daughters name is also 5 characters, let's try variations of that".
I may or may not use a single char password on a certain machine. This char may or may not be a single space. It may or may not be used in FDE. It's surprising what (OS installers) this breaks.
In the early days we all shared computers. People would often stand behind you waiting to use it. It might even not have a screen, just a teletype, so there would be a hard copy of everything you entered. We probably didn't have account lockout controls either. Knowing the length of a password (which did not tend to be long) could be a critical bit of info to reduce a brute force attack.
Nowadays, not so much I think. And if you are paranoid about it, you can still set it back to the silent behaviour.
And just sticking to counting, a not exceptionally well-trained ear could already count how many letters you typed and if you pressed backspace (at least with the double-width backspace, sound is definitely different)
Yeah I recall that there was an attack researchers demonstrated years back of using recordings of typing with an AI model to predict the typed text with some accuracy. Something to do with the timings of letter pairings, among other things.
"Let's look at their screen and see how long their password is." This article is about silent sudo.
Have you ever watched a fast touch typist, someone that does over 100 words per minute? Someone who might be using an keyboard layout that you're not familiar with? When the full password is entered in less than a second it can be very difficult to discern what they typed unless you're actually recording with video.
But sure, if you're watching someone who types with one finger. Yes, I can see that.
Why not just display a single character out of a changing set of characters such as
/ - \ |
(starting with a random one from the set) after every character entered?
That way you can be certain whether or not you entered a character but and observer can‘t tell how many characters your password has.
There was a software package a couple decades ago, I want to say it was Lotus Notes but I'm pretty sure it wasn't actually Lotus Notes but something of that ilk, that would show a small, random number of asterisks corresponding to each character entered. So you'd hit one key and maybe two asterisks would show up on screen. And kept track of them so if you deleted a character, it'd remove two.
I thought that was kinda clever; it gives you feedback when your keystrokes are recognized, but it's just enough confusion to keep a shoulder surfer from easily being able to tell the length of your password unless you're hunt-and-pecking every single letter.
Yeah, I remember Lotus Notes both showing multiple filler characters per keystroke and showing different keychain pictures based on the hash of what you typed. This way you could also tell you've made a typo before submitting it.
Yup, it was Notes, I used it at IBM. It was an unbelievably stupid idea. Every single day people were asking why their password was wrong because they were confused by the line of stars being too long.
Sorta reminds me of the i3lock screen locker. It shows an incredibly confusing circle UI where every keystroke randomizes the position of the sector on a circle, with no explanatory text on the screen (^1). To new users, it's not clear at all that you are entering your user password or even that it's a screen locker at all, because it just looks like a cryptic puzzle.
Of course, once you do understand that it's just a password prompt, it's great. Completely confuses the hell out of any shoulder surfers, who will for sure think it's a confusing puzzle, and eventually they will get rate limited.
Now that you mention i3lock, if sudo showed a symbol changing with each keystroke, it could show it's working (not frozen, accepting input) without revealing the length, similarly to i3lock. I've seen ascii loading spinners from package managers by changing between slashes and hypens and such. Something of that sort would probably do the trick.
ATM keypads are very carefully designed so that all the buttons sound exactly the same, so you can't lift a PIN by recording the sound.
I've seen this demonstrated, using "Cherry" type keyswitches, with about a 75% success rate.
I also knew an old guy who could tell what an ASR33 or Creed teleprinter was printing just by the sound, with "good enough" accuracy, and copy RTTY by ear with "good enough" accuracy.
He didn't really talk about his time in the Royal Signals in the 50s and 60s very much.
It's surprising to see an OS, dominant as a sever platform, now optimizing catering to people who are unsure whether they've pressed a button on their keyboard. What's next, replacing asterisks with a progress bar?
There's no persistent reveal of password length after you're finished typing. It reduces the length-reveal leak from anyone who eventually sees the terminal log to people who are actively over-the-shoulder as you type it.
If you can see 1 char from set of 4 you know the number of characters modulo 4. If the minimum length of a password is 6, and probably it is no longer than 12 characters, then you can narrow the length to 1 or 2 numbers. It is marginally better than asterisks of course, of course, but it is still confusing.
They mean to have a static single character on the screen and have it change with every keypress. For example, you type "a" and it shows /. You type "b" and it shows "|", etc.
Oh you mean like every time you type a password, it steps a spinner round? That solves the problem that IBM used to use for Notes where it showed "the wrong number of stars" which confused the hell out of users.
Someone should make a joke version that replaces the ***s with comedic passwords or ridiculously bad ones: When you're typing your real password, "iloveyouiloveyou", "12345612345", or "hunter42hunter.." gets printed to the screen.
Fascinating . . . reading the comments, it seems like the vast majority think this is a long overdue change. For myself, it never occurred to me that there was any issue and I'm slightly unsettled by the change (i.e. it is far from obvious to me that it's a good thing). It is not something I've thought deeply about, of course.
Because you long forgot how confusing it was, that you can't see if your keystrokes are accepted by the machine. This is a change for people, that are new to Linux/Unix
Worse than this issue, but kind of related, sometimes TTY1 (and maybe also the other TTYs) is being spammed by log info on boot, and if you have a TTY login it isn't obvious you can just log in anyway. Had a friend using Arch+i3 with TTY login, pretty new to GNU/Linux in general, so he kinda threw up his hands like "ah dang, can't log in, it's broken". I tried to tell him to just type his credentials anyway, but he didn't get what I was saying at first. Took a bit before we got him logged in and could address the other issues. I've had similar issues on my machines. I once had kernel log verbosity cranked up by accident, copied my config from another machine where I was chasing a GPU bug. Well, the same settings on the other machine were presenting way worse, constant never-ending line-spam, before and after login. Had to get into a graphical environment half-blind to see what I was doing and then turn down the verbosity. IMO there should be an easier way around that.
I expect there's an audience selection bias at work: Fewer greybeards and more spiky haired teens reading HN.
I think it's an awful idea. Apart from making things less secure it also makes sudo's UX inconsistent with most of the other coreutils. Luckily, I don't plan on doing any more ubuntu installs.
I didn't actually know that Mint had enabled this by default. That would have been a useful counterpoint to the naysayers.
If you want the original behaviour you don't actually need to change the configuration - they added a patch afterwards so you can press tab and it will hide the password just for that time.
> The catalyst for Ubuntu’s change is sudo-rs
Actually it was me getting sufficiently pissed off at the 2 second delay for invalid passwords in sudo (actually PAM's fault). There's no reason for it (if you think there is look up unix_chkpwd). I tried to fix it but the PAM people have this strange idea that people like the delay. So I gave up on that and thought I may as well try fixing this other UX facepalm too. I doubt it would have happened with the original sudo (and they said as much) so it did require sudo-rs to exist.
I think this is one of the benefits of rewriting coreutils and so on in Rust - people are way more open to fixing long-standing issues. You don't get the whole "why are you overturning 46 years of tradition??" nonsense.
If you do, offer support for writing modules in a scripting language like Lua or Python. PAM could make it a lot easier to just add OAuth with your company IdP, for example…
The code you linked to isn't the code for a wrong password. It's a check to make sure you're using a TTY. That code isn't to prevent brute force. The delay there is 10 seconds.
It's really really not. By default PAM has a difficult-to-disable 2ish second minimum delay for all authentication methods. However this is completely pointless for local password authentication because PAM checks password using unix_chkpwd, which has no delay. The comment I linked to is explaining that unix_chkpwd has a silly security theatre delay if you try to run it in a tty, but that's trivial to avoid.
If you want to brute force local password authentication you can just run unix_chkpwd as fast as you like. You don't need to involve PAM at all, so its 2 seconds delay achieves nothing.
It maybe does more for remote connections but I'm not sure about that either - if you want to check 10k ssh passwords per second what stops you making 10k separate connections every second? I don't think the 2 second delay helps there at all.
> Change both the config files and you can remove the delay if you want.
This is extremely complicated. See the comments in the issue for details.
> You don't get the whole "why are you overturning 46 years of tradition??" nonsense
Respectfully, we are the opposing sides of the barricades here. I was removing sudo-rs, uutils and some of the systemd-* packages from fresh Ubuntu installations until the amount of virtue signaling got really tiresome.
Currently almost no Ubuntu left in my production. Hopefully Debian will not package those.
If you start by hitting backspace a few times and/or typing random characters and deleting them (to make sure the keyboard's working and sending your inputs where you think) it should obscure the length somewhat.
Yeah I would like to fix those too but sudo is the one I encounter most. Also the existence of sudo-rs meant there was less push-back. I seriously doubt the maintainers of openssh or passwd would accept this change.
When I wrote the login program for my VSTa microkernel, I took a page from the CDC side of the world--it echoes a _random_ (but small, non-zero) number of *'s. So you get feedback, but indeed peering over your shoulder will not disclose password length.
And yes, it remember how many it echoes so backspace works correctly.
Most of those suggestions would be incredible confusing for anyone not familiar with the concept.
Users expect to see exactly 1 new char (either the key pressed or an asterix) when they type something. Seeing up to three chars appearing or disappearing after some time imho is worse than what we have today.
It is. Only the default changed. Also you can press tab if someone happens to be looking over your shoulder (and your password is so obvious they can guess it from the length).
However it is pretty obvious at this point that Ubuntu will absolutely remove those from one of the future releases because availability of real sudo and coreutils is detrimental to the virtue signaling they are engaging in.
After being a lifetime Ubuntu user I have moved to Debian across almost all of my production.
So now there's a few additional steps when I install a new distribution to make certain that classic sudo is the one installed, rather than sudo-rs
I'm sure someone things this is a good idea, but I do not, and nobody cares what I think. But I come from being a long-time coder who's always been a terrible typist and can't depend on "touch typing" and have to actually look at things, like the keys, and the screen. And handicapped by going blind in one eye, and having arguments with eye doctors who say "get used to it and switch to audio books" and needing 14-point boldface fonts for everything.
Weird argument about the logging password forging the same in a gui. Because it certainly it not when logging in using a terminal locale or ssh for that matter
Either way, password lengths are exposed in virtually all scenarios except the Unix Terminal - and have caused 0 issues in practice. The default of hiding password inputs really is useless security theater, and always has been.
The crazier part is Ubuntu using a pre-1.0 software suite instead of software that has been around for decades. The switch to Rust coreutils is far too early.
Do you have some data to back that up? Because I doubt it’s literally 0. I make this point because we shouldn’t talk about absolutes when discussing security.
Fo example, Knowing a password length does make it easier to crack a password. So it’s not strictly “security theatre”.
So the real question isn’t whether it has any security benefit; it’s more is the convenience greater than the risk it introduces.
Framing it like this is important because for technical users like us on HN, we’d obviously mostly say the convenience is negligible and thus are more focused on the security aspect of the change.
But for the average Desktop Ubuntu user, that convenience aspect is more pronounced.
This is why you’re going to see people argue against this change on HN. Simply put, different people have different risk appetites.
Knowing password length makes it easier to crack an insecure password.
The SHA256 hash of a 6-symbol diceware password, where each symbol has its first letter capitalized and the rest lowercase, with 1! appended for compliance with misguided composition rules is 540b5417b5ecb522715fd4bb30f412912038900bd4ba949ea6130c8cb3c16012. There are 37 octets in the password. You know the length. You know the composition rules. You have an unsalted hash. It's only 77 or so bits of entropy. Get cracking, I'll wait.
Secure keyboard tty entry interaction by the terminal should manage this rather than implement it in one app. Another advantage of this method is that such affordances can be generated or silenced locally, and it's code that can be shared when used with passwd, pinentry, etc. and sudo rather than implemented N times.
> sudo password is the same as their login password — one that already appears as visible placeholder dots on the graphical login screen. Hiding asterisks in the terminal while showing them at login is, in the developers’ estimation, security theatre.
So hide the first one as well? But also, that's not true, not all terminal passwords are for local machine
> Confusing — appears frozen
So make it appear flashing? Still doesn't need to reveal length
This is literally never identified as an issue in any other system processing passwords. This feels like a debate by someone who once thought they had a clever idea and can’t let go despite everyone telling them it’s awful.
Feels like you're talking to your own strawman re. whether hiding password length makes sense, which I specifically didn't address, only pointed out that the arguments I've quoted do not support the change.
The reason is to protect the innocent, of course, they're mostly clueless about security! But I don't know the level of practical benefits for this measure, superficially seems to be rather low, but then (assuming silly usability issues like "appears frozen" are fixed) what's the downside?
Modern password ui also gives the option to toggle the actual letters on so you can verify that you are actually typing the right thing. Hopefully that doesn't take another 46 years.
Just as you get used to something crazy after two decades, have kids, and are about to unleash it on them, it gets fixed. Will there be no boomer pleasures left for us millennials?
Is this really the thing we're complaining about though? There's a lot more annoying things in Linux, rather than whether or not I see dots when I login...
How about all the daemons that double log or double timestamp on systemd machines?
I've been using a two character password since the last 10 years of my 23 year linux usage; I log in to console and manually start X. Guess the shame will catch up now.
You can choose the middle ground and start X in whatever file is executed by your shell at login, after checking that X is not already running and that the login has not been done remotely through SSH. Instead of using "startx" (which on a properly configured system would also start whatever desktop environment you use), you can use the start program of your desktop environment, for instance I use XFCE, whose starting program is "startxfce4".
This eliminates the need to do the start manually when you login, but like after a manual start you can stop the GUI session, falling back into a console window, and then you can restart the GUI if needed.
I prefer this variant and I find it simpler than having any of the programs used for a GUI login, which have no advantage over the traditional login.
Funny. But I have to say the shaming of users who have different opinions or want to make different choices (the whole point of free software) is one of the saddest development in the free software world, such as the push for BSD replacements for GPL components, the entanglement of software components in general, or breaking of compatibility, etc. No matter whether you stand, that it is becoming harder to choose components in your system to your liking should give everybody pause. And if your argument involves the term "Boomer" because you prefer the new choice, you miss the point. Android should be a clear warning that we can loose freedoms again very quickly (if recent US politics is not already a warning enough).
Sadly everyone wants convenience. Nobody hates MS because they are bad, they hate them because they are inconvenient. People are missing the fact that Google is exactly where MS was in the 90s and is most definitely as bad if not worse. I hate android sadly linux isn't looking too good rigt now on mobile.
Devs are are missing the point with linux on phone. Get the point part working first lol so that people have some incentive to carry the damned thing. Apps come later
I don’t know why this keeps coming up. Has this been a big deal for everyone else? Like ok usability improvement, but the number of times I have read an article about this is silly.
The security argument is a red herring. It was originally built with no echo because it was easier to turn echo on and off than to echo asterisks. Not for security.
You got some sources or did you just make that up?
Because to hell with UX when it comes to security. Knowing the exact length of a password absolutely makes it significantly less secure, and knowing the timing of the keystrokes doubly so.
Yet somehow, none of the other high security tools I have ever interacted with seem to do this for some reason. No auditor flags it. No security standard recommends hiding it.
But SUDO is the one bastion where it is absolutely essential to not offer hiding keystrokes as an obscure config option, but enable for everyone and their mother?
> easier to turn echo on and off than to echo asterisks.
One implies the other. You turn echo off. Then you write asterisks.
> Not for security.
Consider the case of copy and pasting parts of your terminal to build instructions or to share something like a bug report. Or screen sharing in general. You are then leaking the length of your password. This isn't necessarily disastrous for most use cases but it is a negative security attribute.
> One implies the other. You turn echo off. Then you write asterisks.
That's not how it works. Sudo turns off echo but otherwise keeps the terminal in it's normal cooked canonocal mode, meaning sudo only sees what you've entered after you hit enter. To print asteriks as you type requires putting the terminal in raw mode, which has the addition consequence of needing to implement shit like backspace yourself. Still a UX win worth doing, but it's pretty clear that skipping that and just disabling echo is an easier lazier implementation.
You're correct, but, the echo and canonical mode flags are literally in the same termios structure member. One is no more complicated to change than the other. You can also easily switch to character at a time read() which makes handling backspace, erase or kill exceedingly simple.
I still doubt the claim the scheme employed by sudo was done because it "was easier."
The first is like 3 lines of code, to get the attrs, disable the echo flag then set the attrs again. The second is.. I don't know probably about twenty lines of code to handle the primitive line editing yourself and also asterisk printing. In my view, this is enough of a difference to motivate a conclusion that the first is good enough. Also note that this decision was made back in the early 70s when login was first implemented, and it established a convention which was very easy and convienent to carry forward to su and later sudo.
The point is that you know that the password is not longer than N.
This indeed reduces the search domain by many orders of magnitude, i.e. by more than an order of magnitude for each character that you now know that it is not used by the password.
Knowing the length of the password does not matter only in antediluvian systems, which had severe restrictions on the length of a password, so you already knew that the password is no longer than, e.g., 8 characters.
That's obviously false. It narrows it down less than a factor the length of the password, so unless your password is several orders of magnitude, it lowers narrows by a factor of ~8.
If you know that a password is no longer than, e.g., 10 characters, that narrows down the search domain by many, many orders of magnitude, in comparison with the case when you did not know this and you had to assume that the password could have been, e.g. 18 characters long.
If you test the possible passwords in increasing length, then knowing the length would not shorten much the search, but not knowing the length may prevent an attempt to search the password by brute force, as such an attempt would fail for longer passwords, so it is not worthwhile to do unless success is expected.
With modern hashing schemes, which require both a lot of time and a lot of memory for each tested password, even one extra character in the password can make the difference between a password that can be cracked in a useful time and one that would take too much time to crack, so knowing the length can be very important for the decision of an attacker of trying the exhaustive search approach.
Knowing the length is less important only for the users who are expected to choose easy to guess passwords, as there are much less of those than the possible random passwords.
It's fun, leading edge Linux distros (e.g. GNOME OS) are actually currently removing `sudo` completely in favour of `run0` from systemd, which fixes this "properly" by using Polkit & transient systemd units instead of setuid binaries like sudo. You get a UAC-style prompt, can even auth with your fingerprint just like on other modern OSes.
Instead of doing this, Ubuntu is just using a Rust rewrite of sudo. Some things really never change.
You make it sound like there was a discussion where they looked at these two alternatives and chose improving sudo over using run0. Actually I just submitted a patch for this and they accepted it. I don't work for Ubuntu and I didn't even know run0 existed until now (it does sound good though; I hope they switch to that).
Courage to be different is an open door to creativity.
Yes, it means going in a wrong direction sometimes as well: that's why it takes courage — success ain't guaranteed and you might be mocked or ridiculed when you fail.
Still, Ubuntu got from zero to most-used Linux distribution on desktops and servers with much smaller investment than the incumbents who are sometimes only following (like Red Hat).
So perhaps they also did a few things right?
(This discussion is rooted in one of those decisions too: Ubuntu was the first to standardize on sudo and no root account on the desktop, at least of mainstream distributions)
Ubuntu became the most used because they were the first to really dumb down the install process. No insult intended, it was my first distro as well. If you weren't around, it was rather stark. Most others had install media that just loaded a curses based install menu, asking you about partioning. Ubuntu gave you a live environment and graphical installer, which didn't ask any hard questions... way ahead of their time.
Nobody picked Ubuntu because of Mir, or Compiz, or Upstart(or snaps, while we're on the topic). They were obvious errors. That it's popular doesn't negate that fact.
I'd say good hw support, no nonsense live installer, and free CDs worldwide got their foot in the door. And 6 months release cycle matching GNOME + 2 months.
Mir/Compiz/Snaps came much-much later (snaps are as much a mistake as flatpak is: they make sense, but are notoriously expensive to make; Unity was a better UX than Gnome Shell 3, but it did not pay...).
However, none of this explains Ubuntu's penetration on cloud servers.
Canonical was actually solving exactly the same problems Red Hat was, just with much lower investment. Their wins made them dominant, their losses still allowed them to pivot to new de facto standards (like systemd too).
> Ubuntu became the most used because they were the first to really dumb down the install process.
That is an urban myth relayed by people who weren't even using Ubuntu in its early days.
Other distros were as easy to install as Ubuntu even before Ubuntu was founded. Besides Ubuntu was using the then experimental debian installer you could already use with a regular debian. They just shipped it on the default CD image earlier than debian did.
What they did to be on top was using Mark shuttleworth's money to ship an insane amount of free install CDs to anyone asking for them which meant that for a small period of time, when most people were on dial up internet ISDN and shitty ADSL, Ubuntu went suddently to be the number one distro installed. A friend, family member or coworker was curious about Linux? You'd hand him one of the fifty Ubuntu CDs you had lying around. I know I was one of those handing out CDs left and right. It was a time when to get an install CD without broadband you'd have to buy a magazine, and you didn't get to choose which distro was featured each month, a book or a boxset (not available everywhere). Later all those many early ubuntu adopters became ubuntu evangelists.
But bar a few exceptions like slackware, debian with the default vanilla installer or gentoo, there was nothing particular about the ubuntu install experience compared to other distros. Mandrake, Corel Linux ans Xandrows for example provided super easy install experience even before Ubuntu became a thing.
While Ubuntu did build on Debian testing/unstable, they did invest in building the GUI on top of everything, paying salaries for a few Debian developers.
With a very slim team (I am guessing 15-30 in the first couple of years), they picked Python as the go to language and invested heavily in development tooling making it possible for them to innovate and pivot quickly. Yes, they grew to a mid size company of 500-1000 over time, but also expanded into many different areas.
Perhaps one can also make a case for them effectively starting and killing a number of projects akin to Google, except they usually made them open source, and some live on as volunteer efforts (eg. ubuntu touch).
Could we not have used braille patterns? Start on a random one and you can just replace the character with the next one so it is possible for the user to see something was entered, but password length isn't given to someone looking over the user's shoulder?
46 years of silent sudo passwords.. it just demonstrates how crazy this world is, if this is considered news. It means the code is a living fossil and people live with that fact, instead of demanding (infinite and instant) control over their systems.
This reminds me. Linux was already a fossil, except for some niches, but now in the age of AI, the fact that code can't be updated at will (and instead has to go through some medieval social process) is fatal. Soon the age will be here where we generate the necessary OS features on the fly. No more compatibility layers, no more endless abstractions, no more binaries to distribute, no more copyright, no need to worry about how "the others" use their systems, no more bike shedding. Instead, let the system manage itself, it knows best. We'll get endless customization without the ballast.
It's time to set software free from the social enclosures we built around it.
The number of times I've been stuck wondering if my keystrokes are registering properly for a sudo prompt over a high latency ssh connection.
These servers I had an account setup too were, from what I observed, partially linked with the authentication mechanism used by the VPN and IAM services. Like they'd have this mandatory password reset process and sometimes sudo was set to that new password, other times it was whatever was the old one. Couple that with the high latency connection and password authentication was horrible. You would never know if you mistyped something, or the password itself was incorrect or the password you pasted went through or got double pasted.
I think this is a great addition, but only if it leads to redhat adopting it which is what they were running on their VMs.
Had problems with faulty keyboards in the past too, never to be sure which keys were I pressed I had to type the password in a text file (much more insecure) and then paste it on the prompt. Of course this was never done in front of anyone, shoulder surfing was never an issue to begin with.
I agree that this move is good.
But you should not type sudo passwords on remote machine. Instead setup your machinr to have nopassword for special sdmin account and enable pubkey only authentication.
Yeah but am I going to really open another ssh connection just to run an admin specific command. They also didn't provide an admin user, it setup with all of the extra security configurations. You couldn't even `su`
You could have avoided the worry completely. Ssh goes over tcp that does transport control (literally the “tc” in “tcp”) and this includes retransmission in case of packet loss.
If you are on a high latency ssh connection and your password does not register, you most likely mistyped it.
I am aware of that but you forgot the other conditions. Keys sometimes don't register, I'm not sure why but I do experience missing keystrokes.
The passwords get updated irregularly with the org IAM so you aren't sure what the password even is. Pasting doesn't work reliably sometimes, if you're on windows you need to right click to paste in terminals, sometimes a shortcut works. Neither gives me any feedback as to what event was ever registered though.
Yea, add a VNC jump host and a flaky spice based terminal and there are a bunch of things that can make your input not register properly.
This is such a good decision. It's one of those things that's incredibly confusing initially, but you get so used to it over the years, I even forgot it was a quirk.
In the modern world there is no plausible scenario where this would compromise a password that wouldn't otherwise also be compromised with equivalent effort.
I also think it is a good decision. Nevertheless it breaks the workflow of at least one person. My father's Linux password is one character. I didn't knew this when I supported him over screen sharing methods, because I couldn't see it. He told me, so now I know. But the silent prompt protected that fact. It is still a good decision, an one character password is useless from a security standpoint.
> It is still a good decision, an one character password is useless from a security standpoint.
Only if length is known. Which is true now. So it opens the gates to try passwords of specific known length.
If you are brute forcing passwords, knowing the length only reduces the number of passwords to try by like 1 hundredth.
Drats, you're right. I thought it'd be worse, but the ratio seems to only depend on the number of letters in your character set: 1/count(letters in alphabet).
For ascii at 95 printable chars you get 0.9894736842. Makes intuitive sense as the "weight" of each digit increases, taking away a digit matters less to the total combos.
Maybe I'll start using one Japanese Kanji to confuse would be hackers! They could spend hours trying to brute force it while wondering why they can't crack my one letter password they saw in my terminal prompt. ;)
Its funny how a single japanese symbol would be harder to crack than the anglicized name for it
It also give you the possibility of filtering out which ones are worth cracking and which ones not
It could also give useful priors for targeted attacks, "Their password is 5 characters, and their daughters name is also 5 characters, let's try variations of that".
I may or may not use a single char password on a certain machine. This char may or may not be a single space. It may or may not be used in FDE. It's surprising what (OS installers) this breaks.
I tend to agree, and I work in security.
In the early days we all shared computers. People would often stand behind you waiting to use it. It might even not have a screen, just a teletype, so there would be a hard copy of everything you entered. We probably didn't have account lockout controls either. Knowing the length of a password (which did not tend to be long) could be a critical bit of info to reduce a brute force attack.
Nowadays, not so much I think. And if you are paranoid about it, you can still set it back to the silent behaviour.
On the other hand streaming is way, way more common nowadays.
Yes… We're in the same room as the target… Let's look at their screen and see how long their password is.
Or, we could just look at the keyboard as they type and gain a lot more information.
In an absolute sense not showing anything is safer. But it never really matters and just acts as a paper cut for all.
And just sticking to counting, a not exceptionally well-trained ear could already count how many letters you typed and if you pressed backspace (at least with the double-width backspace, sound is definitely different)
Yeah I recall that there was an attack researchers demonstrated years back of using recordings of typing with an AI model to predict the typed text with some accuracy. Something to do with the timings of letter pairings, among other things.
"Let's look at their screen and see how long their password is." This article is about silent sudo.
Have you ever watched a fast touch typist, someone that does over 100 words per minute? Someone who might be using an keyboard layout that you're not familiar with? When the full password is entered in less than a second it can be very difficult to discern what they typed unless you're actually recording with video.
But sure, if you're watching someone who types with one finger. Yes, I can see that.
How is learning only the length of the password better than watching someone type it?
Besides, observe that several times and you might get close. Look at the stars several times and learn nothing beyond what you learned the first time.
This whole type of attack hinges on the user using weak passwords with predictable elements in any case.
Why not just display a single character out of a changing set of characters such as / - \ | (starting with a random one from the set) after every character entered? That way you can be certain whether or not you entered a character but and observer can‘t tell how many characters your password has.
There was a software package a couple decades ago, I want to say it was Lotus Notes but I'm pretty sure it wasn't actually Lotus Notes but something of that ilk, that would show a small, random number of asterisks corresponding to each character entered. So you'd hit one key and maybe two asterisks would show up on screen. And kept track of them so if you deleted a character, it'd remove two.
I thought that was kinda clever; it gives you feedback when your keystrokes are recognized, but it's just enough confusion to keep a shoulder surfer from easily being able to tell the length of your password unless you're hunt-and-pecking every single letter.
Yeah, I remember Lotus Notes both showing multiple filler characters per keystroke and showing different keychain pictures based on the hash of what you typed. This way you could also tell you've made a typo before submitting it.
Back around 1996, Notes would show hieroglyphics that changed with each new password character.
Notes did indeed do that, and I as I recall it was three astrix characters per password character.
Yup, it was Notes, I used it at IBM. It was an unbelievably stupid idea. Every single day people were asking why their password was wrong because they were confused by the line of stars being too long.
Because that's still weird and confusing to people and still serves no purpose.
Sorta reminds me of the i3lock screen locker. It shows an incredibly confusing circle UI where every keystroke randomizes the position of the sector on a circle, with no explanatory text on the screen (^1). To new users, it's not clear at all that you are entering your user password or even that it's a screen locker at all, because it just looks like a cryptic puzzle.
Of course, once you do understand that it's just a password prompt, it's great. Completely confuses the hell out of any shoulder surfers, who will for sure think it's a confusing puzzle, and eventually they will get rate limited.
^1: Example of it in use: https://www.youtube.com/watch?v=FvT44BSp3Uc
Now that you mention i3lock, if sudo showed a symbol changing with each keystroke, it could show it's working (not frozen, accepting input) without revealing the length, similarly to i3lock. I've seen ascii loading spinners from package managers by changing between slashes and hypens and such. Something of that sort would probably do the trick.
Purpose:
> That way you can be certain whether or not you entered a character
And the shoulder surger can still count the number of times it changes so you might as well just be normal.
They can also count the number of keystrokes they heard.
The echoed stars should disappear when you press enter, that way you are not revealing this information when you share a screen capture.
Surely looking at your screen seconds/minutes/hours later is the greater risk vector?
ATM keypads are very carefully designed so that all the buttons sound exactly the same, so you can't lift a PIN by recording the sound.
I've seen this demonstrated, using "Cherry" type keyswitches, with about a 75% success rate.
I also knew an old guy who could tell what an ASR33 or Creed teleprinter was printing just by the sound, with "good enough" accuracy, and copy RTTY by ear with "good enough" accuracy.
He didn't really talk about his time in the Royal Signals in the 50s and 60s very much.
It's surprising to see an OS, dominant as a sever platform, now optimizing catering to people who are unsure whether they've pressed a button on their keyboard. What's next, replacing asterisks with a progress bar?
Password recovery where you enter your mothers maiden name and favourite food.
For a new Ubuntu user, that is probably more confusing than not echoing at all.
"That way you can be certain..." absolutely not.
I don't understand your suggestion. If you're still showing one character after each character entered, what's changed?
What's the benefit of having a random character from a random set, instead of just a random character?
I think the idea is that each character overwrites the previous, so you're never showing the total length (apart from 0/1!)
Ah, and the characters are supposed to be an ASCII spinner.
I think if I was new to Linux that would confuse the life out of me :)
There's no persistent reveal of password length after you're finished typing. It reduces the length-reveal leak from anyone who eventually sees the terminal log to people who are actively over-the-shoulder as you type it.
If you can see 1 char from set of 4 you know the number of characters modulo 4. If the minimum length of a password is 6, and probably it is no longer than 12 characters, then you can narrow the length to 1 or 2 numbers. It is marginally better than asterisks of course, of course, but it is still confusing.
The original suggestion included randomizing the first character of the set, which removes this attack.
They mean to have a static single character on the screen and have it change with every keypress. For example, you type "a" and it shows /. You type "b" and it shows "|", etc.
Oh you mean like every time you type a password, it steps a spinner round? That solves the problem that IBM used to use for Notes where it showed "the wrong number of stars" which confused the hell out of users.
Someone should make a joke version that replaces the ***s with comedic passwords or ridiculously bad ones: When you're typing your real password, "iloveyouiloveyou", "12345612345", or "hunter42hunter.." gets printed to the screen.
I would absolutely install this.
Fascinating . . . reading the comments, it seems like the vast majority think this is a long overdue change. For myself, it never occurred to me that there was any issue and I'm slightly unsettled by the change (i.e. it is far from obvious to me that it's a good thing). It is not something I've thought deeply about, of course.
Because you long forgot how confusing it was, that you can't see if your keystrokes are accepted by the machine. This is a change for people, that are new to Linux/Unix
Worse than this issue, but kind of related, sometimes TTY1 (and maybe also the other TTYs) is being spammed by log info on boot, and if you have a TTY login it isn't obvious you can just log in anyway. Had a friend using Arch+i3 with TTY login, pretty new to GNU/Linux in general, so he kinda threw up his hands like "ah dang, can't log in, it's broken". I tried to tell him to just type his credentials anyway, but he didn't get what I was saying at first. Took a bit before we got him logged in and could address the other issues. I've had similar issues on my machines. I once had kernel log verbosity cranked up by accident, copied my config from another machine where I was chasing a GPU bug. Well, the same settings on the other machine were presenting way worse, constant never-ending line-spam, before and after login. Had to get into a graphical environment half-blind to see what I was doing and then turn down the verbosity. IMO there should be an easier way around that.
kernel cmdline arguments set in the bootloader? though I'm not sure which has precedence
Good things always happen when you cater to the lowest common denominator.
Just so you know. I feel the same way!
I expect there's an audience selection bias at work: Fewer greybeards and more spiky haired teens reading HN.
I think it's an awful idea. Apart from making things less secure it also makes sudo's UX inconsistent with most of the other coreutils. Luckily, I don't plan on doing any more ubuntu installs.
I did this!
I didn't actually know that Mint had enabled this by default. That would have been a useful counterpoint to the naysayers.
If you want the original behaviour you don't actually need to change the configuration - they added a patch afterwards so you can press tab and it will hide the password just for that time.
> The catalyst for Ubuntu’s change is sudo-rs
Actually it was me getting sufficiently pissed off at the 2 second delay for invalid passwords in sudo (actually PAM's fault). There's no reason for it (if you think there is look up unix_chkpwd). I tried to fix it but the PAM people have this strange idea that people like the delay. So I gave up on that and thought I may as well try fixing this other UX facepalm too. I doubt it would have happened with the original sudo (and they said as much) so it did require sudo-rs to exist.
I think this is one of the benefits of rewriting coreutils and so on in Rust - people are way more open to fixing long-standing issues. You don't get the whole "why are you overturning 46 years of tradition??" nonsense.
If anyone wants to rewrite PAM in Rust... :-D
https://github.com/linux-pam/linux-pam/issues/778
> If anyone wants to rewrite PAM in Rust... :-D
If you do, offer support for writing modules in a scripting language like Lua or Python. PAM could make it a lot easier to just add OAuth with your company IdP, for example…
Ah, but then you choose the wrong language or language runtime and distros ship old versions for 10+ years :)
(compare: polkit. Both sides have their point, but I've been annoyed by this standoff a few times).
Pretty sure the 2s delay is designed to slow down brute-forcing it.
Not for local password authentication.
https://github.com/pibara/pam_unix/blob/master/unix_chkpwd.c...
Yes, for local password authentication.
The code you linked to isn't the code for a wrong password. It's a check to make sure you're using a TTY. That code isn't to prevent brute force. The delay there is 10 seconds.
The 2 second delay is in support.c at https://github.com/pibara/pam_unix/blob/5727103caa9404f03ef0...
It only runs if "nodelay" is not set. But you might have another pam module setting its own delay. I have pam_faildelay.so set in /etc/pam.d/login
Change both the config files and you can remove the delay if you want.
> Yes, for local password authentication.
It's really really not. By default PAM has a difficult-to-disable 2ish second minimum delay for all authentication methods. However this is completely pointless for local password authentication because PAM checks password using unix_chkpwd, which has no delay. The comment I linked to is explaining that unix_chkpwd has a silly security theatre delay if you try to run it in a tty, but that's trivial to avoid.
If you want to brute force local password authentication you can just run unix_chkpwd as fast as you like. You don't need to involve PAM at all, so its 2 seconds delay achieves nothing.
It maybe does more for remote connections but I'm not sure about that either - if you want to check 10k ssh passwords per second what stops you making 10k separate connections every second? I don't think the 2 second delay helps there at all.
> Change both the config files and you can remove the delay if you want.
This is extremely complicated. See the comments in the issue for details.
> You don't get the whole "why are you overturning 46 years of tradition??" nonsense
Respectfully, we are the opposing sides of the barricades here. I was removing sudo-rs, uutils and some of the systemd-* packages from fresh Ubuntu installations until the amount of virtue signaling got really tiresome.
Currently almost no Ubuntu left in my production. Hopefully Debian will not package those.
PS: Rust is awesome!
How many people with a loud mechanical keyboard shut their microphone to type a password whem sharing their screen in an audio/video call?
If you start by hitting backspace a few times and/or typing random characters and deleting them (to make sure the keyboard's working and sending your inputs where you think) it should obscure the length somewhat.
sudo is not the only thing that prompts for password in the terminal. There is at least passwd and ssh.
I value ctrl+U a lot more for password prompts than the visual feedback, it's even used by GUI on Linux.
Yeah I would like to fix those too but sudo is the one I encounter most. Also the existence of sudo-rs meant there was less push-back. I seriously doubt the maintainers of openssh or passwd would accept this change.
This fixes another issue with that if you make a typo in your password, you don't know how many characters you need to delete, but now you would.
I find it's usually faster to hit ctrl-u and start over anyway.
That's been my solution too and it's never been an issue for me tbh.
When I wrote the login program for my VSTa microkernel, I took a page from the CDC side of the world--it echoes a _random_ (but small, non-zero) number of *'s. So you get feedback, but indeed peering over your shoulder will not disclose password length.
And yes, it remember how many it echoes so backspace works correctly.
The paranoids have had a say in way to many things, way to loud, way to long.
I'd think this is OK but I'm not sure if another Option to just give feedback of keyboard activity would combine the best of both worlds.
A space with a cursor instead of an asterisk would make it harder to count the Chars
Adding a random 1 to 3 output chars instead of one would obfuscate this even more.
A delayed output could make you submit the password prompt before showing anything.
A single asterisk that switches back to space after 250ms inactivity may even be better.
I don't know, but somehow this feels underthought even if it probably is not. Simple is probably the best approach
Most of those suggestions would be incredible confusing for anyone not familiar with the concept.
Users expect to see exactly 1 new char (either the key pressed or an asterix) when they type something. Seeing up to three chars appearing or disappearing after some time imho is worse than what we have today.
Deoxodizing is rather easy for now:
apt install sudo-ws
apt remove coreutils-from-uutils --allow-remove-essential
The setting to echo isn’t configurable?
It is. Only the default changed. Also you can press tab if someone happens to be looking over your shoulder (and your password is so obvious they can guess it from the length).
Yes, thankfully.
However it is pretty obvious at this point that Ubuntu will absolutely remove those from one of the future releases because availability of real sudo and coreutils is detrimental to the virtue signaling they are engaging in.
After being a lifetime Ubuntu user I have moved to Debian across almost all of my production.
This was actually the thing that derailed my first attempt at Linux. I was like 14 or 15 and didn’t understand that concept so couldn’t log in lol
So now there's a few additional steps when I install a new distribution to make certain that classic sudo is the one installed, rather than sudo-rs
I'm sure someone things this is a good idea, but I do not, and nobody cares what I think. But I come from being a long-time coder who's always been a terrible typist and can't depend on "touch typing" and have to actually look at things, like the keys, and the screen. And handicapped by going blind in one eye, and having arguments with eye doctors who say "get used to it and switch to audio books" and needing 14-point boldface fonts for everything.
Weird argument about the logging password forging the same in a gui. Because it certainly it not when logging in using a terminal locale or ssh for that matter
Either way, password lengths are exposed in virtually all scenarios except the Unix Terminal - and have caused 0 issues in practice. The default of hiding password inputs really is useless security theater, and always has been.
The crazier part is Ubuntu using a pre-1.0 software suite instead of software that has been around for decades. The switch to Rust coreutils is far too early.
> and have caused 0 issues in practice
Do you have some data to back that up? Because I doubt it’s literally 0. I make this point because we shouldn’t talk about absolutes when discussing security.
Fo example, Knowing a password length does make it easier to crack a password. So it’s not strictly “security theatre”.
So the real question isn’t whether it has any security benefit; it’s more is the convenience greater than the risk it introduces.
Framing it like this is important because for technical users like us on HN, we’d obviously mostly say the convenience is negligible and thus are more focused on the security aspect of the change.
But for the average Desktop Ubuntu user, that convenience aspect is more pronounced.
This is why you’re going to see people argue against this change on HN. Simply put, different people have different risk appetites.
Knowing password length makes it easier to crack an insecure password.
The SHA256 hash of a 6-symbol diceware password, where each symbol has its first letter capitalized and the rest lowercase, with 1! appended for compliance with misguided composition rules is 540b5417b5ecb522715fd4bb30f412912038900bd4ba949ea6130c8cb3c16012. There are 37 octets in the password. You know the length. You know the composition rules. You have an unsalted hash. It's only 77 or so bits of entropy. Get cracking, I'll wait.
The title kind of implies that silent sudo passwords have been a part of Ubuntu for the last 46 years.
I've never once thought I wish I could see password characters when typing sudo.
It feels like dumbing down the cli.
But I don't know if this is an elder millenial walk up hill in the snow both ways kind of thing though.
Am I alone in this?
Secure keyboard tty entry interaction by the terminal should manage this rather than implement it in one app. Another advantage of this method is that such affordances can be generated or silenced locally, and it's code that can be shared when used with passwd, pinentry, etc. and sudo rather than implemented N times.
They could give feedback about key presses without giving away the password length quite easily
> sudo password is the same as their login password — one that already appears as visible placeholder dots on the graphical login screen. Hiding asterisks in the terminal while showing them at login is, in the developers’ estimation, security theatre.
So hide the first one as well? But also, that's not true, not all terminal passwords are for local machine
> Confusing — appears frozen
So make it appear flashing? Still doesn't need to reveal length
This is literally never identified as an issue in any other system processing passwords. This feels like a debate by someone who once thought they had a clever idea and can’t let go despite everyone telling them it’s awful.
Feels like you're talking to your own strawman re. whether hiding password length makes sense, which I specifically didn't address, only pointed out that the arguments I've quoted do not support the change.
Is there any reason to have this feature enabled for millions of desktop users vs enable by appropriately paranoid corporate IT departments?
The reason is to protect the innocent, of course, they're mostly clueless about security! But I don't know the level of practical benefits for this measure, superficially seems to be rather low, but then (assuming silly usability issues like "appears frozen" are fixed) what's the downside?
Millions of desktop users would use empty password if they could.
Most of them would be well enough served by that too. It used to be normal and perfectly suitable for most home users.
Modern password ui also gives the option to toggle the actual letters on so you can verify that you are actually typing the right thing. Hopefully that doesn't take another 46 years.
Oh yeah, let's echo passwords on-screen! Genius! What could possibly go wrong?
Just as you get used to something crazy after two decades, have kids, and are about to unleash it on them, it gets fixed. Will there be no boomer pleasures left for us millennials?
Kids want everything done their way because the way we did it is obviously wrong and old. This has always has been the case.
Is this really the thing we're complaining about though? There's a lot more annoying things in Linux, rather than whether or not I see dots when I login...
How about all the daemons that double log or double timestamp on systemd machines?
I've been using a two character password since the last 10 years of my 23 year linux usage; I log in to console and manually start X. Guess the shame will catch up now.
Love "manually start X", because I've been considering just doing that. In some weird sense it seems easier.
You can choose the middle ground and start X in whatever file is executed by your shell at login, after checking that X is not already running and that the login has not been done remotely through SSH. Instead of using "startx" (which on a properly configured system would also start whatever desktop environment you use), you can use the start program of your desktop environment, for instance I use XFCE, whose starting program is "startxfce4".
This eliminates the need to do the start manually when you login, but like after a manual start you can stop the GUI session, falling back into a console window, and then you can restart the GUI if needed.
I prefer this variant and I find it simpler than having any of the programs used for a GUI login, which have no advantage over the traditional login.
Funny. But I have to say the shaming of users who have different opinions or want to make different choices (the whole point of free software) is one of the saddest development in the free software world, such as the push for BSD replacements for GPL components, the entanglement of software components in general, or breaking of compatibility, etc. No matter whether you stand, that it is becoming harder to choose components in your system to your liking should give everybody pause. And if your argument involves the term "Boomer" because you prefer the new choice, you miss the point. Android should be a clear warning that we can loose freedoms again very quickly (if recent US politics is not already a warning enough).
Sadly everyone wants convenience. Nobody hates MS because they are bad, they hate them because they are inconvenient. People are missing the fact that Google is exactly where MS was in the 90s and is most definitely as bad if not worse. I hate android sadly linux isn't looking too good rigt now on mobile.
Devs are are missing the point with linux on phone. Get the point part working first lol so that people have some incentive to carry the damned thing. Apps come later
Mobile is a problem. I had a beautifully Linux phone once, the Nokia N9. It is incredibly sad knowing how the world could look.
* phone part
The phone part has been working for decades now; I know cause I've been relying on it for nearly 20 years now on various devices.
You could reproduce your UX by switching to a 0-length password.
I don’t know why this keeps coming up. Has this been a big deal for everyone else? Like ok usability improvement, but the number of times I have read an article about this is silly.
If it is a new tool, why not call it something else than sudo?
The expectation with sudo is silent passwords.
Because if you name it something different it's harder to do the "extinguish" step of "embrace, extend, extinguish".
That site is terrible without ads blocked… it’s like a local newspaper site, you had to try and read the content in small snippets wedged between ads!
For more than four decades, typing a password after a sudo prompt in a Linux terminal
What?!
2026 minus 46 is 1980. There was no Linux, at all, in 1980.
Someone is quite confused.
sudo is from 1980, that's probably what they meant
https://www.sudo.ws/about/history/
Good. It's terrible UX.
The security argument is a red herring. It was originally built with no echo because it was easier to turn echo on and off than to echo asterisks. Not for security.
You got some sources or did you just make that up?
Because to hell with UX when it comes to security. Knowing the exact length of a password absolutely makes it significantly less secure, and knowing the timing of the keystrokes doubly so.
Yet somehow, none of the other high security tools I have ever interacted with seem to do this for some reason. No auditor flags it. No security standard recommends hiding it.
But SUDO is the one bastion where it is absolutely essential to not offer hiding keystrokes as an obscure config option, but enable for everyone and their mother?
And once you start adding these accessibility problems, people will respond by using weaker passwords.
Bad security UX that results in users bypassing security mechanisms entirely is probably the single biggest source of real-world security problems.
> Because to hell with UX when it comes to security.
I don’t think you have any idea how wrong you are.
> easier to turn echo on and off than to echo asterisks.
One implies the other. You turn echo off. Then you write asterisks.
> Not for security.
Consider the case of copy and pasting parts of your terminal to build instructions or to share something like a bug report. Or screen sharing in general. You are then leaking the length of your password. This isn't necessarily disastrous for most use cases but it is a negative security attribute.
> One implies the other. You turn echo off. Then you write asterisks.
That's not how it works. Sudo turns off echo but otherwise keeps the terminal in it's normal cooked canonocal mode, meaning sudo only sees what you've entered after you hit enter. To print asteriks as you type requires putting the terminal in raw mode, which has the addition consequence of needing to implement shit like backspace yourself. Still a UX win worth doing, but it's pretty clear that skipping that and just disabling echo is an easier lazier implementation.
You're correct, but, the echo and canonical mode flags are literally in the same termios structure member. One is no more complicated to change than the other. You can also easily switch to character at a time read() which makes handling backspace, erase or kill exceedingly simple.
I still doubt the claim the scheme employed by sudo was done because it "was easier."
The first is like 3 lines of code, to get the attrs, disable the echo flag then set the attrs again. The second is.. I don't know probably about twenty lines of code to handle the primitive line editing yourself and also asterisk printing. In my view, this is enough of a difference to motivate a conclusion that the first is good enough. Also note that this decision was made back in the early 70s when login was first implemented, and it established a convention which was very easy and convienent to carry forward to su and later sudo.
I would be worried more about leaking the timing of the key presses.
Leaking the length of your password is about as bad for security as leaking the fact that you have a password, or that you use sudo.
It narrows down the brute force domain by several orders of magnitude
No, it doesn't. The set of all passwords of exactly length N is about 1% smaller than the set of all passwords up to and including length N.
The point is that you know that the password is not longer than N.
This indeed reduces the search domain by many orders of magnitude, i.e. by more than an order of magnitude for each character that you now know that it is not used by the password.
Knowing the length of the password does not matter only in antediluvian systems, which had severe restrictions on the length of a password, so you already knew that the password is no longer than, e.g., 8 characters.
Bruteforce search in increasing length order will find the password in within 1% of the same amount of time
> is about 1% smaller
Isn't it 10%?
If there are 9 different characters that can be in a password.
That's obviously false. It narrows it down less than a factor the length of the password, so unless your password is several orders of magnitude, it lowers narrows by a factor of ~8.
That is obviously true, not false.
If you know that a password is no longer than, e.g., 10 characters, that narrows down the search domain by many, many orders of magnitude, in comparison with the case when you did not know this and you had to assume that the password could have been, e.g. 18 characters long.
If you test the possible passwords in increasing length, then knowing the length would not shorten much the search, but not knowing the length may prevent an attempt to search the password by brute force, as such an attempt would fail for longer passwords, so it is not worthwhile to do unless success is expected.
With modern hashing schemes, which require both a lot of time and a lot of memory for each tested password, even one extra character in the password can make the difference between a password that can be cracked in a useful time and one that would take too much time to crack, so knowing the length can be very important for the decision of an attacker of trying the exhaustive search approach.
Knowing the length is less important only for the users who are expected to choose easy to guess passwords, as there are much less of those than the possible random passwords.
It's fun, leading edge Linux distros (e.g. GNOME OS) are actually currently removing `sudo` completely in favour of `run0` from systemd, which fixes this "properly" by using Polkit & transient systemd units instead of setuid binaries like sudo. You get a UAC-style prompt, can even auth with your fingerprint just like on other modern OSes.
Instead of doing this, Ubuntu is just using a Rust rewrite of sudo. Some things really never change.
You make it sound like there was a discussion where they looked at these two alternatives and chose improving sudo over using run0. Actually I just submitted a patch for this and they accepted it. I don't work for Ubuntu and I didn't even know run0 existed until now (it does sound good though; I hope they switch to that).
Why is running a command as an ephemeral systemd unit better? Just curious, I don't have an opinion one way or the other.
Without knowing more, creating a transient unit just to run a single shell command seems quite roundabout.
It's possible to auth with your fingerprint (or even a YubiKey) in sudo. It's a functionality provided by PAM, after all.
Ubuntu truly are masters of going all in on being different in a worse way, only to about face soon thereafter.
You'd think by now they'd have learned, but apparently not.
Courage to be different is an open door to creativity.
Yes, it means going in a wrong direction sometimes as well: that's why it takes courage — success ain't guaranteed and you might be mocked or ridiculed when you fail.
Still, Ubuntu got from zero to most-used Linux distribution on desktops and servers with much smaller investment than the incumbents who are sometimes only following (like Red Hat).
So perhaps they also did a few things right?
(This discussion is rooted in one of those decisions too: Ubuntu was the first to standardize on sudo and no root account on the desktop, at least of mainstream distributions)
Ubuntu became the most used because they were the first to really dumb down the install process. No insult intended, it was my first distro as well. If you weren't around, it was rather stark. Most others had install media that just loaded a curses based install menu, asking you about partioning. Ubuntu gave you a live environment and graphical installer, which didn't ask any hard questions... way ahead of their time.
Nobody picked Ubuntu because of Mir, or Compiz, or Upstart(or snaps, while we're on the topic). They were obvious errors. That it's popular doesn't negate that fact.
I'd say good hw support, no nonsense live installer, and free CDs worldwide got their foot in the door. And 6 months release cycle matching GNOME + 2 months.
Mir/Compiz/Snaps came much-much later (snaps are as much a mistake as flatpak is: they make sense, but are notoriously expensive to make; Unity was a better UX than Gnome Shell 3, but it did not pay...).
However, none of this explains Ubuntu's penetration on cloud servers.
Canonical was actually solving exactly the same problems Red Hat was, just with much lower investment. Their wins made them dominant, their losses still allowed them to pivot to new de facto standards (like systemd too).
> Ubuntu became the most used because they were the first to really dumb down the install process.
That is an urban myth relayed by people who weren't even using Ubuntu in its early days.
Other distros were as easy to install as Ubuntu even before Ubuntu was founded. Besides Ubuntu was using the then experimental debian installer you could already use with a regular debian. They just shipped it on the default CD image earlier than debian did.
What they did to be on top was using Mark shuttleworth's money to ship an insane amount of free install CDs to anyone asking for them which meant that for a small period of time, when most people were on dial up internet ISDN and shitty ADSL, Ubuntu went suddently to be the number one distro installed. A friend, family member or coworker was curious about Linux? You'd hand him one of the fifty Ubuntu CDs you had lying around. I know I was one of those handing out CDs left and right. It was a time when to get an install CD without broadband you'd have to buy a magazine, and you didn't get to choose which distro was featured each month, a book or a boxset (not available everywhere). Later all those many early ubuntu adopters became ubuntu evangelists.
But bar a few exceptions like slackware, debian with the default vanilla installer or gentoo, there was nothing particular about the ubuntu install experience compared to other distros. Mandrake, Corel Linux ans Xandrows for example provided super easy install experience even before Ubuntu became a thing.
While Ubuntu did build on Debian testing/unstable, they did invest in building the GUI on top of everything, paying salaries for a few Debian developers.
With a very slim team (I am guessing 15-30 in the first couple of years), they picked Python as the go to language and invested heavily in development tooling making it possible for them to innovate and pivot quickly. Yes, they grew to a mid size company of 500-1000 over time, but also expanded into many different areas.
Perhaps one can also make a case for them effectively starting and killing a number of projects akin to Google, except they usually made them open source, and some live on as volunteer efforts (eg. ubuntu touch).
The free CDs they sent worldwide to whoever asked was huge too.
> You'd think by now they'd have learned, but apparently not.
No. Suffering is the crucial part of virtue signaling, so bugs in slop rewrites are a feature, not a bug.
How can you stop it asking your password every single time? I asked my LLM and it hallucinated Javascript at me.
Gnome is known for shitty UX, breaking stuff every release and refusing to fix stuff since Gnome3.
Is "GNOME OS" really a leading distro?
I think they mean "leading edge".
Losing edge.
Could we not have used braille patterns? Start on a random one and you can just replace the character with the next one so it is possible for the user to see something was entered, but password length isn't given to someone looking over the user's shoulder?
⣾, ⣽, ⣻, ⢿, ⡿, ⣟, ⣯, ⣷
That seems like it would be hard to see, even for the person sitting right in front of it.
why can't they just look at the keyboard...
46 years of silent sudo passwords.. it just demonstrates how crazy this world is, if this is considered news. It means the code is a living fossil and people live with that fact, instead of demanding (infinite and instant) control over their systems.
This reminds me. Linux was already a fossil, except for some niches, but now in the age of AI, the fact that code can't be updated at will (and instead has to go through some medieval social process) is fatal. Soon the age will be here where we generate the necessary OS features on the fly. No more compatibility layers, no more endless abstractions, no more binaries to distribute, no more copyright, no need to worry about how "the others" use their systems, no more bike shedding. Instead, let the system manage itself, it knows best. We'll get endless customization without the ballast.
It's time to set software free from the social enclosures we built around it.
I'm excited about the future of mutable software, but sudo isn't exactly the kind of thing you want to be patching on-the-fly.