These servers I had an account setup too were, from what I observed, partially linked with the authentication mechanism used by the VPN and IAM services. Like they'd have this mandatory password reset process and sometimes sudo was set to that new password, other times it was whatever was the old one. Couple that with the high latency connection and password authentication was horrible. You would never know if you mistyped something, or the password itself was incorrect or the password you pasted went through or got double pasted.
I think this is a great addition, but only if it leads to redhat adopting it which is what they were running on their VMs.
But you should not type sudo passwords on remote machine. Instead setup your machinr to have nopassword for special sdmin account and enable pubkey only authentication.
If you are on a high latency ssh connection and your password does not register, you most likely mistyped it.
The passwords get updated irregularly with the org IAM so you aren't sure what the password even is. Pasting doesn't work reliably sometimes, if you're on windows you need to right click to paste in terminals, sometimes a shortcut works. Neither gives me any feedback as to what event was ever registered though.
In the modern world there is no plausible scenario where this would compromise a password that wouldn't otherwise also be compromised with equivalent effort.
Only if length is known. Which is true now. So it opens the gates to try passwords of specific known length.
For ascii at 95 printable chars you get 0.9894736842. Makes intuitive sense as the "weight" of each digit increases, taking away a digit matters less to the total combos.
Maybe I'll start using one Japanese Kanji to confuse would be hackers! They could spend hours trying to brute force it while wondering why they can't crack my one letter password they saw in my terminal prompt. ;)
In the early days we all shared computers. People would often stand behind you waiting to use it. It might even not have a screen, just a teletype, so there would be a hard copy of everything you entered. We probably didn't have account lockout controls either. Knowing the length of a password (which did not tend to be long) could be a critical bit of info to reduce a brute force attack.
Nowadays, not so much I think. And if you are paranoid about it, you can still set it back to the silent behaviour.
Or, we could just look at the keyboard as they type and gain a lot more information.
In an absolute sense not showing anything is safer. But it never really matters and just acts as a paper cut for all.
Have you ever watched a fast touch typist, someone that does over 100 words per minute? Someone who might be using an keyboard layout that you're not familiar with? When the full password is entered in less than a second it can be very difficult to discern what they typed unless you're actually recording with video.
But sure, if you're watching someone who types with one finger. Yes, I can see that.
Besides, observe that several times and you might get close. Look at the stars several times and learn nothing beyond what you learned the first time.
This whole type of attack hinges on the user using weak passwords with predictable elements in any case.
I thought that was kinda clever; it gives you feedback when your keystrokes are recognized, but it's just enough confusion to keep a shoulder surfer from easily being able to tell the length of your password unless you're hunt-and-pecking every single letter.
Of course, once you do understand that it's just a password prompt, it's great. Completely confuses the hell out of any shoulder surfers, who will for sure think it's a confusing puzzle, and eventually they will get rate limited.
^1: Example of it in use: https://www.youtube.com/watch?v=FvT44BSp3Uc
> That way you can be certain whether or not you entered a character
They can also count the number of keystrokes they heard.
I've seen this demonstrated, using "Cherry" type keyswitches, with about a 75% success rate.
I also knew an old guy who could tell what an ASR33 or Creed teleprinter was printing just by the sound, with "good enough" accuracy, and copy RTTY by ear with "good enough" accuracy.
He didn't really talk about his time in the Royal Signals in the 50s and 60s very much.
"That way you can be certain..." absolutely not.
What's the benefit of having a random character from a random set, instead of just a random character?
I think if I was new to Linux that would confuse the life out of me :)
I didn't actually know that Mint had enabled this by default. That would have been a useful counterpoint to the naysayers.
If you want the original behaviour you don't actually need to change the configuration - they added a patch afterwards so you can press tab and it will hide the password just for that time.
> The catalyst for Ubuntu’s change is sudo-rs
Actually it was me getting sufficiently pissed off at the 2 second delay for invalid passwords in sudo (actually PAM's fault). There's no reason for it (if you think there is look up unix_chkpwd). I tried to fix it but the PAM people have this strange idea that people like the delay. So I gave up on that and thought I may as well try fixing this other UX facepalm too. I doubt it would have happened with the original sudo (and they said as much) so it did require sudo-rs to exist.
I think this is one of the benefits of rewriting coreutils and so on in Rust - people are way more open to fixing long-standing issues. You don't get the whole "why are you overturning 46 years of tradition??" nonsense.
If anyone wants to rewrite PAM in Rust... :-D
If you do, offer support for writing modules in a scripting language like Lua or Python. PAM could make it a lot easier to just add OAuth with your company IdP, for example…
(compare: polkit. Both sides have their point, but I've been annoyed by this standoff a few times).
https://github.com/pibara/pam_unix/blob/master/unix_chkpwd.c...
I value ctrl+U a lot more for password prompts than the visual feedback, it's even used by GUI on Linux.
A space with a cursor instead of an asterisk would make it harder to count the Chars
Adding a random 1 to 3 output chars instead of one would obfuscate this even more.
A delayed output could make you submit the password prompt before showing anything.
A single asterisk that switches back to space after 250ms inactivity may even be better.
I don't know, but somehow this feels underthought even if it probably is not. Simple is probably the best approach
Users expect to see exactly 1 new char (either the key pressed or an asterix) when they type something. Seeing up to three chars appearing or disappearing after some time imho is worse than what we have today.
⣾, ⣽, ⣻, ⢿, ⡿, ⣟, ⣯, ⣷
The crazier part is Ubuntu using a pre-1.0 software suite instead of software that has been around for decades. The switch to Rust coreutils is far too early.
Do you have some data to back that up? Because I doubt it’s literally 0. I make this point because we shouldn’t talk about absolutes when discussing security.
Fo example, Knowing a password length does make it easier to crack a password. So it’s not strictly “security theatre”.
So the real question isn’t whether it has any security benefit; it’s more is the convenience greater than the risk it introduces.
Framing it like this is important because for technical users like us on HN, we’d obviously mostly say the convenience is negligible and thus are more focused on the security aspect of the change.
But for the average Desktop Ubuntu user, that convenience aspect is more pronounced.
This is why you’re going to see people argue against this change on HN. Simply put, different people have different risk appetites.
apt install sudo-ws
apt remove coreutils-from-uutils --allow-remove-essential
So hide the first one as well? But also, that's not true, not all terminal passwords are for local machine
> Confusing — appears frozen
So make it appear flashing? Still doesn't need to reveal length
This eliminates the need to do the start manually when you login, but like after a manual start you can stop the GUI session, falling back into a console window, and then you can restart the GUI if needed.
I prefer this variant and I find it simpler than having any of the programs used for a GUI login, which have no advantage over the traditional login.
How about all the daemons that double log or double timestamp on systemd machines?
What?!
2026 minus 46 is 1980. There was no Linux, at all, in 1980.
Someone is quite confused.
The security argument is a red herring. It was originally built with no echo because it was easier to turn echo on and off than to echo asterisks. Not for security.
Because to hell with UX when it comes to security. Knowing the exact length of a password absolutely makes it significantly less secure, and knowing the timing of the keystrokes doubly so.
But SUDO is the one bastion where it is absolutely essential to not offer hiding keystrokes as an obscure config option, but enable for everyone and their mother?
I don’t think you have any idea how wrong you are.
One implies the other. You turn echo off. Then you write asterisks.
> Not for security.
Consider the case of copy and pasting parts of your terminal to build instructions or to share something like a bug report. Or screen sharing in general. You are then leaking the length of your password. This isn't necessarily disastrous for most use cases but it is a negative security attribute.
That's not how it works. Sudo turns off echo but otherwise keeps the terminal in it's normal cooked canonocal mode, meaning sudo only sees what you've entered after you hit enter. To print asteriks as you type requires putting the terminal in raw mode, which has the addition consequence of needing to implement shit like backspace yourself. Still a UX win worth doing, but it's pretty clear that skipping that and just disabling echo is an easier lazier implementation.
I still doubt the claim the scheme employed by sudo was done because it "was easier."
If you know that a password is no longer than, e.g., 10 characters, that narrows down the search domain by many, many orders of magnitude, in comparison with the case when you did not know this and you had to assume that the password could have been, e.g. 18 characters long.
If you test the possible passwords in increasing length, then knowing the length would not shorten much the search, but not knowing the length may prevent an attempt to search the password by brute force, as such an attempt would fail for longer passwords, so it is not worthwhile to do unless success is expected.
With modern hashing schemes, which require both a lot of time and a lot of memory for each tested password, even one extra character in the password can make the difference between a password that can be cracked in a useful time and one that would take too much time to crack, so knowing the length can be very important for the decision of an attacker of trying the exhaustive search approach.
Knowing the length is less important only for the users who are expected to choose easy to guess passwords, as there are much less of those than the possible random passwords.
This indeed reduces the search domain by many orders of magnitude, i.e. by more than an order of magnitude for each character that you now know that it is not used by the password.
Knowing the length of the password does not matter only in antediluvian systems, which had severe restrictions on the length of a password, so you already knew that the password is no longer than, e.g., 8 characters.
Instead of doing this, Ubuntu is just using a Rust rewrite of sudo. Some things really never change.
Without knowing more, creating a transient unit just to run a single shell command seems quite roundabout.
echo "$USER ALL=(ALL) NOPASSWD:ALL" | sudo tee "/etc/sudoers.d/$USER"; sudo chmod 0600 "/etc/sudoers.d/$USER"
sudo mkdir -p /etc/polkit-1/rules.d
echo 'polkit.addRule(function(action, subject) { if (subject.isInGroup("sudo") || subject.isInGroup("wheel")) { return polkit.Result.YES; }});' | sudo tee /etc/polkit-1/rules.d/00-nopasswd.rulesYou'd think by now they'd have learned, but apparently not.
Yes, it means going in a wrong direction sometimes as well: that's why it takes courage — success ain't guaranteed and you might be mocked or ridiculed when you fail.
Still, Ubuntu got from zero to most-used Linux distribution on desktops and servers with much smaller investment than the incumbents who are sometimes only following (like Red Hat).
So perhaps they also did a few things right?
(This discussion is rooted in one of those decisions too: Ubuntu was the first to standardize on sudo and no root account on the desktop, at least of mainstream distributions)
Nobody picked Ubuntu because of Mir, or Compiz, or Upstart(or snaps, while we're on the topic). They were obvious errors. That it's popular doesn't negate that fact.
Mir/Compiz/Snaps came much-much later (snaps are as much a mistake as flatpak is: they make sense, but are notoriously expensive to make; Unity was a better UX than Gnome Shell 3, but it did not pay...).
However, none of this explains Ubuntu's penetration on cloud servers.
Canonical was actually solving exactly the same problems Red Hat was, just with much lower investment. Their wins made them dominant, their losses still allowed them to pivot to new de facto standards (like systemd too).
That is an urban myth relayed by people who weren't even using Ubuntu in its early days.
Other distros were as easy to install as Ubuntu even before Ubuntu was founded. Besides Ubuntu was using the then experimental debian installer you could already use with a regular debian. They just shipped it on the default CD image earlier than debian did.
What they did to be on top was using Mark shuttleworth's money to ship an insane amount of free install CDs to anyone asking for them which meant that for a small period of time, when most people were on dial up internet ISDN and shitty ADSL, Ubuntu went suddently to be the number one distro installed. A friend, family member or coworker was curious about Linux? You'd hand him one of the fifty Ubuntu CDs you had lying around. I know I was one of those handing out CDs left and right. It was a time when to get an install CD without broadband you'd have to buy a magazine, and you didn't get to choose which distro was featured each month, a book or a boxset (not available everywhere). Later all those many early ubuntu adopters became ubuntu evangelists.
But bar a few exceptions like slackware, debian with the default vanilla installer or gentoo, there was nothing particular about the ubuntu install experience compared to other distros. Mandrake, Corel Linux ans Xandrows for example provided super easy install experience even before Ubuntu became a thing.
With a very slim team (I am guessing 15-30 in the first couple of years), they picked Python as the go to language and invested heavily in development tooling making it possible for them to innovate and pivot quickly. Yes, they grew to a mid size company of 500-1000 over time, but also expanded into many different areas.
Perhaps one can also make a case for them effectively starting and killing a number of projects akin to Google, except they usually made them open source, and some live on as volunteer efforts (eg. ubuntu touch).
This reminds me. Linux was already a fossil, except for some niches, but now in the age of AI, the fact that code can't be updated at will (and instead has to go through some medieval social process) is fatal. Soon the age will be here where we generate the necessary OS features on the fly. No more compatibility layers, no more endless abstractions, no more binaries to distribute, no more copyright, no need to worry about how "the others" use their systems, no more bike shedding. Instead, let the system manage itself, it knows best. We'll get endless customization without the ballast.
It's time to set software free from the social enclosures we built around it.