Ubuntu 26.04 Ends 46 Years of Silent sudo Passwords

Posted by akersten 16 hours ago

Ubuntu 26.04 Ends 46 Years of Silent sudo Passwords(pbxscience.com)

210 points | 238 commentspage 2

goodcanadian 12 hours ago|

Fascinating . . . reading the comments, it seems like the vast majority think this is a long overdue change. For myself, it never occurred to me that there was any issue and I'm slightly unsettled by the change (i.e. it is far from obvious to me that it's a good thing). It is not something I've thought deeply about, of course.

ahofmann 12 hours ago||

Because you long forgot how confusing it was, that you can't see if your keystrokes are accepted by the machine. This is a change for people, that are new to Linux/Unix

opan 7 hours ago|||

Worse than this issue, but kind of related, sometimes TTY1 (and maybe also the other TTYs) is being spammed by log info on boot, and if you have a TTY login it isn't obvious you can just log in anyway. Had a friend using Arch+i3 with TTY login, pretty new to GNU/Linux in general, so he kinda threw up his hands like "ah dang, can't log in, it's broken". I tried to tell him to just type his credentials anyway, but he didn't get what I was saying at first. Took a bit before we got him logged in and could address the other issues. I've had similar issues on my machines. I once had kernel log verbosity cranked up by accident, copied my config from another machine where I was chasing a GPU bug. Well, the same settings on the other machine were presenting way worse, constant never-ending line-spam, before and after login. Had to get into a graphical environment half-blind to see what I was doing and then turn down the verbosity. IMO there should be an easier way around that.

pas 4 hours ago||

kernel cmdline arguments set in the bootloader? though I'm not sure which has precedence

fortyseven 10 hours ago|||

Good things always happen when you cater to the lowest common denominator.

antisol 7 hours ago|||

I expect there's an audience selection bias at work: Fewer greybeards and more spiky haired teens reading HN.

I think it's an awful idea. Apart from making things less secure it also makes sudo's UX inconsistent with most of the other coreutils. Luckily, I don't plan on doing any more ubuntu installs.

the_real_cher 5 hours ago||

Just so you know. I feel the same way!

pvillano 3 hours ago||

How much information is there in knowing the length of someone's password?

If we know the password's length, it saves us from guessing any shorter passwords. For example, for a numeric password, knowing the length is 4 saves us from having to guess [blank], 0-9, 00-99 and 000-999. This lowers the number of possibilities from 1111 to 1000. The password has 90% of it's original strength. A [0-9a-zA-Z] password retains 98% of it's original strength

notlenin 3 hours ago|

For any given alphabet A, and for any positive integer n, the set of strings of length n over A is a finite set, with (number of characters in A)^n elements.

The set of all strings, of any length over A, is an infinite set, because it is the union of all sets of strings of length n for each positive integer n.

So if you don't know the length of the password, there are infinite possibilities. If you do know the length of the password, there are only finite possibilities.

Which would in turn imply that there is an infinite amount of information in knowing the length of a password - the complement of the set of n-length strings over A in the set of strings over A contains an infinite number of elements, which you can safely exclude now that you know the password is part of the finite set of n-length strings over A.

timhh 13 hours ago||

I did this!

I didn't actually know that Mint had enabled this by default. That would have been a useful counterpoint to the naysayers.

If you want the original behaviour you don't actually need to change the configuration - they added a patch afterwards so you can press tab and it will hide the password just for that time.

> The catalyst for Ubuntu’s change is sudo-rs

Actually it was me getting sufficiently pissed off at the 2 second delay for invalid passwords in sudo (actually PAM's fault). There's no reason for it (if you think there is look up unix_chkpwd). I tried to fix it but the PAM people have this strange idea that people like the delay. So I gave up on that and thought I may as well try fixing this other UX facepalm too. I doubt it would have happened with the original sudo (and they said as much) so it did require sudo-rs to exist.

I think this is one of the benefits of rewriting coreutils and so on in Rust - people are way more open to fixing long-standing issues. You don't get the whole "why are you overturning 46 years of tradition??" nonsense.

If anyone wants to rewrite PAM in Rust... :-D

https://github.com/linux-pam/linux-pam/issues/778

1718627440 15 minutes ago||

> There's no reason for it

The reason is to add a delay when bruteforcing passwords.

9dev 13 hours ago|||

> If anyone wants to rewrite PAM in Rust... :-D

If you do, offer support for writing modules in a scripting language like Lua or Python. PAM could make it a lot easier to just add OAuth with your company IdP, for example…

tetha 12 hours ago||

Ah, but then you choose the wrong language or language runtime and distros ship old versions for 10+ years :)

(compare: polkit. Both sides have their point, but I've been annoyed by this standoff a few times).

yonatan8070 13 hours ago|||

Pretty sure the 2s delay is designed to slow down brute-forcing it.

timhh 13 hours ago||

Not for local password authentication.

https://github.com/pibara/pam_unix/blob/master/unix_chkpwd.c...

onraglanroad 8 hours ago||

Yes, for local password authentication.

The code you linked to isn't the code for a wrong password. It's a check to make sure you're using a TTY. That code isn't to prevent brute force. The delay there is 10 seconds.

The 2 second delay is in support.c at https://github.com/pibara/pam_unix/blob/5727103caa9404f03ef0...

It only runs if "nodelay" is not set. But you might have another pam module setting its own delay. I have pam_faildelay.so set in /etc/pam.d/login

Change both the config files and you can remove the delay if you want.

timhh 5 hours ago||

> Yes, for local password authentication.

It's really really not. By default PAM has a difficult-to-disable 2ish second minimum delay for all authentication methods. However this is completely pointless for local password authentication because PAM checks password using unix_chkpwd, which has no delay. The comment I linked to is explaining that unix_chkpwd has a silly security theatre delay if you try to run it in a tty, but that's trivial to avoid.

If you want to brute force local password authentication you can just run unix_chkpwd as fast as you like. You don't need to involve PAM at all, so its 2 seconds delay achieves nothing.

It maybe does more for remote connections but I'm not sure about that either - if you want to check 10k ssh passwords per second what stops you making 10k separate connections every second? I don't think the 2 second delay helps there at all.

> Change both the config files and you can remove the delay if you want.

This is extremely complicated. See the comments in the issue for details.

onraglanroad 1 hour ago||

No, it's very simple. Do what I said in my comment. Add nodelay to the options for pam_unix.so and set pam_faildelay.so delay=0

That's it. You didn't link to any issue and the weird mistakes and justifications you're making feels like arguing with an LLM.

You obviously can't run unix_chkpwd against a local account without root.

egorfine 8 hours ago||

> You don't get the whole "why are you overturning 46 years of tradition??" nonsense

Respectfully, we are the opposing sides of the barricades here. I was removing sudo-rs, uutils and some of the systemd-* packages from fresh Ubuntu installations until the amount of virtue signaling got really tiresome.

Currently almost no Ubuntu left in my production. Hopefully Debian will not package those.

PS: Rust is awesome!

jiehong 10 hours ago||

This fixes another issue with that if you make a typo in your password, you don't know how many characters you need to delete, but now you would.

opan 7 hours ago|

I find it's usually faster to hit ctrl-u and start over anyway.

mgbmtl 3 hours ago|||

I have a really long passphrase in keepassxc. I often try to type it, fail 50% of the time, display the password, fix the typo. I would not use a long passphrase otherwise. (I understand there are other risks, such as having spyware that is recording my screen, but my main worry is for the safety of the file itself)

I know sudo-rs will likely not allow viewing the password in the short term, but the benefit to being able to have some visual feedback, is that it lets me use a more complex password.

Other example: if I'm on a ssh link with very high latency (ex: on a phone), I might type one character at the time, make sure they register correctly, and continue. If I can't do that, then I'll type the password in a text editor, then copy-paste it into the password prompt.

the_real_cher 5 hours ago|||

That's been my solution too and it's never been an issue for me tbh.

Havoc 11 hours ago||

This was actually the thing that derailed my first attempt at Linux. I was like 14 or 15 and didn’t understand that concept so couldn’t log in lol

qnleigh 1 hour ago|

I hope any hold-outs who aren't convinced yet will be after reading this comment!

Did you wind up sticking with Windows (or Mac) for a long time after this? How long until you tried again?

prmoustache 11 hours ago||

How many people with a loud mechanical keyboard shut their microphone to type a password whem sharing their screen in an audio/video call?

mikkupikku 3 hours ago||

A good life hack I figured out is to smear your laptop camera and microphone with sticky tack, not to totally disable them but to insufferably degrade them, then after a few attempts you can be excused from the expectation of ever appearing on video calls and can disable both permanently.

opan 7 hours ago||

If you start by hitting backspace a few times and/or typing random characters and deleting them (to make sure the keyboard's working and sending your inputs where you think) it should obscure the length somewhat.

justsomehnguy 1 hour ago||

Hitting Home, End and Ins would "add" another 3 characters yet would not change the password. A full 100+ keyboard needed.

leni536 14 hours ago||

sudo is not the only thing that prompts for password in the terminal. There is at least passwd and ssh.

I value ctrl+U a lot more for password prompts than the visual feedback, it's even used by GUI on Linux.

timhh 13 hours ago|

Yeah I would like to fix those too but sudo is the one I encounter most. Also the existence of sudo-rs meant there was less push-back. I seriously doubt the maintainers of openssh or passwd would accept this change.

Gabrys1 3 hours ago||

BTW, you can also enable the PW feedback on the classic sudo. I've done that on one of my hosts

SkyeCA 3 hours ago||

This is a good UX change, one of many UX improvements needed on CLIs.

Not showing feedback on user input is objectively confusing for inexperienced users.

johnisgood 3 hours ago|

> and further adoption of Rust-based core utilities — including uutils/coreutils

Is it usable now? Do all utilities support all of GNU's features (or most)?

Aeolos 1 hour ago|

95% of the test suite is passing today, so it's pretty close: https://github.com/uutils/coreutils-tracking/blob/main/gnu-r...

There is a list of open items here, it's looking pretty good tbh: https://github.com/orgs/uutils/projects/1

More comments...