Installed Ubuntu 26.04 for the first time.
Logged into a TTY.
me@box:~$ sudo -s
Password: ********************EXCUSE ME--ASTERISKS? WTF?
Look, obviously I appreciate that seeing the character count as you type makes it easier. But this is supposed to be suitable for high security environments. And making it easy to see the character count is a significant entropy leak.
This should not be the default configuration, particularly in Ubuntu *server* (which is what I installed). DISAPPROVE.
@jimsalter noticed this too in the dev channel. Asked co-worker what was different, he pointed out exactly the same.
But, ya know, it's way more securest 'cuz it's now built in Rust!!!
-
@brnrd @jimsalter there's no reason to make it sound like rewriting an app in Rust is not inherently now secure.
As far as I understood the interview I read, showing asterisks as you type in the password was a conscious decision in and of itself.
-
@jimsalter Definitely a major whoopsie.
I mean, it's possible that they made this choice in the name of user friendliness and would stand behind that.
I'll bet you could put a bee in the bonnet of responsible folks at Canonical. Might be worth at least hearing their reasoning on this.
-
I used Ubuntu for about 10 years.
But when they migrated to the snap package manager, I decided that they were no longer "reasonable".
I shopped for attractive alternatives, and for the last few years have been running Linux Mint Debian Edition (LMDE), which has been better overall. (Also: no asterisks in my TTY password entry.)
-
@feoh @jimsalter it is a design decision made by sudo-rs for UX reasons, yeah https://github.com/trifectatechfoundation/sudo-rs/issues/1300
-
@aburka @jimsalter Thanks for that.
Seems like you can disable this by setting 'pwfeedback' in your sudoers.
Interesting discussion on that issue.
-
@johnlogic @jimsalter Glad you found something that works for you.
-
@feoh by the way, atari800 BASIC works pretty well on LMDE; I still enjoy playing with it.
-
@jimsalter Maybe I'm wrong but not exposing password length seems like security theater to me. If someone types a strong 20 character random password or a 7-8 word diceware password, it won't really matter if the length is exposed. If someone types a weak 4 character password or uses something easily guessable, they're in trouble.
Besides, if someone is close enough to discern the password length by looking at those asterisks, they might be close enough to see or hear someone type and discern the length even if there are no visible asterisks.
-
@johnlogic atari800 works great everywhere
That's one of its virtues. You might also consider looking at Fujisan - https://github.com/pedgarcia/fujisan/ if you want to add networking to your emulated #atari8bit enjoyment!
-
@ayushnix there's a significant difference between the entropy of a "roughly eight to twelve, I think?" character line noise secret, and a "precisely eleven character" line noise secret. The length also gives you a very strong clue whether you are looking at characters or words as tokens in the secret, more lost entropy.
Don't get me wrong, this isn't the end of the world. But I don't *like* it. IMO this is a dumbing-down, and not a good one.
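To put numbers on the exchange above about how much seeing the asterisk count gives away, here is an added example (mine, not code from anyone in the thread or from sudo-rs). It models a secret as a uniformly random string over an alphabet of a given size whose length is drawn from a weighted set of lengths; under that model the most an observer can learn from the exact length is the Shannon entropy of the length distribution, and the rest of the secret's entropy is untouched. The alphabet size of 95 (printable ASCII) and the "8 to 12 characters, equally likely" length range are my assumptions for a "line noise" password.

```python
import math

# Added example, not from the thread: how many bits does exposing the exact
# length of a password remove? Assumptions (mine): symbols are uniform over
# `alphabet_size`, and the length is drawn from `length_weights`, a mapping
# length -> relative frequency.

PRINTABLE_ASCII = 95  # assumed alphabet for a "line noise" secret


def _normalise(length_weights):
    """Turn relative weights into a probability distribution over lengths."""
    total = sum(length_weights.values())
    return {L: w / total for L, w in length_weights.items()}


def length_entropy_bits(length_weights):
    """Shannon entropy of the length distribution: the most an observer can
    learn from counting the asterisks, whatever else they know."""
    probs = _normalise(length_weights)
    return -sum(p * math.log2(p) for p in probs.values() if p > 0)


def secret_entropy_bits(alphabet_size, length_weights):
    """Total entropy of (length, symbols) = H(L) + E[L] * log2(alphabet)."""
    probs = _normalise(length_weights)
    expected_len = sum(L * p for L, p in probs.items())
    return length_entropy_bits(length_weights) + expected_len * math.log2(alphabet_size)


def length_leak_report(alphabet_size, length_weights):
    """Return (leaked_bits, total_bits, remaining_bits) for the model."""
    leaked = length_entropy_bits(length_weights)
    total = secret_entropy_bits(alphabet_size, length_weights)
    return leaked, total, total - leaked


if __name__ == "__main__":
    # Constructed scenarios: a length that is only "roughly 8 to 12", a policy
    # that fixes the length (nothing to learn), and a short fixed-length secret.
    scenarios = {
        "8-12 random chars": {L: 1 for L in range(8, 13)},
        "exactly 11 chars": {11: 1},
        "exactly 4 chars": {4: 1},
    }
    for name, weights in scenarios.items():
        leaked, total, left = length_leak_report(PRINTABLE_ASCII, weights)
        print(f"{name:20s} total {total:6.1f} bits, length leaks {leaked:4.2f} bits, {left:6.1f} bits left")
```

Swap in your own alphabet size and length distribution (for example the word-count range of a passphrase scheme) to see what the asterisk count can reveal under that policy; the leak is always bounded by the entropy of the length distribution itself.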
-
@feoh pretty sure it boils down to "rust rewrites are the new hotness so we dropped sudo-rs in where sudo used to be."
In fairness to sudo-rs, that project is in part trying to simplify things from classic sudo, which is rather crufty with decades of often inadvisable feature creep.
I'm cool with getting on board THAT part of the train but I'm not happy about the asterisks.
-
@jimsalter I get it, and I even get being grumbly about YET ANOTHER configuration tweak you need to make to have Ubuntu operate within your version of accepted norms, but at LEAST it's configurable and there's a clear and unambiguous way to set it back to prior behavior.
They could pull a systemd ... "All bets are off. Like it or lump it!"

-
@feoh yeah, "shutdown -r now" also stopped working in 26.04, because either you're a regular user without privileges to do so, or you're root *but your TTY under your real UID* is used as an excuse to prevent you.
Either way, you're left to use systemctl with weird arguments (like there's any other fucking way to use systemctl) to restart your system from the command line, because shutdown has been unceremoniously made useless without actually being removed.
-
@jimsalter Whoa. Now THAT is gonna break an awful lot of muscle memory!
-
@jimsalter @feoh systemctl reboot doesn't work either?
Man those Ubuntu people are really on a roll recently.
-
@jimsalter @rl_dane AND YOU KIDS GET OFF JIM'S LAWN!

I wonder if the problem is that we're aging out.
Maybe there aren't enough people actually still actively contributing to open source who remember the Bad Old Days when every vendor had a brain wave about every aspect of the system and Everything Was Terrible.
-
@jimsalter It disappears when you press <enter> so if you allowed someone to watch you typing, that seems a greater risk.
-
@jimsalter https://documentation.ubuntu.com/release-notes/26.04/changes-since-previous-interim/
sudo-rs
Password feedback is now enabled by default in order to improve the user experience of sudo. If the previous behavior is preferred...
"improving the user experience of sudo" is a lame reason for them to make pwfeedback default now. Yes, it's an easy change to revert that, but still...
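Both the earlier reply about setting pwfeedback in sudoers and the release-notes excerpt just above say the fix is a sudoers setting; the script below is an added example (mine, not from the thread, Canonical, or the sudo-rs project) of doing that the safe way: a drop-in file rather than an edit to /etc/sudoers, restrictive permissions from the moment the file exists, and a syntax check before sudo ever reads it, since a malformed sudoers can lock you out of root. It assumes the classic sudoers boolean syntax `Defaults !pwfeedback` is accepted by sudo-rs (the release notes point at pwfeedback as the knob), that /etc/sudoers.d is included as usual, and that `visudo -c -f FILE` checks a single file; the drop-in name `10-no-pwfeedback` and the script name used in the run guard are my choices.

```sh
#!/bin/sh
# Added example, not from the thread or from sudo-rs: install a sudoers
# drop-in that turns password feedback (asterisks) back off, then check it.
# Assumptions: sudo-rs honours `Defaults !pwfeedback`, /etc/sudoers.d is
# included, and `visudo -c -f FILE` syntax-checks one file.
set -eu

# Usage: write_pwfeedback_dropin [DIR]   (DIR defaults to /etc/sudoers.d)
# Prints the path of the file it wrote.
write_pwfeedback_dropin() {
    dir="${1:-/etc/sudoers.d}"
    file="$dir/10-no-pwfeedback"   # file name is an assumption; pick any name sudo accepts
    mkdir -p "$dir"
    # umask 077 so the file is never world-readable between creation and chmod
    ( umask 077
      printf '%s\n' \
          '# Restore classic sudo behaviour: no asterisks while typing a password' \
          'Defaults !pwfeedback' > "$file" )
    chmod 0440 "$file"
    # Syntax-check the new file in isolation. A parse error here is what
    # would otherwise lock you out of sudo; skip when visudo is not installed.
    if command -v visudo >/dev/null 2>&1; then
        visudo -c -f "$file" >&2
    fi
    printf '%s\n' "$file"
}

# When run as a script named pwfeedback-off.sh (my assumed name), write the
# real drop-in; this needs root. When sourced, only the function is defined.
if [ "${0##*/}" = "pwfeedback-off.sh" ]; then
    write_pwfeedback_dropin "$@"
fi
```

After installing the drop-in, `sudo -v` from a TTY should prompt without echoing asterisks; if it still does, check that the drop-in directory is actually included from /etc/sudoers on the system in question.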