Installed Ubuntu 26.04 for the first time.
-
Installed Ubuntu 26.04 for the first time.
Logged into a TTY.
me@box:~$ sudo-s
Password: ********************EXCUSE ME--ASTERISKS? WTF?
Look, obviously I appreciate that seeing the character count as you type makes it easier. But this is supposed to be suitable for high security environments. And making it easy to see the character count is a significant entropy leak.
This should not be the default configuration, particularly in Ubuntu *server* (which is what I installed). DISAPPROVE.
@jimsalter Maybe I'm wrong but not exposing password length seems like security theater to me. If someone types a strong 20 character random password or a 7-8 word diceware password, it won't really matter if the length is exposed. If someone types a weak 4 character password or uses something easily guessable, they're in trouble.
Besides, if someone is close enough to discern the password length by looking at those asterisks, they might be close enough to see or hear someone type and discern the length even if there are no visible asterisks.
-
@feoh by the way, atari800 BASIC works pretty well on LMDE; I still enjoy playing with it.
@johnlogic atari800 works great everywhere
That's one of its virtues.You might also consider looking at Fujisan - https://github.com/pedgarcia/fujisan/ if you want to add networking to your emulated #atari8bit enjoyment!
-
@jimsalter Maybe I'm wrong but not exposing password length seems like security theater to me. If someone types a strong 20 character random password or a 7-8 word diceware password, it won't really matter if the length is exposed. If someone types a weak 4 character password or uses something easily guessable, they're in trouble.
Besides, if someone is close enough to discern the password length by looking at those asterisks, they might be close enough to see or hear someone type and discern the length even if there are no visible asterisks.
@ayushnix there's a significant difference between the entropy of a "roughly eight to twelve, I think?" character line noise secret, and a "precisely eleven character" line noise secret. The length also gives you a very strong clue whether you are looking at characters or words as tokens in the secret, more lost entropy.
Don't get me wrong, this isn't the end of the world. But I don't *like* it. IMO this is a dumbing-down, and not a good one.
-
@jimsalter Definitely a major whoopsie.
I mean, it's possible that they made this choice in the name of user friendliness and would stand behind that.
I'll bet you could put a bee in the bonnet of responsible folks at Canonical. Might be worth at least hearing their reasoning on this.
@feoh pretty sure it boils down to "rust rewrites are the new hotness so we dropped sudo-rs in where sudo used to be."
In fairness to sudo-rs, that project is in part trying to simplify things from classic sudo, which is rather crufty with decades of often inadvisable feature creep.
I'm cool with getting on board THAT part of the train but I'm not happy about the asterisks.
-
@feoh pretty sure it boils down to "rust rewrites are the new hotness so we dropped sudo-rs in where sudo used to be."
In fairness to sudo-rs, that project is in part trying to simplify things from classic sudo, which is rather crufty with decades of often inadvisable feature creep.
I'm cool with getting on board THAT part of the train but I'm not happy about the asterisks.
@jimsalter I get it, and I even get being grumbly about YET ANOTHER configuration tweak you need to make to have Ubuntu operate within your version of accepted norms, but at LEAST it's configurable and there's a clear and unambiguous way to set it back to prior behavior.
They could pull a systemd ... "All bets are off. Like it or lump it!"
-
@jimsalter I get it, and I even get being grumbly about YET ANOTHER configuration tweak you need to make to have Ubuntu operate within your version of accepted norms, but at LEAST it's configurable and there's a clear and unambiguous way to set it back to prior behavior.
They could pull a systemd ... "All bets are off. Like it or lump it!"
@feoh yeah, "shutdown -r now" also stopped working in 26.04, because either you're a regular user without privileges to do so, or you're root *but your TTY under your real UID* is used as an excuse to prevent you.
Either way, you're left to use systemctl with weird arguments (like there's any other fucking way to use systemctl) to restart your system from the command line, because shutdown has been unceremoniously made useless without actually being removed.
-
@feoh yeah, "shutdown -r now" also stopped working in 26.04, because either you're a regular user without privileges to do so, or you're root *but your TTY under your real UID* is used as an excuse to prevent you.
Either way, you're left to use systemctl with weird arguments (like there's any other fucking way to use systemctl) to restart your system from the command line, because shutdown has been unceremoniously made useless without actually being removed.
@jimsalter Whoa. Now THAT is gonna break an awful lot of muscle memory!
-
@feoh yeah, "shutdown -r now" also stopped working in 26.04, because either you're a regular user without privileges to do so, or you're root *but your TTY under your real UID* is used as an excuse to prevent you.
Either way, you're left to use systemctl with weird arguments (like there's any other fucking way to use systemctl) to restart your system from the command line, because shutdown has been unceremoniously made useless without actually being removed.
@jimsalter @feoh systemctl reboot doesn't work either?
Man those Ubuntu people are really on a roll recently.
-
In short, I miss the unix philosophy. The Linux world seems to have almost entirely forgotten it. And all this LLM bollocks is the very literal and exact opposite!
-
@jimsalter @feoh systemctl reboot doesn't work either?
Man those Ubuntu people are really on a roll recently.
-
@jimsalter @rl_dane AND YOU KIDS GET OFF JIM'S LAWN!
I wonder if the problem is that we're aging out.
Maybe there aren't enough people actually still actively contributing to open source who remember the Bad Old Days when every vendor had a brain wave about every aspect of the system and Everything Was Terrible.
-
Installed Ubuntu 26.04 for the first time.
Logged into a TTY.
me@box:~$ sudo-s
Password: ********************EXCUSE ME--ASTERISKS? WTF?
Look, obviously I appreciate that seeing the character count as you type makes it easier. But this is supposed to be suitable for high security environments. And making it easy to see the character count is a significant entropy leak.
This should not be the default configuration, particularly in Ubuntu *server* (which is what I installed). DISAPPROVE.
@jimsalter It disappears when you press <enter> so if you allowed someone to watch you typing, that seems a greater risk.
-
Installed Ubuntu 26.04 for the first time.
Logged into a TTY.
me@box:~$ sudo-s
Password: ********************EXCUSE ME--ASTERISKS? WTF?
Look, obviously I appreciate that seeing the character count as you type makes it easier. But this is supposed to be suitable for high security environments. And making it easy to see the character count is a significant entropy leak.
This should not be the default configuration, particularly in Ubuntu *server* (which is what I installed). DISAPPROVE.
@jimsalter https://documentation.ubuntu.com/release-notes/26.04/changes-since-previous-interim/
sudo-rs
Password feedback is now enabled by default in order to improve the user experience of sudo. If the previous behavior is preferred...
"improving the user experience of sudo" is a lame reason for them to make pwfeedback default now. Yes, its an easy change to revert that, but still...
-
Both. I see younger folks who grew up on M$ and Hipple who now want to be "free" in an M$ or Hipple way. They never tried to see Unix for Unix. That's why "systemd" is from an M$ dev. My guess is other tools are too, like 'ip' in lieu of ifconfig/route/arp/etc. The KISS philosophy died because next gen devs didn't change their thinking.
-
I used Ubuntu for about 10 years.
But when they migrated to the snap package manager, I decided that they were no longer "reasonable".
I shopped for attractive alternatives, and for the last few years have been running Linux Mint Debian Edition (LMDE), which has been better overall. (Also: no asterisks in my TTY password entry.)
-
@jimsalter I get it, and I even get being grumbly about YET ANOTHER configuration tweak you need to make to have Ubuntu operate within your version of accepted norms, but at LEAST it's configurable and there's a clear and unambiguous way to set it back to prior behavior.
They could pull a systemd ... "All bets are off. Like it or lump it!"
@feoh @jimsalter with every new release, Canonical validates my decision to ditch Ubuntu... which, wow, was like 5 years ago or more already if you don't count Linux Mint as being Ubuntu (because they rip out a lot of the bad decisions). time flies.
I'm gonna switch to Linux Mint Debian Edition when I reinstall my laptop, then it really will be the end of an era. no Ubuntu or derivatives on any system I control.
-
@jimsalter @rl_dane @feoh after recent systemd debacles I've moved getting familiar with at least one BSD higher in my priority queue for this reason, although it would also be nice if Devuan deliberately develops in a direction consistent with the UNIX Philosophy
-
Installed Ubuntu 26.04 for the first time.
Logged into a TTY.
me@box:~$ sudo-s
Password: ********************EXCUSE ME--ASTERISKS? WTF?
Look, obviously I appreciate that seeing the character count as you type makes it easier. But this is supposed to be suitable for high security environments. And making it easy to see the character count is a significant entropy leak.
This should not be the default configuration, particularly in Ubuntu *server* (which is what I installed). DISAPPROVE.
@jimsalter I mean... kudos for using a 20 character password...
-
R relay@relay.mycrowd.ca shared this topic
