Installed Ubuntu 26.04 for the first time.

30 Posts 16 Posters 41 Views
  • jimsalter@fosstodon.org

    Installed Ubuntu 26.04 for the first time.

    Logged into a TTY.

    me@box:~$ sudo -s
    Password: ********************

    EXCUSE ME--ASTERISKS? WTF?

    Look, obviously I appreciate that seeing the character count as you type makes it easier. But this is supposed to be suitable for high security environments. And making it easy to see the character count is a significant entropy leak.

    This should not be the default configuration, particularly in Ubuntu *server* (which is what I installed). DISAPPROVE.

    ndonegan@mastodon.ie
    wrote last edited by
    #2

    @jimsalter This was something that caught me out when I first installed a very early Red Hat from the free CD given away with the PC Plus magazine. That's way longer ago than I'd like to admit!

      jimsalter@fosstodon.org
      wrote last edited by
      #3

      @ndonegan it was a mild surprise to me the first time I encountered it, but I just hit enter where I was (a few characters in), got the expected "that wasn't it" response, then typed in the whole thing, hit enter, and acknowledged old Robert as brother to a parent.

        feoh@oldbytes.space
        wrote last edited by
        #4

        @jimsalter Definitely a major whoopsie.

        I mean, it's possible that they made this choice in the name of user friendliness and would stand behind that.

        I'll bet you could put a bee in the bonnet of responsible folks at Canonical. Might be worth at least hearing their reasoning on this.

          haui@mastodon.giftedmc.com
          wrote last edited by
          #5

          @jimsalter
          Then again, don't pros actually use Debian server? 🙂

            brnrd@bsd.network
            wrote last edited by
            #6

            @jimsalter noticed this too in the dev channel. Asked co-worker what was different, he pointed out exactly the same.

            But, ya know, it's way more securest 'cuz it's now built in Rust!!!

              rasmus91@fosstodon.org
              wrote last edited by
              #7

              @brnrd @jimsalter there's no reason to make it sound like rewriting an app on Rust is not inherently now secure.

              As far as I understood the interview I read, showing asterisks as you type in the password was a conscious decision in and of itself.

                johnlogic@sfba.social
                wrote last edited by
                #8

                @feoh @jimsalter

                I used Ubuntu for about 10 years.

                But when they migrated to the snap package manager, I decided that they were no longer "reasonable".

                I shopped for attractive alternatives, and for the last few years have been running Linux Mint Debian Edition (LMDE), which has been better overall. (Also: no asterisks in my TTY password entry.)

                  aburka@hachyderm.io
                  wrote last edited by
                  #9

                  @feoh @jimsalter it is a design decision made by sudo-rs for UX reasons, yeah https://github.com/trifectatechfoundation/sudo-rs/issues/1300

                    feoh@oldbytes.space
                    wrote last edited by
                    #10

                    @aburka @jimsalter Thanks for that.

                    Seems like you can disable this by setting 'pwfeedback' in your sudoers.

                    Interesting discussion on that issue.

                      feoh@oldbytes.space
                      wrote last edited by
                      #11

                      @johnlogic @jimsalter Glad you found something that works for you.

                        johnlogic@sfba.social
                        wrote last edited by
                        #12

                        @feoh by the way, atari800 BASIC works pretty well on LMDE; I still enjoy playing with it.

                          ayushnix@social.ayushnix.com
                          wrote last edited by
                          #13

                          @jimsalter Maybe I'm wrong but not exposing password length seems like security theater to me. If someone types a strong 20 character random password or a 7-8 word diceware password, it won't really matter if the length is exposed. If someone types a weak 4 character password or uses something easily guessable, they're in trouble.

                          Besides, if someone is close enough to discern the password length by looking at those asterisks, they might be close enough to see or hear someone type and discern the length even if there are no visible asterisks.

                            feoh@oldbytes.space
                            wrote last edited by
                            #14

                            @johnlogic atari800 works great everywhere 🙂 That's one of its virtues.

                            You might also consider looking at Fujisan - https://github.com/pedgarcia/fujisan/ if you want to add networking to your emulated #atari8bit enjoyment!

                              jimsalter@fosstodon.org
                              wrote last edited by
                              #15

                              @ayushnix there's a significant difference between the entropy of a "roughly eight to twelve, I think?" character line noise secret, and a "precisely eleven character" line noise secret. The length also gives you a very strong clue whether you are looking at characters or words as tokens in the secret, more lost entropy.

                              Don't get me wrong, this isn't the end of the world. But I don't *like* it. IMO this is a dumbing-down, and not a good one.
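To put numbers on the length question discussed in the posts above, here is an added example (not written by any poster in this thread). It compares two attacker models for uniformly random secrets; the 95-character printable-ASCII alphabet, the 7776-word diceware list and the function names are assumptions made for illustration.

```python
import math

PRINTABLE_ASCII = 95   # assumption: uniformly random printable-ASCII characters
DICEWARE_WORDS = 7776  # assumption: standard 6^5-word diceware list


def space_bits(alphabet: int, lo: int, hi: int) -> float:
    """log2 of the number of secrets made of lo..hi tokens drawn from `alphabet`."""
    if lo < 1 or hi < lo:
        raise ValueError("need 1 <= lo <= hi")
    return math.log2(sum(alphabet ** n for n in range(lo, hi + 1)))


def candidate_set_leak_bits(alphabet: int, lo: int, hi: int, actual: int) -> float:
    """Model 1: bits removed from the candidate set when the attacker's
    knowledge goes from 'somewhere in lo..hi tokens' to 'exactly actual'."""
    if not lo <= actual <= hi:
        raise ValueError("actual length must lie inside the assumed range")
    return space_bits(alphabet, lo, hi) - space_bits(alphabet, actual, actual)


def shortest_first_saving_bits(alphabet: int, lo: int, actual: int) -> float:
    """Model 2: worst-case guesses saved (in bits) for an attacker who would
    otherwise enumerate every length from lo upward, shortest first, and so
    only wastes effort on the lengths below `actual`."""
    if not lo <= actual:
        raise ValueError("actual length must be at least lo")
    return space_bits(alphabet, lo, actual) - space_bits(alphabet, actual, actual)


def report():
    """Return (label, model-1 bits, model-2 bits) for two constructed cases."""
    cases = [
        # label, alphabet, lo, hi, actual  (all values constructed for the example)
        ("line noise, 8-12 chars, actually 11", PRINTABLE_ASCII, 8, 12, 11),
        ("diceware, 7-8 words, actually 7", DICEWARE_WORDS, 7, 8, 7),
    ]
    rows = []
    for label, alphabet, lo, hi, actual in cases:
        rows.append((
            label,
            round(candidate_set_leak_bits(alphabet, lo, hi, actual), 3),
            round(shortest_first_saving_bits(alphabet, lo, actual), 3),
        ))
    return rows


if __name__ == "__main__":
    print(f"{'case':40} {'candidate-set':>14} {'shortest-first':>15}")
    for label, m1, m2 in report():
        print(f"{label:40} {m1:>14.3f} {m2:>15.3f}")
```

Both models assume uniformly random tokens; neither captures the characters-versus-words clue raised above, nor human-chosen passwords, where a known length can prune a guessing dictionary.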

                                jimsalter@fosstodon.org
                                wrote last edited by
                                #16

                                @feoh pretty sure it boils down to "rust rewrites are the new hotness so we dropped sudo-rs in where sudo used to be."

                                In fairness to sudo-rs, that project is in part trying to simplify things from classic sudo, which is rather crufty with decades of often inadvisable feature creep.

                                I'm cool with getting on board THAT part of the train but I'm not happy about the asterisks.

                                  feoh@oldbytes.space
                                  wrote last edited by
                                  #17

                                  @jimsalter I get it, and I even get being grumbly about YET ANOTHER configuration tweak you need to make to have Ubuntu operate within your version of accepted norms, but at LEAST it's configurable and there's a clear and unambiguous way to set it back to prior behavior.

                                  They could pull a systemd ... "All bets are off. Like it or lump it!" 🙂

                                    jimsalter@fosstodon.org
                                    wrote last edited by
                                    #18

                                    @feoh yeah, "shutdown -r now" also stopped working in 26.04, because either you're a regular user without privileges to do so, or you're root *but your TTY under your real UID* is used as an excuse to prevent you.

                                    Either way, you're left to use systemctl with weird arguments (like there's any other fucking way to use systemctl) to restart your system from the command line, because shutdown has been unceremoniously made useless without actually being removed.

                                      feoh@oldbytes.space
                                      wrote last edited by
                                      #19

                                      @jimsalter Whoa. Now THAT is gonna break an awful lot of muscle memory!

                                        fedops@fosstodon.org
                                        wrote last edited by
                                        #20

                                        @jimsalter @feoh systemctl reboot doesn't work either?

                                        Man those Ubuntu people are really on a roll recently.

                                          jimsalter@fosstodon.org
                                          wrote last edited by
                                          #21

                                          @rl_dane @feoh YES.

                                          In short, I miss the unix philosophy. The Linux world seems to have almost entirely forgotten it. And all this LLM bollocks is the very literal and exact opposite!
