Bugzilla – Bug 286
Give some visible feedback when typing the password
Last modified: 2009-02-09 12:52:33 MST
Quote from original Ubuntu bug: "I'm reading a lot of forum postings and every other day someone with little experience in linux and shell commands asks the question "I'm trying to execute sudo $command, but when i try to enter my password nothing happens, i can't see what i'm typing and i also don't see asteriks like ***, so is my keyboard dead?". Our UI usability guru suggested to fix this by getting sudo to show asterisks as you type your password. This would be similar to what PolicyKit, gksu, etc. already do. Of course this would give away the length of the password. Personally I think this is not a big problem, as long as it would not remain on the screen permanently (i. e. the asterisks should be removed again when pressing Enter). If someone is watching over your shoulder, he can as well get the length of your password by just counting keyboard clicks. :-) If this is an issue, though, then the length could be obfuscated by printing out a random (1 to 3) number of asterisks, or by displaying a throbber animation like | / - \ or similar. What do you think about this? I would like to avoid patching this only in Ubuntu, it should be consistent in all distro packages. Thanks in advance!
sudo reads the password the same way most other traditional unix programs do. I don't see a reason to change that. Starting in sudo 1.7 there is a facility for using a helper program to read the password. The intent is to make it easy to use graphical password prompters but a text-based one could be used just as easily.
I've since received messages from several people confused by the lack of keyboard feedback during the password prompt so I'm going to relent and add support for printing * during keypresses in sudo 1.7.1 (the change is present in the sudo cvs now). It will not be the default behavior but vendors may enable it in the default sudoers file they ship.
Thank you!