Most applications normally display a feedback using asterisks (*******) when a user is typing a password, but on the Linux terminal, when a normal user runs the sudo command to gain super user privileges, he/she is asked for a password, but no visual feedback is seen by the user while typing the password.
In this article, we will show how to display asterisks as feedback when you type passwords in the terminal in Linux.
Take a look at the following screen shot, here the user tecmint has invoked the sudo command to install the vim text editor in CentOS 7, but there is no visual feedback as the password is typed (in this case the password has already been entered):
$ sudo yum install vim
You can enable the password feedback feature in /etc/sudoers file, but first create a backup of the file, then open it for editing using the visudo command.
$ sudo cp /etc/sudoers /etc/sudoers.bak $ sudo visudo
Search for the following line.
Defaults env_reset
And append pwfeedback to it, so that it looks like this.
Defaults env_reset,pwfeedback
Now press Esc key and type :wq to save and close the file. But if you are using nano editor, save the file by hitting “Ctrl+x” and then “y” followed by “ENTER” to close it.
Then run the command below to reset your terminal for the above changes to start working.
$ reset
That’s it, now you should be able to see a visual feedback (****) every time when you typing a password on the terminal, as shown in the following screen shot.
$ sudo yum update
You might also like to read these following related articles.
- 10 Useful Sudoers Configurations for Setting ‘sudo’ in Linux
- How to Run ‘sudo’ Command Without Entering a Password in Linux
- Let Sudo Insult You When You Enter Incorrect Password
- How to Run Shell Scripts with Sudo Command in Linux
If you have any Linux terminal tips or tricks to share with us, use the comment section below.
Some people say that having an indicator when typing the password is a risk, perhaps they’re right, but having no indication at all can also be a risk. Scenario: you’re typing in your password and getting no feedback as expected, you press enter and … nothing happens. Surprise! It turns out another input field on another screen had to focus, and your password is now plaintext in your favorite discord channel. Which is the bigger risk?
@Anonymous
The biggest risk is having an indicator when typing the password, I suppose.
While the asterisk thing is sometimes justified, for the most part it is just a nuisance. What is needed is the capability to optionally disable it.
@WQQ
It is actually disabled by default. So, here, we are only showing how to enable it.
Looked this up for a bit to see how it worked, turns out you’re discouraged to use env_reset. This is why when I looked into my sudoers file everything was achieved instead via
env_keep += "".You can just choose to put Default pwfeedback as its own line probably pretty much anywhere in the sudoers file.
The point was to do it WITHOUT modifying sudoers!
Many places (large places) have very tight control on the sudoers, and rightly so.
Modifying it for your personal gain is not allowed.
Also if you have 700+ systems each with their own sudoers setup, you don’t want to be changing it. I distribute my home and it then works on all the systems.
My technique using the SUDO_ASKPASS hook (with sudo -A option) does not require changes to the system level configuration, it works at a personal level! I also do things to allow me to setup some environment root shell via sudo (for things like X windows).
Again more personal things you don’t really want set globally.
It is possible to get sudo to display stars for password entry WITHOUT modifying the sudo configuration! You first need a program that can read a password while displaying stars…
For example under most Linux computers you can use systemd-ask-password, next add it to an environment variable:
Now you can use that password input program.
OR do it all in the one command (or shell alias)…
Instead of systemd-ask-password you can also DIY a program to do the same such as described here, and the final resulting shell script here.
This script will fall back to using systemd-ask-password, if available while also fixing some annoyances with that command to do with TTY settings when interrupted.
@anthony
You will have to modify sudo configuration as shown, to the best of our knowledge. Once we find a way to “get sudo to display stars for password entry WITHOUT modifying the sudo configuration”, we will let you know. Thanks for the feedback.
No configuration changes needed! The echo stars is handled by the external password reader, then passed to sudo.
I use this technique all the time on Solaris as well as Redhat v5 thru v7.
Good job guys. Added this and “Insults” to sudo while I was at it. :)
Also, Aaron’s comments regarding the potential security risk are spot on. Not everyone believes there’s a cache of password thieves lurking over their shoulders. Virtually every cell phone app and webpage has key-for-key asterisks as feedback when typing your password. This just adds uniformity to the shell. Besides. it’s Linux – you can configure your Linux any way you like,
@Stuart
Thanks for appreciating our work and for the kind words of encouragement.
It might be a good idea for you to mention WHY sudo doesn’t do this. Showing asterisks is a security risk, it allows someone (over the shoulder, or screenshot, etc) to know the number of characters you entered, which allows you to reduce the number of brute force attempts.
oh, and more commonly sudo-ing in tmux/screen in a shared session.
@Caleb
I suppose you are sharing the same concern as @RTR, in case you are operating computers in security critical environments then you can leave this feature turned off, especially where there are strict security policies in place against such practices. But i believe it is useful on personal computers or home work stations.
Yes there are reasons for not showing asterisks. And there are also ways to still get keypress feedback without showing how may characters you typed. It all depends on how you set up your “askpass” program.
I listed some ideas for this in my study text file passwd_input.txt.
And look for “WARNING about using echoed stars…”
Here are some ideas…
* Output a random number of stars with each character input.
But you may need to keep track of the number for ‘deletes‘.
* Show a ascii-art animation (a random muber of steps) for each key…
+ Cycle a spinning line,
\ | / -or pulsing star. + * + .+ or a short bar with a star bounce back and forth
This does not need to keep track for deletions as you just continue the
animation when you get a delete or reset line signal.
* Allow the use to turn on no-echo by pressing delete at the start
“systemd-ask-password” actually does this, printing “(no echo)”.
What for? To make sure that nobody is going to be able to look over your shoulder and lift your password? There are far simpler ways of thwarting this particular attack vector. This is an idea that looked virtuous originally, that was never that great, that probably creates more issues than it solves, and that should be ditched, once and for all.
@RTR
Good concern, but i believe as long as the password is not seen, there should really be some kind of visual feedback for a user to know the length of a password they have typed, particularly for long passwords.
However, if you are working in security critical environments then you can disable this feature, especially where there are strict security policies in place against such practices.
it works on my mac too. thanks
@reza
Welcome, thanks for the feedback.
Use nano much? “Ctrl+x” and “Ctrl + y” does not save a file with nano. “Ctrl+x” then “y” followed by “ENTER” does.
@Stuart
Thanks for the heads up, we will correct it in the article.
@Stuart,
You correct, it should be
yto save and Enter to close the file, corrected in the writeup as suggested.