How to Show Asterisks While Typing Sudo Password in Linux

If You Appreciate What We Do Here On TecMint, You Should Consider:

  1. Stay Connected to: Twitter | Facebook | Google Plus
  2. Subscribe to our email updates: Sign Up Now
  3. Get your own self-hosted blog with a Free Domain at ($3.45/month).
  4. Become a Supporter - Make a contribution via PayPal
  5. Support us by purchasing our premium books in PDF format.
  6. Support us by taking our online Linux courses

We are thankful for your never ending support.

Aaron Kili

Aaron Kili is a Linux and F.O.S.S enthusiast, an upcoming Linux SysAdmin, web developer, and currently a content creator for TecMint who loves working with computers and strongly believes in sharing knowledge.

Your name can also be listed here. Got a tip? Submit it here to become an TecMint author.

RedHat RHCE and RHCSA Certification Book
Linux Foundation LFCS and LFCE Certification Preparation Guide

You may also like...

18 Responses

  1. Alfonso Lopez says:

    Looked this up for a bit to see how it worked, turns out you’re discouraged to use env_reset. This is why when I looked into my sudoers file everything was achieved instead via env_keep += "".

    You can just choose to put Default pwfeedback as its own line probably pretty much anywhere in the sudoers file.

    • Anthony Thyssen says:

      The point was to do it WITHOUT modifying sudoers!

      Many places (large places) have very tight control on the sudoers, and rightly so.
      Modifying it for your personal gain is not allowed.

      Also if you have 700+ systems each with their own sudoers setup, you don’t want to be changing it. I distribute my home and it then works on all the systems.

      My technique using the SUDO_ASKPASS hook (with sudo -A option) does not require changes to the system level configuration, it works at a personal level! I also do things to allow me to setup some environment root shell via sudo (for things like X windows).

      Again more personal things you don’t really want set globally.

  2. anthony says:

    It is possible to get sudo to display stars for password entry WITHOUT modifying the sudo configuration! You first need a program that can read a password while displaying stars…

    For example under most Linux computers you can use systemd-ask-password, next add it to an environment variable:

    # SUDO_ASKPASS=/usr/bin/systemd-ask-password
    

    Now you can use that password input program.

    $ sudo -A command_to_run
    

    OR do it all in the one command (or shell alias)…

    # SUDO_ASKPASS=/usr/bin/systemd-ask-password sudo -A  command_to_run
    

    Instead of systemd-ask-password you can also DIY a program to do the same such as described here, and the final resulting shell script here.

    This script will fall back to using systemd-ask-password, if available while also fixing some annoyances with that command to do with TTY settings when interrupted.

    • Aaron Kili says:

      @anthony

      You will have to modify sudo configuration as shown, to the best of our knowledge. Once we find a way to “get sudo to display stars for password entry WITHOUT modifying the sudo configuration”, we will let you know. Thanks for the feedback.

      • Anthony Thyssen says:

        No configuration changes needed! The echo stars is handled by the external password reader, then passed to sudo.
        I use this technique all the time on Solaris as well as Redhat v5 thru v7.

  3. Stuart Smith says:

    Good job guys. Added this and “Insults” to sudo while I was at it. :)

    Also, Aaron’s comments regarding the potential security risk are spot on. Not everyone believes there’s a cache of password thieves lurking over their shoulders. Virtually every cell phone app and webpage has key-for-key asterisks as feedback when typing your password. This just adds uniformity to the shell. Besides. it’s Linux – you can configure your Linux any way you like,

  4. Caleb Cushing says:

    It might be a good idea for you to mention WHY sudo doesn’t do this. Showing asterisks is a security risk, it allows someone (over the shoulder, or screenshot, etc) to know the number of characters you entered, which allows you to reduce the number of brute force attempts.

    • Caleb Cushing says:

      oh, and more commonly sudo-ing in tmux/screen in a shared session.

    • Aaron Kili says:

      @Caleb

      I suppose you are sharing the same concern as @RTR, in case you are operating computers in security critical environments then you can leave this feature turned off, especially where there are strict security policies in place against such practices. But i believe it is useful on personal computers or home work stations.

    • Anthony Thyssen says:

      Yes there are reasons for not showing asterisks. And there are also ways to still get keypress feedback without showing how may characters you typed. It all depends on how you set up your “askpass” program.

      I listed some ideas for this in my study text file passwd_input.txt.

      And look for “WARNING about using echoed stars…

      Here are some ideas…

      * Output a random number of stars with each character input.
      But you may need to keep track of the number for ‘deletes‘.

      * Show a ascii-art animation (a random muber of steps) for each key…
      + Cycle a spinning line, \ | / - or pulsing star . + * + .
      + or a short bar with a star bounce back and forth
      This does not need to keep track for deletions as you just continue the
      animation when you get a delete or reset line signal.

      * Allow the use to turn on no-echo by pressing delete at the start
      systemd-ask-password” actually does this, printing “(no echo)”.

  5. RTR says:

    What for? To make sure that nobody is going to be able to look over your shoulder and lift your password? There are far simpler ways of thwarting this particular attack vector. This is an idea that looked virtuous originally, that was never that great, that probably creates more issues than it solves, and that should be ditched, once and for all.

    • Aaron Kili says:

      @RTR

      Good concern, but i believe as long as the password is not seen, there should really be some kind of visual feedback for a user to know the length of a password they have typed, particularly for long passwords.

      However, if you are working in security critical environments then you can disable this feature, especially where there are strict security policies in place against such practices.

  6. reza says:

    it works on my mac too. thanks

  7. Stuart Smith says:

    Use nano much? “Ctrl+x” and “Ctrl + y” does not save a file with nano. “Ctrl+x” then “y” followed by “ENTER” does.

Got something to say? Join the discussion.

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.