It is. Only the default changed. Also you can press tab if someone happens to be looking over your shoulder (and your password is so obvious they can guess it from the length).
You make it sound like there was a discussion where they looked at these two alternatives and chose improving sudo over using run0. Actually I just submitted a patch for this and they accepted it. I don't work for Ubuntu and I didn't even know run0 existed until now (it does sound good though; I hope they switch to that).
Yeah I would like to fix those too but sudo is the one I encounter most. Also the existence of sudo-rs meant there was less push-back. I seriously doubt the maintainers of openssh or passwd would accept this change.
I didn't actually know that Mint had enabled this by default. That would have been a useful counterpoint to the naysayers.
If you want the original behaviour you don't actually need to change the configuration - they added a patch afterwards so you can press tab and it will hide the password just for that time.
> The catalyst for Ubuntu’s change is sudo-rs
Actually it was me getting sufficiently pissed off at the 2 second delay for invalid passwords in sudo (actually PAM's fault). There's no reason for it (if you think there is look up unix_chkpwd). I tried to fix it but the PAM people have this strange idea that people like the delay. So I gave up on that and thought I may as well try fixing this other UX facepalm too. I doubt it would have happened with the original sudo (and they said as much) so it did require sudo-rs to exist.
I think this is one of the benefits of rewriting coreutils and so on in Rust - people are way more open to fixing long-standing issues. You don't get the whole "why are you overturning 46 years of tradition??" nonsense.
If you do, offer support for writing modules in a scripting language like Lua or Python. PAM could make it a lot easier to just add OAuth with your company IdP, for example…
> You don't get the whole "why are you overturning 46 years of tradition??" nonsense
Respectfully, we are the opposing sides of the barricades here. I was removing sudo-rs, uutils and some of the systemd-* packages from fresh Ubuntu installations until the amount of virtue signaling got really tiresome.
Currently almost no Ubuntu left in my production. Hopefully Debian will not package those.
The code you linked to isn't the code for a wrong password. It's a check to make sure you're using a TTY. That code isn't to prevent brute force. The delay there is 10 seconds.
It's really really not. By default PAM has a difficult-to-disable 2ish second minimum delay for all authentication methods. However this is completely pointless for local password authentication because PAM checks password using unix_chkpwd, which has no delay. The comment I linked to is explaining that unix_chkpwd has a silly security theatre delay if you try to run it in a tty, but that's trivial to avoid.
If you want to brute force local password authentication you can just run unix_chkpwd as fast as you like. You don't need to involve PAM at all, so its 2 seconds delay achieves nothing.
It maybe does more for remote connections but I'm not sure about that either - if you want to check 10k ssh passwords per second what stops you making 10k separate connections every second? I don't think the 2 second delay helps there at all.
> Change both the config files and you can remove the delay if you want.
This is extremely complicated. See the comments in the issue for details.
No, I'm right. You can't run unix_chkpwd against a local account without root because you won't be able to access /etc/shadow to get the hash. If you think you can, explain how. Otherwise you have to use the setuid version which won't let you run it directly.
And I just removed the delay using my method. Perhaps try checking something yourself?
> i.e. this doesn't require age verification at all, just a user profile age property
This is usually how they do it though. First make a dumb law with poor enforcement. People don't push back about it because it obviously won't be enforced. Wait a bit, then say "people are flagrantly violating this law, we need better enforcement". At that point it's a lot harder to say "it shouldn't be a law at all!" because nobody complained when it was brought into law.
Isn’t it more of a reflection of the current law? Age gates have long been self service (e.g., “enter your birthday”), and we have laws on the books for quite some time barring minors.
There is certainly a risk of what you’re describing with KYC tech that coming online, but I don’t know if that means it will happen.
To play devils advocate; It’s a reasonable demand from parents to control what their children are exposed to. This seems to support that.
Uh, your slippery slope argument ignores the part where websites, discord, british things, etc are literally already trying to require facial pictures, license scans, even videos of your body.
lol what? They've caught and successfully reflown the super heavy booster, and they've mostly successfully done a soft landing of Starship in the sea. How is that remotely "just talk"?
I'm being hyperbolic about the paper airplanes, but I stand by my original point.
It is simultaneously true that Starship's capabilities are on track, and are at this moment just talk. I would bet that Starship will deliver within 10% of claimed specs, before 2030. But none of those have currently been proven.
Even the style of writing screams "I'm doing something weird and I'm not going to explain it to you unless you are already a mega-fan". Reminds me of Wolfram's writing a bit. He's created a world that only he is in and then writes about it in detail as if everyone else is there too.
reply