Give special meaning to TAB in password prompt

[squell]

Describe the feature you'd like see implemented in sudo-rs
This sounds like a reasonably easily implementable suggestion by @coderonline: #1300 (comment)

There are two things that systemd-ask-password does:

• If the first press is a backspace, don't show the feedback.
• If the user presses tab at any time, stop the feedback (and clear any that was already there)

(It also stops showing feedback (but not remove existing feedback) if an invalid UTF8 sequence is entered, but I would consider that a bug in systemd-ask-password)

This issue proposed to add the backspace behaviour.

What problem can be solved with this feature?
Users can turn off pwfeedback on a case-by-case basis; i.e. a user might normally want the feedback but not in certain circumstances.

Describe alternatives you've considered
Users can also use SUDO_ASKPASS=/usr/bin/systemd-ask-password in combination with sudo -A.

Of course, on a more global basis, users can also use Defaults !pwfeedback; and if they do that out of security concern rather than personal preference, they should actually be considering moving to pam_pkcs11 or pam_fprint to get two-factor or biometric authentication.

Additional context
Of course, implementing the functionality feels like it's not too hard, but then it would be a "hidden feature"; I would say that printing a text documenting this feature (and what that text should be) is something TBD later. Note that the "initial backspace" feature is also not clearly documented in systemd-ask-password.

Also, only adding "initial backspace" is slightly safer since, who knows who might have an actual TAB character in their password? ;)

[squell]

One question here: if a user started typing a password, and starts backspacing beyond the beginning, should that also enable the 'no echo'? With systemd-ask-password it doesn't.

But maybe it should.

E.g. user starts typing, sees asterisks, doesn't want them, they can still backspace to disable the echo.

This could be confusing for users that would like to totally clear their password by holding down backspace. But honestly:

• the asterisks can show you how many times to hit backspace
• there's always line kill (^U) (although I realise knowledge about this might be spread thin)

edit Just giving a thumbs up or thumbs down on this particular comment doesn't really provide much clarity. :-)

[Timmmm]

One question here: if a user started typing a password, and starts backspacing beyond the beginning, should that also enable the 'no echo'?

Definitely not because it's quite common to realise you screwed up before finishing typing your password, and then hold down backspace to clear the input. It would be very surprising if that made typing appear not to work.

By the way, why even bother with the backspace thing if you always have tab as an option? I'd just do that.

Also I would make sure this feature prints a message when you activate it so it isn't surprising when you do it accidentally (unlikely, but there's a reason password fields tell you if caps lock is on). Something like:

Password echo disabled. Press TAB to enable.

[squell]

I'm coming around to the view that maybe a dedicated, explicit toggle rather than "initial backspace" would be better. Of course we could pick anything here (I find "tab" to be not necessarily the most obvious).

A little experimentation:

• Escape seems a possible choice (but like Tab can be part of password and might have other connotations; and it can easily be accidentally entered as part of escape sequences)
• Ctrl+V doesn't seem to conflict with anything (I can't enter it in passwords with passwd) and also has a Visibility mnemonic going on (downside: "Paste")
• Ctrl-X is maybe the most neutral choice?

[squell]

I've consulted with a security expert for a few design choices and only supporting TAB (without advertising it in the way systemd-ask-password does) was deemed a preferential option that strikes a balance between not sowing confusion and giving experts an escape hatch in case they want to hide the fact that their password is hunter2 😏 , so I've opened a PR for that.