Seeking Feedback: SSH-based sudo Password Helper for Claude Code

Resolved 💬 5 comments Opened May 17, 2025 by GlassOnTin Closed Jan 5, 2026

Seeking Feedback: SSH-based sudo Password Helper for Claude Code

Context

While using Claude Code, I needed a way to handle sudo passwords without storing them in plain text. I developed (with Claude Code's help) an askpass helper that uses SSH key encryption. I'm sharing this for discussion and feedback from the community.

The Problem

When automating tasks with Claude Code that require sudo:

  • Plain text passwords are obviously insecure
  • Environment variables are visible to other processes
  • Manual entry defeats automation

My Approach: secure-askpass

Repository: https://github.com/GlassOnTin/secure-askpass

I created a solution that:

  • Encrypts sudo passwords using SSH private keys
  • Shows GUI dialogs for command confirmation
  • Implements basic access controls (process/path whitelisting)
  • Logs access attempts via syslog

Usage

export SUDO_ASKPASS=/path/to/askpass
sudo -A command  # Shows dialog, then executes

Known Limitations & Security Considerations

  • Relies on SSH key security (if key is compromised, so is the password)
  • GUI dialogs could potentially be spoofed
  • Process verification only checks immediate parent
  • Uses predictable temp file location in one code path
  • Limited to environments with SSH keys

Questions for Discussion

  1. What are the main security weaknesses in this approach?
  2. Are there better patterns for handling sudo in automation tools?
  3. Would this be worth mentioning in docs as one possible approach (with appropriate caveats)?
  4. What additional security measures would make this more robust?

Why Share This?

This project showcases Claude Code's ability to help develop practical tools, even if they're not perfect. I'm interested in community feedback to understand:

  • Whether this approach has merit
  • What security improvements would be essential
  • If there's interest in this type of solution

Looking forward to constructive criticism and suggestions for improvement!

View original on GitHub ↗

This issue has 5 comments on GitHub. Read the full discussion on GitHub ↗