Running sudo commands in Claude Code and Cursor

Claude Code and Cursor on Linux can't handle interactive terminal prompts. Ask either one to run sudo apt install something and you get a "sudo: Authentication failed, try again" error. I want to have the ability to review and permit sudo commands on a case-by-case basis, just like any other command.

Workarounds exist, each with downsides. Anthropic's official recommendation for sudo is to configure /etc/sudoers and .claude/settings.json to whitelist specific commands, but this doesn't meet my criterion of approving any arbitrary sudo command on a case-by-case basis. And passwordless sudo is way too permissive for comfort. Copy-pasting commands manually and copy-pasting the outputs back is way too tedious.

I found a workaround on the Claude Code issue tracker to achieve exactly what I wanted.

The solution

Linux sudo has a built-in mechanism for non-interactive password entry via the SUDO_ASKPASS environment variable. Point it at a program that can provide your password, and sudo -A will use it instead of prompting the terminal.

crypdick/secure-askpass (my fork of GlassOnTin/secure-askpass with bug fixes) implements this by encrypting your sudo password with your SSH key and showing a GUI confirmation dialog for each sudo command. Use my fork -- the upstream has bugs that cause silent failures.

I use this on my workstation with encrypted disks and a password-protected SSH key. The sudo password has the same security as my SSH key. Reasonable trade-off for a personal machine, but not for prod servers or shared systems. Won't work over SSH (requires GUI).

Setup

1. Enable traditional sudo

You need traditional sudo (not sudo-rs):

sudo --version
# Should show "Sudo version 1.x.x", not "sudo-rs"

If you have sudo-rs, switch: sudo update-alternatives --config sudo and select /usr/bin/sudo.ws.

2. Install dependencies

For ed25519 SSH keys, install age:

sudo apt install age

3. Install secure-askpass

git clone https://github.com/crypdick/secure-askpass.git ~/.local/share/secure-askpass
cd ~/.local/share/secure-askpass
chmod +x askpass askpass-manager

4. Store your password

~/.local/share/secure-askpass/askpass-manager set

5. Configure your shell

Add to ~/.zshrc or ~/.bashrc:

export SUDO_ASKPASS="$HOME/.local/share/secure-askpass/askpass"

Then source ~/.zshrc.

Usage

Use sudo -A instead of sudo:

sudo -A systemctl start tailscaled
sudo -A tailscale up --accept-routes

Don't use sudo -n -- it disables all prompting, including the GUI dialog. Always use sudo -A.
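A preflight for the setup and usage rules above, as an added example that is not code from secure-askpass or from the original post. The function names are hypothetical, GNU stat is assumed, and the permission check on the helper is a hardening assumption added here.

```shell
#!/usr/bin/env bash
# Added example: preflight checks for a sudo -A setup. Function names are hypothetical.

# 0 if the first line of `sudo --version` ($1) is traditional sudo; 1 for sudo-rs or other.
is_traditional_sudo() {
    case "$1" in
        *sudo-rs*) return 1 ;;
        *"Sudo version 1."*) return 0 ;;
        *) return 1 ;;
    esac
}

# 0 if the askpass helper ($1) is an executable regular file that group/other cannot
# write to. Assumption added here: a helper that others can rewrite is treated as unsafe.
check_askpass_helper() {
    local mode
    [ -n "$1" ] || { echo "SUDO_ASKPASS is not set"; return 1; }
    [ -f "$1" ] && [ -x "$1" ] || { echo "not an executable file: $1"; return 1; }
    mode=$(stat -c '%a' "$1") || return 1            # GNU stat, prints e.g. 755
    [ $(( 0$mode & 022 )) -eq 0 ] || { echo "group/other-writable ($mode): $1"; return 1; }
}

# Print how a sudo command line ($1) would ask for the password: "askpass" (-A),
# "blocked" (-n, no prompting at all, GUI dialog included) or "terminal" (neither).
# Simplification: only flags before the first non-option word are inspected.
sudo_prompt_mode() {
    local result=terminal word
    set -f; set -- $1; set +f                        # word-split without globbing
    [ "${1:-}" = sudo ] || { echo "not-sudo"; return 1; }
    shift
    for word in "$@"; do
        case "$word" in
            --|[!-]*) break ;;                       # end of sudo's own options
            --non-interactive) result=blocked; break ;;
            --askpass) result=askpass ;;
            --*) ;;                                  # other long options
            -*n*) result=blocked; break ;;
            -*A*) result=askpass ;;
        esac
    done
    echo "$result"
}

preflight() {
    is_traditional_sudo "$(sudo --version 2>&1 | head -n 1)" || echo "WARN: sudo-rs or unknown sudo"
    check_askpass_helper "${SUDO_ASKPASS:-}" || echo "WARN: fix the askpass helper"
    [ -n "${DISPLAY:-}${WAYLAND_DISPLAY:-}" ] || echo "WARN: no GUI session for the dialog"
}
```

Source the file and call preflight after step 5; sudo_prompt_mode can be run over a proposed command before approving it.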

Copyright Ricardo Decal. ricardodecal.com