Claude Code and Cursor on Linux can't handle interactive terminal prompts. Ask it to run sudo apt install something and you get a sudo: Authentication failed, try again error. I want to be have the ability to review and permit sudo commands on a case-by-case basis, just like any other command.

Workarounds exist, each with downsides. Anthropic's official recommendation for sudo is to configure /etc/sudoers and .claude/settings.json to whitelist specific commands, but this doesn't meet my criteria of reviewing any arbitrary sudo command on a case-by-case approval. And passwordless sudo is way too permissive for comfort. Copy pasting commands myself manually and copy-pasting the outputs back is way too tedious.

I found a workaround on the Claude Code issue tracker to achieve exactly what I wanted.

The solution

Linux sudo has a built-in mechanism for non-interactive password entry via the SUDO_ASKPASS environment variable. Point it at a program that can provide your password, and sudo -A will use it instead of prompting the terminal.

GlassOnTin/secure-askpass implements this by:

• Encrypting your sudo password with your SSH private key
• Showing a GUI dialog for each sudo command
• Decrypting the password on-the-fly when approved

Some security considerations: I use this setup on my workstation, which has encrypted disks and password-protected SSH key. The password isn't stored in plaintext, which is nice (the sudo password has the same level of security as my SSH key's security). For my threat model, this is a reasonable trade-off, but I wouldn't recommend it on a prod server or shared system. This setup also wouldn't work over SSH, given the GUI dialog.

Setup

1. Enable traditional sudo

You need traditional sudo (not sudo-rs):

sudo --version
# Should show "Sudo version 1.x.x", not "sudo-rs"
readlink -f "$(command -v sudo)"

If you have sudo-rs selected, switch to traditional sudo:

sudo update-alternatives --config sudo
# Select /usr/bin/sudo.ws

2. Install dependencies

If you are using an ed25519 SSH keys, you need the age encryption tool:

sudo apt install age

3. Install secure-askpass

git clone https://github.com/GlassOnTin/secure-askpass.git ~/.local/share/secure-askpass
cd ~/.local/share/secure-askpass
chmod +x askpass askpass-manager

4. Store Your Password

This shows a GUI dialog to enter your sudo password:

~/.local/share/secure-askpass/askpass-manager set

Your password is encrypted to ~/.sudo_askpass.age (for ed25519 keys) or ~/.sudo_askpass.ssh (for RSA/ECDSA/DSA keys).

Quick checks:

~/.local/share/secure-askpass/askpass-manager get   # should say "Password found ..."
~/.local/share/secure-askpass/askpass-manager       # prints usage (it doesn't support --help)

5. Configure Your Shell

Add to ~/.zshrc or ~/.bashrc:

export SUDO_ASKPASS="$HOME/.local/share/secure-askpass/askpass"

Reload your shell or run source ~/.zshrc.

Usage

Claude Code / Cursor / you can now use sudo -A for any command :

Example:

sudo -A systemctl start tailscaled
sudo -A tailscale up --accept-routes

Important gotcha: sudo -n ... will never show a GUI prompt (it explicitly disallows prompting). Use sudo -A ... to force askpass.