Bug 95 - sudo leaves PAM password echo on for much too long
Status: RESOLVED FIXED
Product: Sudo
Classification: Unclassified
Component: Sudo
Version: 1.6.6
Hardware: All
OS: All
Importance: high security
Assigned To: Todd C. Miller
URL: http://people.FreeBSD.org/~roam/auth_...
Depends on:
Blocks:
Reported: 2002-12-13 08:23 MST by Peter Pentchev
Modified: 2002-12-13 13:34 MST (History)

Description Peter Pentchev 2002-12-13 08:23:46 MST
Some PAM modules allow authentication using passwords or passphrases that
are displayed as they are entered; prime examples are the S/Key and OPIE
authentication modules.  Sudo's PAM conversation function sets a global flag
for leaving echo on, and then never resets it, so after a PAM module requests
a password with echo on, and for some reason the authentication fails or is
insufficient, all subsequent passwords and passphrases will be echoed back,
which is undesirable in cases like pam_unix, pam_krb5, or actually almost all
other PAM modules.

This can be easily demonstrated using a PAM configuration similar to
the following:

[roam@straylight:p2 ~]$ fgrep sudo /etc/pam.conf
sudo    auth    sufficient      pam_opie.so                     no_fake_prompts
sudo    auth    sufficient      pam_krb5.so
sudo    auth    required        pam_unix.so                     try_first_pass
[roam@straylight:p2 ~]$

At a sudo attempt, the OPIE module will ask for a password.  Pressing Enter
at this point leads to a new OPIE password prompt with echo turned on.
Entering an invalid OPIE passphrase will fall through to the Kerberos and
possibly the Unix authentication, but echoing will still be on, so the Kerberos
and/or Unix passwords will be visible to any bystanders.

A trivial patch at http://people.FreeBSD.org/~roam/auth_pam.c.patch attempts
to address this problem in a somewhat simplistic way - turning off the global
flag after each prompt.  A "real" solution might require reworking the switch
statement a few lines above that.
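The pattern the report describes, as an added example that is not sudo's own auth_pam.c: a PAM conversation function that latches a global echo flag on the first PAM_PROMPT_ECHO_ON message and never clears it, beside a corrected version that decides echo per message from msg_style. The PAM structs and constants are minimal stand-ins (values match those in the real header) so the example builds without libpam, and fake_getpass, run_stack and the three scripted prompts are constructed for the demonstration; they only record whether echo was on, rather than reading a terminal.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-ins for <security/pam_appl.h> so this builds without
 * libpam. The constant values match the real header. */
#define PAM_PROMPT_ECHO_OFF 1
#define PAM_PROMPT_ECHO_ON  2
#define PAM_SUCCESS         0
#define PAM_CONV_ERR        19

struct pam_message  { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };

/* Trace of how each prompt was read: 1 = echo on, 0 = echo off. */
#define MAX_PROMPTS 8
static int echo_trace[MAX_PROMPTS];
static int trace_len;

/* Stand-in for a terminal password reader (e.g. sudo's tgetpass):
 * records the echo state it was asked to use and returns scripted input. */
static char *fake_getpass(const char *prompt, int echo_on)
{
    (void)prompt;
    if (trace_len < MAX_PROMPTS)
        echo_trace[trace_len++] = echo_on;
    return strdup("scripted-password");
}

/* Buggy pattern from the report: a global flag set on ECHO_ON and never
 * reset, so every later prompt inherits echo even if it asked for ECHO_OFF. */
static int global_echo_on = 0;

static int conv_buggy(int n, const struct pam_message **msg,
                      struct pam_response **resp, void *data)
{
    struct pam_response *r = calloc((size_t)n, sizeof(*r));
    (void)data;
    if (r == NULL)
        return PAM_CONV_ERR;
    for (int i = 0; i < n; i++) {
        switch (msg[i]->msg_style) {
        case PAM_PROMPT_ECHO_ON:
            global_echo_on = 1;            /* set here ...              */
            /* FALLTHROUGH */
        case PAM_PROMPT_ECHO_OFF:
            r[i].resp = fake_getpass(msg[i]->msg, global_echo_on);
            break;                         /* ... and never cleared     */
        default:
            break;
        }
    }
    *resp = r;
    return PAM_SUCCESS;
}

/* Corrected pattern: echo is a property of the individual message, so it
 * is derived from msg_style each time and no state survives the prompt. */
static int conv_fixed(int n, const struct pam_message **msg,
                      struct pam_response **resp, void *data)
{
    struct pam_response *r = calloc((size_t)n, sizeof(*r));
    (void)data;
    if (r == NULL)
        return PAM_CONV_ERR;
    for (int i = 0; i < n; i++) {
        if (msg[i]->msg_style == PAM_PROMPT_ECHO_ON ||
            msg[i]->msg_style == PAM_PROMPT_ECHO_OFF) {
            int echo = (msg[i]->msg_style == PAM_PROMPT_ECHO_ON);
            r[i].resp = fake_getpass(msg[i]->msg, echo);
        }
    }
    *resp = r;
    return PAM_SUCCESS;
}

typedef int (*conv_fn)(int, const struct pam_message **,
                       struct pam_response **, void *);

/* Drive a conversation function through the prompt sequence implied by the
 * report's pam.conf: an OPIE challenge (echo on), then Kerberos and Unix
 * password prompts (echo off), each module calling the conversation on its
 * own. Returns how many prompts were read with echo on. */
static int run_stack(conv_fn conv)
{
    struct pam_message opie   = { PAM_PROMPT_ECHO_ON,  "otp-md5 499 ke1234 ext\nResponse: " };
    struct pam_message krb    = { PAM_PROMPT_ECHO_OFF, "Kerberos password: " };
    struct pam_message unixpw = { PAM_PROMPT_ECHO_OFF, "Password: " };
    const struct pam_message *msgs[3] = { &opie, &krb, &unixpw };
    int echoed = 0;

    trace_len = 0;
    global_echo_on = 0;
    for (int i = 0; i < 3; i++) {
        struct pam_response *resp = NULL;
        if (conv(1, &msgs[i], &resp, NULL) != PAM_SUCCESS)
            return -1;
        free(resp[0].resp);
        free(resp);
    }
    for (int i = 0; i < trace_len; i++)
        echoed += echo_trace[i];
    return echoed;
}

int main(void)
{
    printf("buggy conv: %d of 3 prompts echoed\n", run_stack(conv_buggy));
    printf("fixed conv: %d of 3 prompts echoed\n", run_stack(conv_fixed));
    return 0;
}
```

With the buggy conversation all three prompts are echoed once the OPIE challenge has been shown, which is exactly the Kerberos and Unix password exposure the report describes; with the per-message version only the OPIE response is visible. Clearing the flag after each prompt, as the reporter's patch does, gives the same result; deriving the echo state from msg_style simply removes the global altogether.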
Comment 1 Todd C. Miller 2002-12-13 09:34:53 MST
Thanks, a similar fix will show up in sudo 1.6.7.