sudo: 3 incorrect password attempts - can root see the password in clear text?
No, passwords are not logged by default. This would be a security problem, as logs may be read by other administrators, allowing impersonation of the user in case of a slightly mistyped password.
Login attempts successful and unsuccessful are logged in
/var/log/auth.log
Example of a successful attempt:
Oct 23 21:24:01 schijfwereld sudo: rinzwind : TTY=pts/0 ; PWD=/home/rinzwind ; USER=root ; COMMAND=/bin/bash
Oct 23 21:24:01 schijfwereld sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
And unsuccessful:
Oct 23 21:25:33 schijfwereld sudo: pam_unix(sudo:auth): authentication failure; logname= uid=1000 euid=0 tty=/dev/pts/1 ruser=rinzwind rhost= user=rinzwind
Oct 23 21:26:02 schijfwereld sudo: rinzwind : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/rinzwind ; USER=root ; COMMAND=/bin/bash
It logs the failed attempt and logs also the total of 3 wrongly typed passwords.
Passwords for sudo
attempts are never shown or stored.
The usual practice is to not log passwords used in login attempts, even if the password in question was invalid. This is simply because the password might be valid for another user on the same system (e.g. the user mistyped their username, not the password), or might be a trivial alternation of the actual password (the user missed a letter or so).
Either of those cases would leave a plaintext password laying on the system, vulnerable to some information leak. (The password might also be a valid password for some other system than the one it was entered on, but that's really more of a problem for "them", not "us".)
Somewhat related to this is the cases where a user writes their password in place of their username (e.g. they usually use a system that enters the username automatically, but now didn't, but still typed the password as the first thing). In that case, you would have a plaintext password in the logs. This is not optimal, but seeing the usernames for the usual failed login attempts is useful, and there's no simple solution for storing them but not passwords entered as usernames.
That said, there's nothing to stop the administrator of the system from having the system log the passwords, too. Adding the logging could probably be done by adding one call to syslog()
and recompiling the PAM module. (PAM being what Ubuntu and sudo
use, but of course the same applies for web apps and everything else, too.)
So, no, usually an administrator can't see the passwords entered on the system, but if you enter your password on a system you don't trust, you should, strictly speaking, consider it lost and change it.