Authentication dialogs use plain text spoken password with screen-reader

Bug #672285 reported by Charlie Kravetz
Affects                     Status      Importance  Assigned to  Milestone
policykit-gnome (Ubuntu)    Triaged     Medium      Unassigned
  Natty                     Won't Fix   Medium      Unassigned

Bug Description

Binary package hint: gnome-system-tools

Maverick 10.10 final version, upgraded from Ubuntu 10.04 on 2010-11-07. If I select System -> Administration -> Users and Groups from the menu, click on Add, a screen is presented to authenticate to modify the system configuration. When the password is entered, it is spoken by Orca screen-reader as plain text letters and characters for anyone present to hear. The password should be echoed as "asterisk" for each number and letter, as it is for the GDM login.

This issue is present in both Ubuntu 10.04 and 10.10.

ProblemType: Bug
DistroRelease: Ubuntu 10.10
Package: gnome-system-tools 2.32.0-0ubuntu1
ProcVersionSignature: Ubuntu 2.6.35-22.35-generic 2.6.35.4
Uname: Linux 2.6.35-22-generic i686
NonfreeKernelModules: nvidia
Architecture: i386
Date: Sun Nov 7 13:52:25 2010
InstallationMedia: Ubuntu 10.04 LTS "Lucid Lynx" - Release i386 (20100429)
ProcEnviron:
 LANG=en_US.utf8
 SHELL=/bin/bash
SourcePackage: gnome-system-tools

Marc Deslauriers (mdeslaur) wrote :

Thanks for reporting this issue. Do any other policykit dialogs echo your password?

visibility: private → public
Revision history for this message
Milan Bouchet-Valat (nalimilan) wrote :

users-admin knows nothing about this authentication dialog, it's run by PolicyKit-gnome. So the bug must affect all dialogs.

You should report this to upstream if you really want it to be fixed.

affects: gnome-system-tools (Ubuntu) → policykit-gnome (Ubuntu)
Changed in policykit-gnome (Ubuntu):
importance: Undecided → Medium
status: New → Triaged
summary: - Users and Groups/Add uses plain text spoken password with screen-reader
+ Authentication dialogs use plain text spoken password with screen-reader
Revision history for this message
Charlie Kravetz (cjkgeek) wrote :

The above is incorrect. If I use gksu nautilus, the password is spoken as asterisks, if I use sudo in a terminal, the password is asterisks, if I login, the password is asterisks. If I run update-manager, the password is asterisks. The only instance I have found that echoes the password in clear language is the Users and Groups.

Revision history for this message
Milan Bouchet-Valat (nalimilan) wrote :

None of the examples you cite are using PolicyKit actually. Try setting a system connection using NetworkManager config tool for example, or installing packages using updates-manager.

Revision history for this message
Charlie Kravetz (cjkgeek) wrote :

If I run update-manager, the password is asterisks. That is, updating using update-manager.

Revision history for this message
Milan Bouchet-Valat (nalimilan) wrote :

Weird. Both use PolicyKit. What if you run
export PID=`pidof gnome-settings-daemon`
pkcheck --action-id org.debian.apt.upgrade-packages --allow-user-interaction --process $PID
pkcheck --action-id org.freedesktop.systemtoolsbackends.set --allow-user-interaction --process $PID

Is there a difference between the two dialogs?

Revision history for this message
Charlie Kravetz (cjkgeek) wrote :

The password echoed as asterisk, the responses are the same except the last character:

pkcheck --action-id org.debian.apt.upgrade-packages --allow-user-interaction --process $PID

response:
polkit/56temporary_authorization_id=tmpauthz0

pkcheck --action-id org.freedesktop.systemtoolsbackends.set --allow-user-interaction --process $PID

response:
polkit/56temporary_authorization_id=tmpauthz1

Both require authentication, both echo the password as asterisk.

Revision history for this message
Milan Bouchet-Valat (nalimilan) wrote :

And you can swear to me the dialog from users-admin is not behaving the same as others?! The only thing users-admin does is to ask the backends (so it doesn't even do it by itself) to ask PolicyKit1 to authenticate by whatever means are adequate. So this amounts to "pkcheck --action-id org.freedesktop.systemtoolsbackends.set".

Could you run 'xprop' for each authentication dialog and check that WM_CLASS and _NET_WM_PID are the same for all of them?

Revision history for this message
Charlie Kravetz (cjkgeek) wrote :

You have to explain how to do this now. I can tell you the people in the room repeated my password back to me when authenticating Users and Groups. The rest of the passwords were "asterisk asterisk asterisk" and that got repeated too.

Revision history for this message
Milan Bouchet-Valat (nalimilan) wrote :

Explain what exactly? xprop is easy, just run 'xprop' and click on the offending dialog to get the results on the console.

Revision history for this message
Charlie Kravetz (cjkgeek) wrote :

I do not see any difference between the two dialogs. I ran both Users and Groups authentication and Update-manager authentication. Results of xprop for both windows are:

WM_CLASS(STRING) = "polkit-gnome-authentication-agent-1", "Polkit-gnome-authentication-agent-1"

_NET_WM_PID(CARDINAL) = 1289

I am attaching both results as separate files.

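As an added example (not part of the bug thread or of any of the projects involved), a small POSIX shell function that automates the comparison Milan asked for: given the xprop output of two authentication dialogs, it extracts WM_CLASS and _NET_WM_PID and reports whether both dialogs are drawn by the same window class and the same process. The two xprop dumps below are constructed to mirror the values reported in this thread and are not real captures; on a live system each would come from running `xprop` and clicking the dialog in question. The function and variable names are the example's own.

```shell
#!/bin/sh
# Added example: decide whether two authentication dialogs come from the
# same agent process by comparing their xprop dumps.

# Print the value of one property from an xprop dump read on stdin, e.g.
#   WM_CLASS(STRING) = "a", "b"   ->  "a", "b"
#   _NET_WM_PID(CARDINAL) = 1289  ->  1289
# $1 is the property name (WM_CLASS, _NET_WM_PID, ...).
xprop_value() {
    grep "^$1(" | sed 's/^[^=]*= *//'
}

# Return 0 if both dumps share WM_CLASS and _NET_WM_PID, 1 if they differ,
# 2 if the first dump lacks one of the properties.
# $1 and $2 are the two xprop dumps passed as strings.
same_agent() {
    class_a=$(printf '%s\n' "$1" | xprop_value WM_CLASS)
    class_b=$(printf '%s\n' "$2" | xprop_value WM_CLASS)
    pid_a=$(printf '%s\n' "$1" | xprop_value _NET_WM_PID)
    pid_b=$(printf '%s\n' "$2" | xprop_value _NET_WM_PID)
    [ -n "$class_a" ] && [ -n "$pid_a" ] || return 2
    [ "$class_a" = "$class_b" ] && [ "$pid_a" = "$pid_b" ]
}

# Constructed sample dumps (values mirror the report; not real captures).
USERS_ADMIN_DIALOG='_NET_WM_PID(CARDINAL) = 1289
WM_CLASS(STRING) = "polkit-gnome-authentication-agent-1", "Polkit-gnome-authentication-agent-1"
WM_NAME(STRING) = "Authenticate"'

UPDATE_MANAGER_DIALOG='_NET_WM_PID(CARDINAL) = 1289
WM_CLASS(STRING) = "polkit-gnome-authentication-agent-1", "Polkit-gnome-authentication-agent-1"
WM_NAME(STRING) = "Authenticate"'

# A constructed dump from a different program and process, for the negative case.
OTHER_DIALOG='_NET_WM_PID(CARDINAL) = 2048
WM_CLASS(STRING) = "gksu", "Gksu"'

if same_agent "$USERS_ADMIN_DIALOG" "$UPDATE_MANAGER_DIALOG"; then
    echo "users-admin and update-manager dialogs: same agent process"
else
    echo "users-admin and update-manager dialogs: different class or process"
fi
```

On a live desktop the same function is fed real dumps with `same_agent "$(xprop)" "$(xprop)"`, clicking one dialog for each `xprop` run. A match, as in the thread, rules out the dialog process as the variable and points the investigation at how the screen reader classifies the entry widget instead.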
Milan Bouchet-Valat (nalimilan) wrote :

So these dialogs are indeed the same, from the same process, which is what I expected. I really can't tell why Orca would treat them differently... One would need to know how this works, and what may happen in polkit-gnome-authentication-agent-1 that would change Orca's behavior. But I can't help in that regard! I think you should find an a11y developer on IRC and ask him.

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Thank you for reporting this bug to Ubuntu. natty has reached EOL (End of Life) and is no longer supported. As a result, this bug against natty is being marked "Won't Fix". Please see https://wiki.ubuntu.com/Releases for currently supported Ubuntu releases.

Please feel free to report any other bugs you may find.

Changed in policykit-gnome (Ubuntu Natty):
status: Triaged → Won't Fix
This report contains Public Security information  
Everyone can see this security related information.
