Sorry I missed your previous email. I think you misunderstood.

> Why can't sudo be used as a channel for password guessing?

It absolutely can. The point is the delay is security theatre. It's
entirely optional - anyone that wants to use sudo as a password guessing
channel can easily opt out of the delay.

> finding a solution to fix this while allowing
> sudo to use common-auth is more trouble than it is worth.

I agree, the configuration is awkward. I opened a patch on PAM to just
change the default delay to 0.5s which is faaar less annoying and also
doesn't affect brute forcing by any serious degree.

They are ignoring it though. Can you reopen this bug and change the default
delay in Debian?
