Instead of patching HAM to call another program, or replacing sudo, I think it's better if we just install a more proper sudo that has askpass support, then have something in the desktop initialization set the SUDO_ASKPASS environment variable. Admittedly, I think the invokers may need to invoke sudo with the '-A' flag: I'm not sure if sudo has pty detection built-in to know when to assume it needs to run an askpass program, which would allow it to do so without being called with the -A flag. But if the '-A' flag is required, then patching of HAM, etc, would be required too.

Incidentally, the latest GCC 4.6 and dependencies in the maemo repos + CSSU-Testing (which recently updated libc6 a little) lets us build a perfectly working sudo from the latest stable branch with askpass support, and we have at least one working askpass implementation ssh-askpass in the repos (though a properly hildon-ized askpass UI would be much nicer). (I also have a shell-script based askpass that pops open a terminal to get the password, but that one uses a named pipe to move the password between the launching script and the one running in the launched terminal, and I'm not confident it's secure enough (or ever could be, given the limitations of that approach).)