I was not speaking about the network transfer between client and server. I thought this was obvious. I was speaking about the possibility to locally, on the SSHD system itself, sniff password entries when running "su".

Alexander

Then that wouldn't be 'sniffing' would it?
Sniffing pertains to the network.. a 'su' doesn't use any network sockets.
You are talking about tracing their processes.. and a normal user can't do that to another user.
An already logged in user ALSO can't do it, because you can't trace SUID binaries..
Try it: 'strace su'.
You could trojan the su, by putting a 'su' in the path before the system su, and taking their password, recording it, and then passing it to the system 'su'.. but you'd still need to be that user (or root of course, but if you're root.. why would you care?)
Lastly, you might be able to record it via injected modules using LD_PRELOAD.. But I've never researched this method in depth.. You can easily use LD_PRELOAD though to bypass restricted shells. (Nothing to do with this).
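
The PATH-shadowing scenario from the reply above, seen from the defender's side, as an added example that is not part of the original thread: it walks a PATH string in lookup order and reports anything that would be found before the trusted `su`. The function names, the finding labels and the temporary directory layout are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example (not from the thread). For every PATH entry searched before
# the trusted binary, prints one line per finding:
#   SHADOW <file>    an executable of the same name that would win the lookup
#   WRITABLE <dir>   a directory the current user can write to (could host one)
#   MISSING ...      the trusted binary is not reachable through this PATH
# Usage: audit_path_shadow NAME TRUSTED_BINARY [PATH_STRING]
audit_path_shadow() (
    name=$1 trusted=$2 path_string=${3-$PATH}
    set -f                          # do not glob-expand PATH entries
    IFS=:
    for dir in $path_string; do
        [ -n "$dir" ] || dir=.      # an empty entry means the current directory
        candidate=$dir/$name
        # Entries after the trusted binary never win the lookup: stop here.
        if [ -e "$candidate" ] && [ "$candidate" -ef "$trusted" ]; then
            exit 0
        fi
        if [ -f "$candidate" ] && [ -x "$candidate" ]; then
            echo "SHADOW $candidate"
        fi
        if [ -d "$dir" ] && [ -w "$dir" ]; then
            echo "WRITABLE $dir"
        fi
    done
    echo "MISSING $trusted not reachable through this PATH"
)

# Constructed sample: a user-owned bin directory listed ahead of the system one.
demo_constructed() (
    root=$(mktemp -d) || exit 1
    mkdir -p "$root/home/bin" "$root/usr/bin"
    printf '#!/bin/sh\n' > "$root/home/bin/su"
    printf '#!/bin/sh\n' > "$root/usr/bin/su"
    chmod +x "$root/home/bin/su" "$root/usr/bin/su"
    # Strip the temporary prefix so the report is stable between runs.
    audit_path_shadow su "$root/usr/bin/su" "$root/home/bin:$root/usr/bin" |
        sed "s|$root||"
    rm -rf "$root"
)
demo_constructed
```

On a real host, pass the path of the system `su` as the second argument and leave the third out to audit the current `PATH`.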