The following is a demonstration of sshkeysnoop.d. When run on a server, it is able to capture the keystrokes read by an ssh client command - similar to a key logger. In one window, the following ssh session was executed: ssh -l fred mars fred@mars's password: Last login: Thu Jan 13 22:57:36 2005 from jupiter Sun Microsystems Inc. SunOS 5.9 Generic May 2002 fred@mars:> ls local.cshrc local.login local.profile fred@mars:> uname -a SunOS mars 5.9 Generic_112233-11 sun4u sparc SUNW,Ultra-5_10 fred@mars:> uptime 10:58pm up 282 day(s), 9:01, 4 users, load average: 0.05, 0.03, 0.02 fred@mars:> passwd passwd: Changing password for fred Enter existing login password: New Password: Re-enter new Password: passwd: password successfully changed for fred fred@mars:> exit Connection to mars closed. In another window, sshkeysnoop.d captured all the keystrokes: # ./sshkeysnoop.d UID PID PPID TYPE TEXT 100 9651 8600 cmd ssh -l fred mars 100 9651 8600 key f 100 9651 8600 key r 100 9651 8600 key e 100 9651 8600 key d 100 9651 8600 key 1 100 9651 8600 key 2 100 9651 8600 key 3 100 9651 8600 key 100 9651 8600 key l 100 9651 8600 key s 100 9651 8600 key 100 9651 8600 key u 100 9651 8600 key n 100 9651 8600 key a 100 9651 8600 key m 100 9651 8600 key e 100 9651 8600 key 100 9651 8600 key - 100 9651 8600 key a 100 9651 8600 key 100 9651 8600 key u 100 9651 8600 key p 100 9651 8600 key t 100 9651 8600 key i 100 9651 8600 key m 100 9651 8600 key e 100 9651 8600 key 100 9651 8600 key p 100 9651 8600 key a 100 9651 8600 key s 100 9651 8600 key s 100 9651 8600 key w 100 9651 8600 key d 100 9651 8600 key 100 9651 8600 key f 100 9651 8600 key r 100 9651 8600 key e 100 9651 8600 key d 100 9651 8600 key 1 100 9651 8600 key 2 100 9651 8600 key 3 100 9651 8600 key 100 9651 8600 key f 100 9651 8600 key r 100 9651 8600 key e 100 9651 8600 key d 100 9651 8600 key 4 100 9651 8600 key 5 100 9651 8600 key 6 100 9651 8600 key 100 9651 8600 key f 100 9651 8600 key r 100 9651 8600 key e 100 9651 8600 key d 100 9651 8600 key 4 100 9651 8600 key 5 100 9651 8600 key 6 100 9651 8600 key 100 9651 8600 key e 100 9651 8600 key x 100 9651 8600 key i 100 9651 8600 key t 100 9651 8600 key In the above we can see all keystrokes entered, including those that were not echo'd back to the screen (the passwd command. It's the same with "su").