Is it possible to get someone’s password in plaintext over ssh? Yes! Surely, this makes no sense when the purpose of ssh is to prevent such a thing. Well, I’m speaking of monitoring the session directly from the server the user is connecting to and not across the network.
Although traffic across the network is encrypted, on the server side sshd forks off a child process in which the password is readable once it has been decrypted. This is known behavior of sshd and can be viewed by running strace against the process.
First, let us find the exact sshd pid. You may try to get the oldest pid by using “pgrep -o sshd” but I have seen instances of a maintained older sub-process being reported after an sshd restart. So, instead we go with,
Read more: https://networklogician.com/2021/04/17/sniffing-ssh-passwords/
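From the defender's side, a tracer attached to sshd as described above is visible in /proc for as long as it is attached. The script below is an added example, not code from the original post: it lists sshd processes that currently have a tracer and reports the Yama ptrace_scope setting. The function names, the optional proc-root argument and the RUN_CHECK variable are hypothetical.

```shell
#!/bin/sh
# Added defensive example (not from the original post).
# Finds sshd processes that are being traced (strace, gdb, ...) by reading
# the TracerPid field of /proc/<pid>/status.

# Print "<sshd_pid> <tracer_pid>" for every traced sshd process.
# $1: proc root (hypothetical parameter, defaults to /proc) so the check
#     can also be run against a constructed test tree.
traced_sshd() {
    proc_root="${1:-/proc}"
    for status in "$proc_root"/[0-9]*/status; do
        [ -r "$status" ] || continue          # process exited or glob unmatched
        pid=$(basename "$(dirname "$status")")
        # Names starting with "sshd" also cover the split session binaries
        # of newer OpenSSH releases (e.g. sshd-session).
        awk -v pid="$pid" '
            $1 == "Name:"      { name = $2 }
            $1 == "TracerPid:" { tracer = $2 }
            END { if (name ~ /^sshd/ && tracer + 0 != 0) print pid, tracer }
        ' "$status"
    done
}

# Print the Yama ptrace_scope value, or "absent" if Yama is not available.
# 0 = classic ptrace, 1 = restricted, 2 = admin-only, 3 = no attach at all.
# Values 1 and 2 do not stop a root user with CAP_SYS_PTRACE; only 3 does.
ptrace_scope() {
    f="${1:-/proc}/sys/kernel/yama/ptrace_scope"
    if [ -r "$f" ]; then cat "$f"; else echo absent; fi
}

# Set RUN_CHECK=1 (hypothetical switch) to run the check on the live system.
if [ "${RUN_CHECK:-0}" = 1 ]; then
    echo "ptrace_scope: $(ptrace_scope)"
    traced_sshd | while read -r spid tpid; do
        echo "sshd pid $spid is traced by pid $tpid"
    done
fi
```

Run it as root so every process's status file is readable; a hit only shows tracers attached at the moment of the check, so continuous coverage needs audit logging of ptrace calls.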