encrypt authentication credentials with payload in the clear?

[Loomis, Rip]

> I can't help but feel like if you want to watch the traffic 
> of people's ssh session then you are already hacked.

In some realms, particularly financial institutions, there's
a requirement that all network traffic in/out of corporate
"desktop type" networks must be collected -- so that the
institution can prove what it knew when. Think "insider trading"
as well as proprietary data.

However, most of those organizations don't use SSH in or outbound.
In my experience the folks with those sorts of requirements who
outsource some of their server/network operations or monitoring
provide a separate dedicated network connection for the
outsourcing folks, or use a "basin" as Ben already mentioned
(although I've heard it called other things).

If SSH did support a mode where authentication information was
encrypted but terminal sessions were not, it would satisfy a
real world requirement IMHO.  What's not clear, though, is whether
that requirement is worth satisfying in the "stock" portable
OpenSSH.

> I feel like sending traffic cleartext is just a bad idea accross the 
> board. What if someone su's or logs into other systems or exposes 
> database account credentials to something containing personal info 
> and/or credit card numbers from those cleartext ssh sessions?!?

That's a valid concern--as I said, though, the places that want
this sort of functionality generally have a good reason (either
legal, or based on a full-up risk and threat assessment) why they
want to collect it.  It might seem strange, but it does happen.

--
Rip Loomis
Senior Systems Security Engineer, SAIC Enterprise Security Solutions
Brainbench MVP for Internet Security   |   http://www.brainbench.com