I was not speaking about the network transfer between client and server. I thought this was obvious. I was speaking about the possibility to locally, on the SSHD system itself, to sniff password entries when running "su".
Ok, I'll go ahead and risk embarrassment in the name of enlightenment and ask: If the traffic between client and server is encrypted, even with access to the sshd system, how does one "sniff" traffic sent between two local processes (sshd and su) without a keylogger, which wouldn't apply since the keyboard in question is on the client-side?
Is there some technique for eavesdropping on inter-process communications that I don't know about, then, or did I just misunderstand you?
--Brad