Brendan Gregg has a sample dtrace script to show how the dtrace can be used to steal ssh password or passphrase easily, so people should be careful if someone is running a dtrace script on your system. For same reason I want to know whether the systemtap would also allow malicious person to easily steal ssh password, if so, is there a sample SystemTap program which shows that capability? Just need that to confirm whether we should prohibit user to use the tool on production box under normal situation.

Normally, systemtap is an administrative tool that gives the sysadmin (root)
full power to observe and affect kernel / userspace behaviour, including
indeed spying on ttys (see the ttyspy.stp example). You would definitely
not want to hand such power to everyone, just as you wouldn't hand out root
passwords to everyone.

Systemtap also has lower-privilege modes ("stapusr"), which are carefully
limited to allow people to only observe and affect their own userspace processes.
These limitations exclude the ability to spy on other users or on the kernel.
It takes a little one-time setup work for the sysadmin to get this sort of
operation enabled (because it relies on network services & cryptography); see
the privilege-related sections in stap(1) and stap-server(8), and the
README.unprivileged file in the systemtap source/binary distributions.

2 members found this post helpful.

Furthermore ... you should never be using passwords with ssh anyway. You should always be using keys, and encrypting those keys.

Thanks

Those precautions don't do anything against an attacker who has control over the kernel. The moment the ssh client gets to decrypt those keys, a kernel-resident tool can grab them.