You could use SSH v2 with TCPWrappers set up you're host.allow file and write a script that writes the history file to a log and tail -f the log in another terminal for real time monitoring. SSH does not send plain text passwords. Therefore they will need to hook up first, enter their password which will be logged in the history file and then get bounced. Leaving a nice trail. OR, you didnt specify which login they are using. Simply deny shell access for that login and the above should work with SSH v1 without wrappers. Some SSH expert correct me if I'm wrong. Just offering ideas so be gentle.