Subject: Re: sshd Change: PermitRootLogin = no
To: Bill Studenmund <wrstuden@netbsd.org>
From: Darren Reed <darrenr@reed.wattle.id.au>
List: tech-security
Date: 09/07/2001 09:01:54
In some email I received from Bill Studenmund, sie wrote:
> On Thu, 6 Sep 2001, Bill Studenmund wrote:
> 
> > On Thu, 6 Sep 2001, Jim Breton wrote:
> >
> > > On Thu, Sep 06, 2001 at 01:03:44PM -0700, Bill Studenmund wrote:
> > > > The point of the paper is that you can watch an ssh session and have a
> > > > good idea when someone is interactively typing a password.
> > >
> > > Doesn't OpenSSH mitigate this by sending bogus packets back to the client?
> 
> Just heard from one of the OpenSSH folks, the same one who pointed me to
> the paper. They don't have a solution at this time which is effective
> against this attack. So it's not just a matter of needing an upgrade. :-(

So it means you should be using OTPs for root access in situations where
ssh traffic crosses unfriendly networks.  For those already using OTPs,
this should come as no biggie.

Darren
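As an added example, not part of this thread: a small Python check that reports whether a given sshd_config still lets root log in by typing a reusable password over the tunnel, which is the case the timing attack is about. It assumes modern OpenSSH sshd_config semantics (keywords case-insensitive, the first value obtained for a keyword wins, current defaults) and is run against constructed weak and OTP-style hardened configs.

```python
"""Check whether an sshd_config still permits root login with a reusable
(typed) password. Assumptions (modern OpenSSH, not taken from the thread):
  * keywords are case-insensitive; "Key value" and "Key=value" both parse
  * for each keyword the FIRST value obtained wins (sshd_config(5))
  * defaults: PermitRootLogin prohibit-password, PasswordAuthentication yes,
    KbdInteractiveAuthentication yes
  * only the global section is evaluated; a Match line ends parsing here
"""
import re

DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
}
# older spelling of the same knob, still accepted by sshd as an alias
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}
_LINE = re.compile(r"^([A-Za-z]+)\s*(?:=|\s)\s*(.+?)$")

def parse_global(text):
    """Effective keyword -> value for the global section (first value wins)."""
    eff = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            continue
        key, val = m.group(1).lower(), m.group(2).strip().lower()
        key = ALIASES.get(key, key)
        if key == "match":
            break                       # conditional section: out of scope
        eff.setdefault(key, val)        # later duplicates are ignored by sshd
    return {**DEFAULTS, **eff}

def root_reusable_password(text):
    """True if root can authenticate by typing a reusable password.
    Keyboard-interactive is left out: it is the channel an OTP backend uses,
    and sshd_config alone cannot tell whether the backend issues one-time codes."""
    eff = parse_global(text)
    if eff["permitrootlogin"] in ("no", "prohibit-password",
                                  "without-password", "forced-commands-only"):
        return False
    return eff["passwordauthentication"] == "yes"

# constructed samples
WEAK = "PermitRootLogin yes\nPasswordAuthentication yes\n"
HARDENED = ("# reusable passwords off, OTP offered via keyboard-interactive\n"
            "PermitRootLogin no\nPasswordAuthentication no\n"
            "KbdInteractiveAuthentication yes\n")
FIRST_WINS = "PermitRootLogin yes\nPermitRootLogin no\nPasswordAuthentication=yes\n"
```

The FIRST_WINS sample is the trap worth knowing: appending `PermitRootLogin no` at the bottom of a file that already says `yes` changes nothing.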