Decrypting SSH traffic



In order to set up a honeypot system, it would be quite useful to
decrypt all the SSH traffic to and from the machine. The best way to do
this IMHO would be to deploy a monitoring machine attached to the same
hub (not switch) as the honeypot using a one-way ethernet cable.

One should be able to decrypt SSH sessions from the captured traffic
using the host's private key of the honeypot, because AFAIK that key is
used to encrypt the symmetric random session key (blowfish). Thus far
I've not found any applications that can do this. NetIntercept can
decrypt SSH traffic, but requires patching of the OpenSSH server, which
could be detected by an attacker.

Before I start coding myself, does anyone know if my theory is correct?
And is there really no existing application to do this or did I just not
look hard enough.

Steven
.