A snooper at the line level would be able to see that you were SSH'ing to a given system and the amount of data transferred, but nothing more.
SSH has had very few vulnerabilities and has been really put through the ringer crypto-wise for quite some time. The protocol itself is likely quite solid. Of its common crypto algorithms, the only one I'd avoid is arcfour/RC4. It's an algorithm that's known to be somewhat weaker than other common algos. Blowfish, AES, CAST, Salsa20, Twofish, etc. are not known to have any practical real-world-usable attacks against full-round versions.
Keep in mind that in the crypto world a "break" is anything that shortens the time to recover the key from that of a brute force search. So if I find a shortcut to crack a 2^128 key size symmetric cipher in "only" 2^112 iterations, that's a break. But it's not useful in the real world. To be useful in the real world, a break has to shorten things down to... well... depends on the adversary but probably <2^64.
Of course you cannot rule out the possibility that the NSA has unpublished attacks against any of these, but most cryptographers I've read consider it somewhat unlikely that they have an unpublished attack good enough to efficiently crack them and read traffic in a real world scenario.
A passive eavesdropper sees very precise timing of every keystroke, as well as the timing and size of the response.
This is enough to reconstruct text being typed with surprisingly good accuracy.
also, what cipher suite does ssh use. does it have forward secrecy?
[edit1: to answer that last question; yes it does.]
[edit2: paper on keystroke timing attack - http://users.ece.cmu.edu/~dawnsong/papers/ssh-timing.pdf - each keystroke is a packet; passwords have no echo. this is from 2001 - it has suggestions like sending packets when idle, but i don't think they've been implemented.]
Is there something better?
Some people would argue that a very simple daemon with fewer features might be more secure because it has less attack area. For example Colin Percival of Tarsnap created spiped which essentially replaces 'ssh -L'. It only supports shared key authentication and AES-256 and consists of only about 4000 lines. He connects to ssh through a spipe tunnel.
If it's true for something like a web server, it ought to be true for SSH. Thanks for the link to spiped.
