>How to force user to user encrypted session only (never allow plain mode)? >forcing means on the server side, not client side. The ssf ACL directive amd maybe the "disallow bind_simple"