am I NOT hacked?

[Joe Parsons]

Sorry, one paragraph of my last reply appears to be screwed up on the web archive.   You can ignore that reply and just read the following.  I'm sorry for the confusion.   
 
 
Ok, thanks a lot for all your kind help.  I learned the pwd_mkdb manpage and the databases as you suggested.
 
To clarify, I understand 9.1 kernel contains the non-vulnerable version of openssl library, hence mere apache/https is not vulnerable.  However the vulnerable openssl port is installed for the mail software to provide imaps/pops/smtps services, so they are vulnerable.
 
The following reply is what I'm confused:
 
> In any case, heartbleed does *not* facilitate remote code execution or
> code injection, only information retrieval, so unless your passwords
> were stored in cleartext (or a weakly hashed form) in the memory of an
> Internet-facing SSL-enabled service (such as https, smtp with STARTTLS
> or imaps, but not ssh), you cannot have been "hacked" as a consequence
> of heartbleed.
 
I ssh into the system, and I /usr/bin/su to become root.  Do my shell passwords show up in in clear text in the memory briefly, so the attacker could happen to harvest them?  In another word, on a system with the vulnerable openssl port, do we need to change the shell password for root and other users, if these passwords are ONLY used in ssh and /usr/bin/su ?
 
I googled and found few result, almost all are focused on changing user mail passwords and server certificates.  Only found this page said they changed server root password:
 
http://digitalopera.com/geek-rants/what-were-doing-to-combat-heartbleed/
 
Thanks, Joe