On Thu May 22 2008, Toshio Kuratomi wrote:
> It seems like this would be open to attack in the special case where
> the user has never logged into 1) The server they think they're connecting
> to 2) The machine the malicious server is actually trying to
> authenticate them against. In this scenario the client doesn't have
> host keys for either of the remote machines so it's unable to verify
> that the malicious server is lying to it.
This is also not possible with public key authentication, because the server
needs to create a signature with the host key when the session encryption key
is generated. In case the attacker forwards the network traffic in this phase
to the other server, he will not be able to decrypt the authentication phase.
If he uses his own host key, then the signature used for authentication will
not be accepted by the other server.
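The binding the reply relies on can be shown in code. The following is an added, runnable sketch written for this page; it is not code from the thread or from OpenSSH. It models RFC 4253 key exchange and RFC 4252 public-key userauth with stand-ins: toy Lamport one-time signatures (stdlib only, fresh keys per scenario) in place of ssh-ed25519/RSA, a toy Diffie-Hellman group over 2^127-1 in place of the real groups, and an exchange hash that omits the version and KEXINIT strings. The `Server` and `Client` classes and the scenario functions are assumptions of this example. What it demonstrates is the mechanism stated above: the session identifier is the exchange hash, which covers the server's host key K_S and the shared secret K, and the client's userauth signature is computed over that session identifier. A relay that presents its own host key therefore produces a different session identifier on each leg, and the forwarded signature fails at the real server even though the client, with no known_hosts entry, accepted the attacker's host key.

```python
import hashlib
import os

# --- Toy Lamport one-time signatures (stdlib only; stand-in for ssh-ed25519/rsa keys) ---
def keygen():
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    pk = [(hashlib.sha256(a).digest(), hashlib.sha256(b).digest()) for a, b in sk]
    return sk, pk

def sign(sk, msg):
    h = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return [sk[i][(h >> i) & 1] for i in range(256)]

def verify(pk, msg, sig):
    h = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return len(sig) == 256 and all(
        hashlib.sha256(sig[i]).digest() == pk[i][(h >> i) & 1] for i in range(256))

def encode_pk(pk):
    return b"".join(a + b for a, b in pk)

# --- Toy Diffie-Hellman over 2^127-1 (real SSH uses 2048-bit+ groups or ECDH; illustration only) ---
P = (1 << 127) - 1
G = 3

def dh_keypair():
    x = int.from_bytes(os.urandom(16), "big") % (P - 2) + 2
    return x, pow(G, x, P)

def exchange_hash(host_pk, e, f, k):
    # RFC 4253 s.8: H = HASH(V_C || V_S || I_C || I_S || K_S || e || f || K); the version and
    # KEXINIT strings are omitted in this model. The host key K_S is part of the input.
    return hashlib.sha256(encode_pk(host_pk)
                          + b"".join(n.to_bytes(16, "big") for n in (e, f, k))).digest()

def auth_blob(session_id, user, user_pk):
    # RFC 4252 s.7: client signs session_id || 50 || user || service || "publickey" || TRUE || alg || key
    return (session_id + b"\x32" + user + b"ssh-connection" + b"publickey" + b"\x01"
            + b"toy-lamport" + encode_pk(user_pk))

class Server:
    def __init__(self):
        self.host_sk, self.host_pk = keygen()
        self.authorized = set()      # encoded user public keys (authorized_keys)
        self.session_id = None

    def kex(self, e):
        y, f = dh_keypair()
        k = pow(e, y, P)
        h = exchange_hash(self.host_pk, e, f, k)
        self.session_id = h          # the first exchange hash becomes the session identifier
        return self.host_pk, f, sign(self.host_sk, h)

    def userauth(self, user, user_pk, sig):
        return (encode_pk(user_pk) in self.authorized
                and verify(user_pk, auth_blob(self.session_id, user, user_pk), sig))

class Client:
    def __init__(self, user, known_host_pk=None):
        self.user = user
        self.sk, self.pk = keygen()
        self.known_host_pk = known_host_pk   # None models "never logged into this host before"
        self.session_id = None

    def kex(self, server_kex):
        x, e = dh_keypair()
        host_pk, f, host_sig = server_kex(e)
        k = pow(f, x, P)
        h = exchange_hash(host_pk, e, f, k)
        if not verify(host_pk, h, host_sig):
            raise ValueError("host key signature invalid")
        if self.known_host_pk and encode_pk(host_pk) != encode_pk(self.known_host_pk):
            raise ValueError("host key mismatch")   # the known_hosts check that is absent on first use
        self.session_id = h

    def userauth_request(self):
        return self.user, self.pk, sign(self.sk, auth_blob(self.session_id, self.user, self.pk))

def honest_session():
    real, client = Server(), Client(b"alice")
    real.authorized.add(encode_pk(client.pk))
    client.kex(real.kex)
    return real.userauth(*client.userauth_request())

def mitm_with_own_host_key():
    """Attacker terminates the client's session with its own host key, opens a
    second session to the real server, and relays the client's userauth request."""
    real, mitm, client = Server(), Server(), Client(b"alice")
    real.authorized.add(encode_pk(client.pk))
    client.kex(mitm.kex)              # accepted: no known_hosts entry, and mitm's signature is valid
    Client(b"alice").kex(real.kex)    # the attacker's own key exchange with the real server
    user, pk, sig = client.userauth_request()   # signed over the client's session_id
    relayed_ok = real.userauth(user, pk, sig)   # verified over the real server's session_id
    return relayed_ok, client.session_id == real.session_id

def known_hosts_blocks_mitm():
    real, mitm = Server(), Server()
    try:
        Client(b"alice", known_host_pk=real.host_pk).kex(mitm.kex)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    print("honest session authenticates:", honest_session())
    print("relay with attacker host key (auth ok, same session id):", mitm_with_own_host_key())
    print("known_hosts entry rejects attacker:", known_hosts_blocks_mitm())
```

The other case in the reply, where the attacker relays the key exchange verbatim, is the honest session with a passive wire in between: the attacker sees only e, f, the host key and its signature, never K, so the encrypted userauth exchange is opaque to it. The `known_hosts_blocks_mitm` scenario shows the check that makes the attack fail even before userauth once the client has a record of the real host key.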