I think that the vulnerability which you pointed out is: (1) Usually Client(Bob) can check whether he is really connected to the Server(Alice) by checking the Server's host key with the data which Bob has in the known_host directory. But in the very first connection to the Server, the host key is not installed yet. So in this occation Eve might BE ABLE to IMPERSONATE Alice by sending Eve's host key.
(2) If Eve pretends Alice Server, Bob would send his authentication information, which Eve receives and later she might use to login to Alice with Bob's account. Or Eve might forward the authentication information to Alice and send Eve's session key to both Bob and Alice. ==================== (1)'This MitM can be detected(avoided) in following ways: (a) System Administrator tells the fingerprint of Alice's host key to Bob (either offline or through another trusted channel) and asks him to check the fingerprint shown on the console together with the initial alert message. -It is virtually impossible to forge a public-private key pair with the SAME fingerprint as Alice's pubkey. (b) Bob's terminal be configured to reject all unknown hosts ("StricHostKeyChecking Yes"in the OpenSSH) and Alice's host key is supplied & installed offline. However, (b) is rather burdensome and there are always sufficient number of careless users, who overlook the fingerprint mismatch. Therefore there is a chance for Eve to succeed in this attack. (2)'If Eve succeeds in pretending Alice's node, Bob's account is stolen and the session is open to eavesdrop -as long as PASSWORD authentication is used in version 1. Therefore SSH(version 1) using password authentication is by NO MEANS secure shell. I have demonstrated this kind of MitM attack in a lecture. However, authentication using either RSA or DSA can avoid stealing the authentication information, because the authentication information(secret key) is not sent to the Server. It might be possible to just forward the authentication information to Alice and send Eve's session key to A & B, to make the session decryptable for EVE. But it is detected during the user authentication. Therefore there are still a number of obstacles to Eve's perfect crime, as long as RSA/DSA authentication is used. If password authentication is unavoidable, at least protocol 1 be disabled. It is because most (every?) MitM tools request protocol version 1 in establishing the session. I am not sure whether protocol 2 detects that the authentication process is eavesdropped. -- Masahito Gotaishi, Researcher R & D Initiative, Chuo University 1-13-27 Kasuga, Bunkyo, Japan, 112-8551 DDI:03-3817-1621, FAX:03-3817-1606