(no title)

First, if you use an SSH CA, you don't necessarily have the first-use problem at all; that's part of the point of SSH CAs. You've resolved that problem the same way TLS does.

Second, an attacker targeting your keypair-backed SSH session on an insecure first-use gets your session; against a password, they get your password, which is strictly worse.

It's not my claim that keypairs neatly solve the first-use problem with SSH (though: that problem can be solved, with more keypairs). It's that keys are categorically better than passwords. Which, of course, they are.

The alarming thing about this thread is that there's a couple people here that clearly seem to believe logging in with a password to a "new" SSH server is safe. It's literally the basis for the "Wall of Sheep" at hacker conferences; they were doing it at Usenix when I was there in 1998.

> If you engage in a proof of private key ownership for your login, a man in the middle can use that exchange to log into another server that has the same public key.

No, this is not true. The proof of private key ownership is bound to that specific SSH session (identified by some shared secret established via DH). This means the attackers options are: MITM the DH: Then your authentication won't work against any server. Don't MITM the DH but forward your authentication to the wrong server: Then you're on the wrong server (you might not notice), but the attacker cannot look into your session or modify anything.

He can do it once, maybe, if you don't authenticate the server. With a password, he can do it any number of time, to any number of targets, and there's no way to catch it.

Yes, it is still not perfect, but here's the advantage.