Intercept public key authentication and put client in fake environment #14

jtesta opened this Issue Mar 28, 2018 · 0 comments

jtesta commented Mar 28, 2018

Public key authentication doesn't divulge any useful information to an attacker, hence a true MITM can't be done. However, it is possible to intercept the connection and drop the victim into a fake environment hosted on the attacker's machine. This would be difficult to trick humans with (since they would expect the target server to be a certain way, and would quickly notice the glaring differences), but automated client processes could leak lots of sensitive information.

For example, an automated client process may ignore the mismatched host key, log in with key authentication (which drops them into a fake environment--no interaction with the real server ever occurs), then immediately issue a sudo or su command and supply the root password (which we can log!). Of course, after that, the client would try to run programs/read files that don't exist, which would result in failure. However, the attacker can potentially observe this process, update their fake environment iteratively, and eventually provide the structure that the automated client expects, yielding more sensitive data.

This would be rather sneaky!

@jtesta jtesta added the enhancement label Mar 28, 2018
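The scenario above depends on an automated client ignoring a mismatched host key. As an added, defender-side example (not code from this project or this issue), the following shows the strict check such a client should perform before sending any credentials: pin the server's host key against a known_hosts file, including OpenSSH's hashed `|1|salt|hmac` host entries, and refuse both unknown hosts and changed keys. The hostname, salt and key blobs are constructed placeholders, and wildcard patterns and `@cert-authority`/`@revoked` markers are not handled.

```python
import base64
import hashlib
import hmac

# Constructed sample data (not taken from the issue): a pinned "real" key and a
# different key that a fake environment on an interposed host would present.
HOST = "build-server.example"
REAL_KEY_B64 = base64.b64encode(b"constructed-real-host-key-blob").decode()
FAKE_KEY_B64 = base64.b64encode(b"constructed-attacker-host-key-blob").decode()

def hashed_host_entry(hostname, salt):
    """Build the |1|salt|hash host field OpenSSH writes when HashKnownHosts is on."""
    digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(digest).decode())

# Constructed known_hosts content: one unrelated plain entry, one hashed entry for HOST.
KNOWN_HOSTS = "\n".join([
    "other.example ssh-ed25519 " + base64.b64encode(b"unrelated-key").decode(),
    hashed_host_entry(HOST, b"0123456789abcdef0123") + " ssh-ed25519 " + REAL_KEY_B64,
])

def host_matches(pattern, hostname):
    """Match a known_hosts host field: plain name, comma-separated list, or hashed form."""
    if pattern.startswith("|1|"):
        _, _, salt_b64, digest_b64 = pattern.split("|")
        expect = hmac.new(base64.b64decode(salt_b64), hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(expect, base64.b64decode(digest_b64))
    return hostname in pattern.split(",")

def pinned_keys(known_hosts_text, hostname):
    """Return the set of (keytype, base64 blob) pairs pinned for hostname."""
    keys = set()
    for line in known_hosts_text.splitlines():
        fields = line.split()
        if line.startswith("#") or len(fields) < 3:
            continue  # comment or malformed line
        if host_matches(fields[0], hostname):
            keys.add((fields[1], fields[2]))
    return keys

def fingerprint(key_b64):
    """OpenSSH-style SHA256 fingerprint of a base64 host key blob (padding stripped)."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def verify_host_key(known_hosts_text, hostname, keytype, presented_b64):
    """Strict policy: proceed only if the presented key is pinned. Returns (ok, reason).
    An unknown host or a changed key is refused rather than auto-accepted."""
    pinned = pinned_keys(known_hosts_text, hostname)
    if not pinned:
        return False, "no pinned key for %s; refusing trust-on-first-use" % hostname
    if (keytype, presented_b64) in pinned:
        return True, "host key %s matches pin" % fingerprint(presented_b64)
    return False, "HOST KEY MISMATCH for %s: got %s" % (hostname, fingerprint(presented_b64))
```

An automated job should abort on a `False` result before running anything that prompts for a password, since every byte typed after that point goes to whoever answered the connection.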
