Security Issue - Electerm does not verify the server fingerprint which makes it vulnerable to mitm attacks
Electerm Version and download file extension
electerm-1.22.30-linux-x64.tar.gz
Platform detail
Ubuntu 22.04
What steps will reproduce the bug?
In this example SSH-MITM will be used as the man-in-the-middle server.
- configure a new ssh connection
  - host: localhost
  - port: 10022
- connect to the ssh server
- you can see in SSH-MITM that the connection is established
- you are prompted to enter the password
What should have happened?
When connecting to a ssh server, the server fingerprint should be verified.
If the client connects for the first time, the user must be prompted to verify the fingerprint.
If there is already a known fingerprint, but the known fingerprint does not match the server's fingerprint, a warning should be presented and the connection must be aborted.
Would this happen in other terminal app
When using other clients like OpenSSH, PuTTY, WinSCP, ... the user is prompted to verify the server fingerprint.
Additional information
You can read more about the fingerprint in SSH-MITM's documentation: https://docs.ssh-mitm.at/user_guide/fingerprint.html
There are other fingerprint related attacks which can lead to an information leak. A server can determine if a client already knows a fingerprint or not. This attack is not relevant for electerm, because electerm always uses the same server-host-key-algorithm order.
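
The expected behaviour listed under "What should have happened?" can be sketched as a trust-on-first-use check. This is an added example, not electerm's code or a patch from the project. The function names, the `Map`-based store and the sample key blobs are assumptions made for illustration.

```javascript
const crypto = require('crypto');

// OpenSSH-style fingerprint: "SHA256:" + unpadded base64 of the SHA-256
// digest of the raw public host key blob sent during key exchange.
function fingerprint(hostKeyBlob) {
  const b64 = crypto.createHash('sha256').update(hostKeyBlob).digest('base64');
  return 'SHA256:' + b64.replace(/=+$/, '');
}

// Decide what to do with the key a server presented.
// knownHosts (hypothetical store): Map of "[host]:port" -> pinned fingerprint.
function checkHostKey(knownHosts, host, port, hostKeyBlob) {
  const id = `[${host}]:${port}`;
  const presented = fingerprint(hostKeyBlob);
  const known = knownHosts.get(id);
  if (known === undefined) {
    // First contact: nothing to compare against, the user must confirm.
    return { action: 'prompt', id, presented };
  }
  if (known === presented) {
    return { action: 'accept', id, presented };
  }
  // Pinned key differs: warn and abort before any password is requested.
  return { action: 'abort', id, presented, known };
}

// Pin a key only after an explicit user confirmation of a 'prompt' decision.
function trustHostKey(knownHosts, decision, userConfirmed) {
  if (decision.action !== 'prompt' || !userConfirmed) return false;
  knownHosts.set(decision.id, decision.presented);
  return true;
}

// Constructed sample data: stand-ins for real host key blobs.
const genuineKey = Buffer.from('constructed-genuine-host-key');
const interceptKey = Buffer.from('constructed-intercepting-proxy-key');

function demo() {
  const knownHosts = new Map();
  const first = checkHostKey(knownHosts, 'localhost', 10022, genuineKey);
  trustHostKey(knownHosts, first, true);
  const second = checkHostKey(knownHosts, 'localhost', 10022, genuineKey);
  const third = checkHostKey(knownHosts, 'localhost', 10022, interceptKey);
  return [first.action, second.action, third.action];
}

console.log(demo());
```

In a real client the decision has to be made inside the SSH library's host key verification hook, so that an `abort` result ends the handshake before the password prompt described in the reproduction steps is reached.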