tech 9 May 2026

Securing the First SSH Connection: Stopping MITM Attacks on Any VPS or Cloud Provider

Learn how to secure your first SSH connection by preventing Man-in-the-Middle (MITM) attacks on any VPS or cloud provider. Use cloud-init to inject temporary SSH keys and ensure a secure connection.

Article inspired by the original source
Stop MITM on the first SSH connection, on any VPS or cloud provider ↗ www.joachimschipper.nl

Introduction

When deploying a new Virtual Private Server (VPS) or cloud instance, the first SSH connection is critical. One major risk is the Man-in-the-Middle (MITM) attack, where an attacker can intercept and modify communication between you and your server. In this article, we'll explore an effective method to secure this initial SSH connection using a simple script based on cloud-init.

Understanding MITM Attacks

MITM attacks occur when an attacker inserts themselves between two communicating parties, intercepting and potentially modifying exchanged messages. In the context of an SSH connection, this means the attacker can impersonate your server, capture sensitive information, or inject malicious commands.

The Traditional Method and Its Limitations

Traditionally, on the first SSH connection, you are asked to trust the server by adding its key to your known_hosts file. This relies on the Trust On First Use (TOFU) principle. However, it leaves a window of vulnerability: during that first connection you have nothing to check the key against, so an attacker can present a fake key.

The Cloud-init Solution

The proposed solution uses cloud-init, a tool widely supported by cloud providers like AWS, Google Cloud, and Hetzner. The idea is to temporarily inject a private SSH key via cloud-init, which is then used to authenticate the first SSH connection.

Implementation Steps

  1. Temporary Key Injection: Using cloud-init, you inject a temporary SSH key directly into the instance upon creation.
  2. Key Validation: Use this temporary key to establish a secure SSH connection and retrieve the server's real and permanent SSH key.
  3. Updating known_hosts: Add the permanent key to your known_hosts file for future connections.
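
The three steps above as POSIX shell functions (an added example, not code from this article or from the source it cites). It assumes the temporary key is an ed25519 host key installed through cloud-init's ssh_keys setting, a systemd image, and root login with your own user key already authorized; render_userdata, pin_line and fetch_permanent_key are hypothetical helper names.

```shell
#!/bin/sh
# Added example, not the original author's script. Assumes ed25519 host keys,
# a systemd image, and root login with your own user key already authorized.

# Step 1: cloud-config that installs the temporary host key pair.
# $1 = temporary private key file, $2 = matching public key file.
render_userdata() {
    printf '#cloud-config\nssh_keys:\n  ed25519_private: |\n'
    sed 's/^/    /' "$1"
    printf '  ed25519_public: %s\n' "$(cut -d' ' -f1,2 "$2")"
}

# Build a known_hosts entry for host $1 from public key line $2.
# Rejects anything that is not an ed25519 public key.
pin_line() {
    case "$2" in
        "ssh-ed25519 "*)
            printf '%s %s\n' "$1" "$(printf '%s\n' "$2" | cut -d' ' -f1,2)" ;;
        *)
            echo "unexpected key material for $1" >&2; return 1 ;;
    esac
}

# Steps 2-3: connect with only the temporary key trusted, replace it on the
# server with a freshly generated key, and print the permanent pin.
# $1 = server address, $2 = temporary public key file.
fetch_permanent_key() {
    tmp_kh=$(mktemp) || return 1
    pin_line "$1" "$(cat "$2")" > "$tmp_kh" || { rm -f "$tmp_kh"; return 1; }
    # StrictHostKeyChecking=yes aborts unless the server proves the temp key.
    pub=$(ssh -o UserKnownHostsFile="$tmp_kh" -o StrictHostKeyChecking=yes \
        "root@$1" '
        rm -f /etc/ssh/ssh_host_*_key /etc/ssh/ssh_host_*_key.pub &&
        ssh-keygen -q -t ed25519 -N "" -f /etc/ssh/ssh_host_ed25519_key &&
        cat /etc/ssh/ssh_host_ed25519_key.pub &&
        { systemctl restart ssh || systemctl restart sshd; } >/dev/null 2>&1')
    rc=$?
    rm -f "$tmp_kh"
    [ "$rc" -eq 0 ] && pin_line "$1" "$pub"
}

# Typical run (203.0.113.7 is a documentation address):
#   ssh-keygen -q -t ed25519 -N '' -f ./tmp_host_key
#   render_userdata ./tmp_host_key ./tmp_host_key.pub > user-data
#   ... create the instance with user-data, then:
#   fetch_permanent_key 203.0.113.7 ./tmp_host_key.pub >> ~/.ssh/known_hosts
#   rm -f ./tmp_host_key ./tmp_host_key.pub user-data
```

The first connection uses a scratch known_hosts file, so the temporary key never lands in your real one, and the server discards it before the permanent key is pinned.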

Benefits of This Approach

  • Increased Security: The first SSH connection is secured, eliminating the risk of interception by a MITM attacker.
  • Provider Independence: Works with any cloud provider supporting cloud-init.
  • Protection of Sensitive Data: Avoids leaving long-lived private keys in cloud-init userdata, since only the temporary key passes through it, reducing the risk of leaks.

Limitations and Considerations

While this method is robust, it requires initial configuration via cloud-init, which may be a hurdle for some users. Additionally, managing and securing the temporary keys properly is essential to prevent any risk of compromise.

Conclusion

Securing the first SSH connection is essential to protect your cloud infrastructure against MITM attacks. By using the method described, you can ensure that your initial connection is as secure as possible.
