A public key is useless without the private key. Which the attacker in this unlikely scenario doesn't have.
So you log in the first time and they either match, or they don't. If they don't, you start over. The end.
Ignore the fact that most people will probably use the box to host a poorly coded vulnerable service anyway.
If you’re being MITM’d, they’ll also match, because you’ll end up connected to an environment of the attacker’s choosing.