I'm sitting with a dilemma in trusting a server's Host Key fingerprint before password exchange.
Support Text: "To prevent this attack, each server has a unique identifying code, called a host key. These keys are created in a way that prevents one server from forging another server's key. So if you connect to a server and it sends you a different host key from the one you were expecting, PuTTY can warn you that the server may have been switched and that a spoofing attack might be in progress."
My question(s) is/are: in what way are the keys created so that one server is prevented from forging another server's host key?
If I have another server's host key I can spoof being that server if I can intercept clients logging into that server, correct?
What mechanism can actually prevent this and how would the client actually still authenticate a server before logging on to it?
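Added example (not part of the question or of PuTTY's code) showing the two checks a client performs: the presented host key must match the remembered fingerprint, and the server must sign key-exchange data with the matching private key. It assumes Ed25519 host keys and uses a constructed byte string in place of the real SSH exchange hash.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"fmt"
)

// sshWireBlob encodes an Ed25519 public key in OpenSSH wire form:
// length-prefixed "ssh-ed25519" followed by the length-prefixed raw key.
func sshWireBlob(pub ed25519.PublicKey) []byte {
	var out []byte
	for _, field := range [][]byte{[]byte("ssh-ed25519"), pub} {
		var n [4]byte
		binary.BigEndian.PutUint32(n[:], uint32(len(field)))
		out = append(append(out, n[:]...), field...)
	}
	return out
}

// Fingerprint is the "SHA256:..." form PuTTY/OpenSSH show the user.
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(sshWireBlob(pub))
	return "SHA256:" + base64.RawStdEncoding.EncodeToString(sum[:])
}

// ClientAccepts: the presented key must match the cached fingerprint, and the
// signature over the exchange transcript must verify under that key. Knowing the
// public key alone cannot produce the signature; only the private key can.
func ClientAccepts(known string, presented ed25519.PublicKey, transcript, sig []byte) bool {
	if Fingerprint(presented) != known {
		return false // the "host key does not match" warning case
	}
	return ed25519.Verify(presented, transcript, sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	known := Fingerprint(pub)                       // cached at first connection
	transcript := []byte("constructed exchange hash") // stand-in for the real H
	fmt.Println("genuine:", ClientAccepts(known, pub, transcript, ed25519.Sign(priv, transcript)))
	// An impostor that copied the public key has no private key, so any
	// signature it produces comes from a different key and fails to verify.
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println("impostor:", ClientAccepts(known, pub, transcript, ed25519.Sign(otherPriv, transcript)))
}
```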