I guess you're saying that a challenge is tightly packed with a server ID and processed by the webauthn client lib, so a middleman cannot separate and forward the same challenge from its own server. I don't know the exact details of the ssh protocol, but I see no reason why ssh can't do the same.

If we are simply talking about ssh users ignoring fingerprint warnings then I don't see how this is an ssh weakness. A fingerprint change warning is basically saying "you're connecting to a phishing site" as I see it.

> If we are simply talking about ssh users ignoring fingerprint warnings then I don't see how this is an ssh weakness.

I didn't say it was an SSH weakness. I said that it was not a "solved" problem in that most users I have seen completely ignore those warnings from SSH. So the problem persists even though SSH does it right.

With WebAuthn, the problem disappears. So that's an improvement for the users.

Don't get me wrong: I love SSH. I just think it's wrong to say that WebAuthn doesn't bring any kind of security to users.
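The binding discussed in this thread, sketched as an added example that is not part of any participant's post: the browser writes the page's origin into `clientDataJSON` and the authenticator puts the SHA-256 of the RP ID at the start of `authenticatorData`, so the server rejects a relayed challenge without relying on the user. The names `example.com` and `phish.example`, the helper names and the sample data are constructed; verification of the signature over `authenticatorData || SHA-256(clientDataJSON)` is assumed to happen separately and is what stops either value from being edited in transit.

```python
import base64
import hashlib
import hmac
import json

RP_ID = "example.com"                    # constructed relying-party ID
EXPECTED_ORIGIN = "https://example.com"  # origin the real site is served from


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_client_response(origin: str, rp_id: str, challenge: bytes):
    """Simulate what browser + authenticator emit for a page loaded from `origin`."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin}
    ).encode()
    # authenticatorData layout: SHA-256(rpId) | flags (1 byte) | signCount (4 bytes)
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (0).to_bytes(4, "big")
    return client_data, auth_data


def check_binding(client_data_json: bytes, auth_data: bytes, issued_challenge: bytes):
    """Server-side checks; returns the names of failed checks (empty list = pass)."""
    failed = []
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        failed.append("type")
    if not hmac.compare_digest(str(cd.get("challenge", "")), b64url(issued_challenge)):
        failed.append("challenge")
    if cd.get("origin") != EXPECTED_ORIGIN:
        failed.append("origin")
    expected_hash = hashlib.sha256(RP_ID.encode()).digest()
    if not hmac.compare_digest(auth_data[:32], expected_hash):
        failed.append("rpIdHash")
    return failed


def demo():
    challenge = bytes(range(32))  # constructed; a real server uses random bytes
    direct = make_client_response(EXPECTED_ORIGIN, RP_ID, challenge)
    # Same challenge forwarded through a look-alike page: the browser records
    # that page's origin and only allows an RP ID within that page's own domain.
    relayed = make_client_response("https://phish.example", "phish.example", challenge)
    return check_binding(*direct, challenge), check_binding(*relayed, challenge)


if __name__ == "__main__":
    print(demo())
```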