SSHv1

the session key is generated by the client

then sent it ciphered with the server's public key he just received
attacker just have to use any public / private key pair
and wait the client accept to use that public key.

password client authentication:
sent in "clear text" in the ciphered tunnel

RSA client authentication:
server sends to client a ciphered challenge with an authorized public key
client proves he knows the private key by unciphered the challenge

sshmitm imposes authentication by password in sshv1.