According to http://en.wikipedia.org/wiki/Secure_Shell#Key_management, ssh is vulnerable to “man-in-the-middle” attack when establishing the first connection with server.
SSH also supports password-based authentication that is encrypted by automatically generated keys. In this case the attacker could imitate the legitimate side, ask for the password and obtain it (man-in-the-middle attack). However this is only possible if the two sides have never authenticated before, as SSH remembers the key that the remote side once used.
Does VPN suffer from the same “weakness”?
If VPN server is authenticated using the key which is known to the client, then there’s no problem – the key is already known (and supposedly trusted) and the client can be sure that it has connected to the legitimate server.
The same applies to SSH. Wording in wikipedia is not exactly correct – for the first connection to be reliable the client should know the valid server key. It’s not important if “they have authenticated before”. It’s important that the client trusts the key.
How can the key be trusted on the client? When X.509 certificate is used in SSL/TLS, it’s validated according to sophisticated rules and the certificate chain is built up to the trusted root certificate. If the chain can’t be built, then the end-entity certificate is not trusted. In SSH there are no certificate chains and the only way the client can trust the server is when the client has server’s key transferred using some other mechanism (voice call or paper or USB stick or separate SSL/TLS connection, whatever).