by pbhjpbhj 1177 days ago
The fingerprint is a hash of the key, so in theory -- say with a quantum computer -- I could create a key that's different and provides a hash-collision. Is that right?

It would just take many ages of the universe, at present, to calculate a collision, right?

1 comment

There's a narrow window for that attack. The fingerprint is only used on the first connection, for manual verification. Any later connections would check the ~/.ssh/known_hosts which has the full public key.

If you somehow can MITM an SSH connection on the first connection, you can probably use any key. Most people don't check the fingerprint.

But you are correct, computing an SSH key with a collision is expected to take an infeasible amount of time/energy with current understanding of crypto and available computers.
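The two checks the reply contrasts, as an added example (not code from the thread): the first-connection fingerprint is a SHA256 hash of the public-key blob, while a later connection matches the full key stored in known_hosts. It assumes plain, unhashed known_hosts lines and an ed25519 key; the key bytes and host names are constructed test data.

```python
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 length prefix)."""
    return struct.pack(">I", len(data)) + data


def build_ed25519_pubkey_line(raw32: bytes, comment: str = "example") -> str:
    """Build an 'ssh-ed25519 <base64> comment' line from 32 raw key bytes.
    The bytes are constructed test data, not a real key."""
    blob = ssh_string(b"ssh-ed25519") + ssh_string(raw32)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


def fingerprint(pubkey_line: str) -> str:
    """OpenSSH-style SHA256 fingerprint, as printed by `ssh-keygen -lf`:
    SHA256 of the decoded key blob, base64 without '=' padding."""
    blob = base64.b64decode(pubkey_line.split()[1])
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def known_hosts_match(known_hosts: str, host: str, pubkey_line: str) -> bool:
    """Check plain (unhashed) known_hosts text the way a later connection does:
    the full key blob must match byte-for-byte, not merely its fingerprint.
    Hashed '|1|' entries and '@' markers are not handled here (assumption)."""
    keytype, blob_b64 = pubkey_line.split()[:2]
    for line in known_hosts.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith("#"):
            continue
        hosts, line_type, line_blob = fields[0].split(","), fields[1], fields[2]
        if host in hosts and line_type == keytype and line_blob == blob_b64:
            return True
    return False


# Constructed sample data: a deterministic fake 32-byte ed25519 public key
# and a one-line known_hosts file that pins it for a documentation host.
SAMPLE_KEY = build_ed25519_pubkey_line(bytes(range(32)), "sample@example")
SAMPLE_KNOWN_HOSTS = (
    "example.test,192.0.2.10 " + " ".join(SAMPLE_KEY.split()[:2]) + "\n"
)

if __name__ == "__main__":
    print(fingerprint(SAMPLE_KEY))
    print(known_hosts_match(SAMPLE_KNOWN_HOSTS, "example.test", SAMPLE_KEY))
```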