Comment 2 for bug 654946

Scott Moser (smoser) wrote :

It's really not that bad without SSL.
The way it would work would be:
a.) user pushes button says "enable ssh with password"
b.) awstrial arranges (via ssh) for the instance to allow ssh and sets a one time use password for the user (expiring the account, forcing password change)
c.) awstrial shows the password to the user

The potential for error is not in man in the middle masquerading as awstrial, but in seeing the password.

The sniffer could then ssh to the system first, but would be forced to change password.

The original user would then be locked out.

The potential for concern is if the sniffer ssh'd in and set the password back to the original, so the user could get in and was unaware that someone else had gotten in and is now keylogging them (or some such).
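The three-step flow above, and the "password set back to the original" case that the comment worries about, can be modelled in a few lines. What follows is an added illustration written for this page, not code from awstrial or from the bug thread: the `Account` store, the PBKDF2 hashing (standing in for whatever `crypt()` the real system uses), the `must_change` flag (the equivalent of forcing a password change at first login) and the `audit_one_time_password` check are all constructed here. The audit is the piece a defender would want: once the user reports a successful login, the controlling service can verify over its own ssh access that the one-time password it displayed no longer authenticates, which is exactly the signal that distinguishes a normal first login from the reinstated-password scenario.

```python
"""Model of the 'enable ssh with password' flow and a check for a reinstated
one-time password. Constructed example; not awstrial's code."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional


def _hash(password: str, salt: bytes) -> bytes:
    # Assumption: PBKDF2-SHA256 stands in for the system's real password hash.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


@dataclass
class Account:
    name: str
    salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    pw_hash: bytes = b""
    must_change: bool = True   # like expiring the password: change forced at next login
    logins: int = 0            # successful logins recorded by the instance

    def set_password(self, password: str, force_change: bool) -> None:
        self.salt = secrets.token_bytes(16)
        self.pw_hash = _hash(password, self.salt)
        self.must_change = force_change

    def verify(self, password: str) -> bool:
        return hmac.compare_digest(self.pw_hash, _hash(password, self.salt))


def issue_one_time_password(acct: Account) -> str:
    """Step (b): set a fresh random password and force a change on first login."""
    otp = secrets.token_urlsafe(12)
    acct.set_password(otp, force_change=True)
    return otp


def login(acct: Account, password: str, new_password: Optional[str] = None) -> bool:
    """A login attempt on the instance. While must_change is set, the caller has to
    supply a replacement password, and the one-time password stops working."""
    if not acct.verify(password):
        return False
    if acct.must_change:
        if new_password is None or new_password == password:
            return False
        acct.set_password(new_password, force_change=False)
    acct.logins += 1
    return True


def audit_one_time_password(acct: Account, issued_otp: str) -> str:
    """Defender-side check run by the controlling service after the user reports
    that they are in. Outcomes:
      'unused'     - nobody has logged in; the displayed password still works.
      'rotated'    - the displayed password no longer authenticates (expected).
      'reinstated' - a login happened but the displayed password works again, i.e.
                     someone changed it and set it back; treat the box as compromised.
    """
    if acct.verify(issued_otp):
        return "unused" if acct.logins == 0 else "reinstated"
    return "rotated"


def walk_through() -> dict:
    """Run the honest flow, then the reinstated-password case, and return the audit results."""
    acct = Account("trial")
    otp = issue_one_time_password(acct)
    results = {"before_login": audit_one_time_password(acct, otp)}
    login(acct, otp, "user-chosen-secret")           # honest first login, password changed
    results["after_login"] = audit_one_time_password(acct, otp)
    acct.set_password(otp, force_change=False)       # constructed: password put back
    results["after_reinstate"] = audit_one_time_password(acct, otp)
    return results


if __name__ == "__main__":
    print(walk_through())
```

The check only needs the one-time password the service itself generated and its existing ssh access to the instance, so it costs nothing extra to run; a result of `reinstated` (or `unused` long after the user said they logged in) is the condition to alert on.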