24Mar
How does SSH client ensure that SSH server bears the private key, which is the pair of the public key in client’s "known_hosts" file?
An SSH client obviously authenticates an SSH server in some way, because when the server's key changes, the SSH client software gives us a loud warning that the server's key has changed and that this might be a MitM attack.
However, does the client do this authentication using a challenge? That is, does the SSH client encrypt a piece of randomly generated data using the server's public key, and expect that the server will be able to decrypt this using its private key and send back the decrypted data, in order to authenticate the server?
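Added example (not part of the original question): a cut-down model of the mechanism SSH actually uses for this, written to show the shape of the check rather than the wire protocol. The client never encrypts a challenge to the host key. Instead, during key exchange both sides compute an exchange hash H over the transcript (version strings, the server host key K_S, both ephemeral Diffie-Hellman values and the shared secret K), the server signs H with its host private key, and the client checks two things: that K_S equals its known_hosts entry, and that the signature verifies under K_S over its own recomputation of H. The hash below follows RFC 4253 section 8 but omits the KEXINIT payloads and the mpint encoding of K; the version strings, the host name "example.test", and all function and type names are made up for this model.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Version strings exchanged when the connection opens (made-up values for this model).
const vC, vS = "SSH-2.0-ExampleClient", "SSH-2.0-ExampleServer"

// must panics on failures that mean the OS RNG or a fixed-size key is broken.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// sshString encodes b as an RFC 4251 "string": uint32 big-endian length, then the bytes.
func sshString(b []byte) []byte {
	out := make([]byte, 4+len(b))
	binary.BigEndian.PutUint32(out, uint32(len(b)))
	copy(out[4:], b)
	return out
}

// exchangeHash models H from RFC 4253 section 8: a hash over both version strings, the
// host key K_S, the ephemeral values e and f, and the shared secret K. Real SSH also
// hashes both KEXINIT payloads and encodes K as an mpint; those are omitted here.
func exchangeHash(hostPub ed25519.PublicKey, e, f, k []byte) []byte {
	var buf bytes.Buffer
	for _, part := range [][]byte{[]byte(vC), []byte(vS), hostPub, e, f, k} {
		buf.Write(sshString(part))
	}
	sum := sha256.Sum256(buf.Bytes())
	return sum[:]
}

// newEphemeral generates one side's X25519 key for a single key exchange.
func newEphemeral() *ecdh.PrivateKey { return must(ecdh.X25519().GenerateKey(rand.Reader)) }

// x25519Shared completes the agreement with the peer's raw 32-byte public value.
func x25519Shared(priv *ecdh.PrivateKey, peer []byte) []byte {
	return must(priv.ECDH(must(ecdh.X25519().NewPublicKey(peer))))
}

// KexReply is the server's answer: K_S, its ephemeral value f, and a signature over H.
type KexReply struct{ HostPub ed25519.PublicKey; F, Sig []byte }

// Server owns a long-term Ed25519 host key pair; HostPub is K_S, the known_hosts value.
type Server struct{ HostPub ed25519.PublicKey; hostPriv ed25519.PrivateKey }

func NewServer() *Server {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Server{pub, priv}
}

// HandleKex derives K from the client's e, computes H and signs it with the host key.
// That signature is the proof of possession; nothing is ever encrypted to K_S.
func (s *Server) HandleKex(e []byte) KexReply {
	eph := newEphemeral()
	f := eph.PublicKey().Bytes()
	h := exchangeHash(s.HostPub, e, f, x25519Shared(eph, e))
	return KexReply{s.HostPub, f, ed25519.Sign(s.hostPriv, h)}
}

// verifyServer is the client side: K_S must equal the known_hosts entry for host, and
// Sig must verify under K_S over the client's own recomputation of H. nil means the
// server holds the private half of the key the client already trusts.
func verifyServer(knownHosts map[string]ed25519.PublicKey, host string, cliEph *ecdh.PrivateKey, r KexReply) error {
	if expected, ok := knownHosts[host]; !ok || !bytes.Equal(expected, r.HostPub) {
		return fmt.Errorf("host key for %q does not match known_hosts (possible MitM)", host)
	}
	e := cliEph.PublicKey().Bytes()
	h := exchangeHash(r.HostPub, e, r.F, x25519Shared(cliEph, r.F))
	if !ed25519.Verify(r.HostPub, h, r.Sig) {
		return fmt.Errorf("signature over the exchange hash does not verify under K_S")
	}
	return nil
}

func main() {
	srv, mitm := NewServer(), NewServer() // mitm: an attacker with its own host key
	known := map[string]ed25519.PublicKey{"example.test": srv.HostPub}
	cli := newEphemeral()
	e := cli.PublicKey().Bytes()
	fmt.Println("genuine server:", verifyServer(known, "example.test", cli, srv.HandleKex(e)))
	forged := mitm.HandleKex(e)
	fmt.Println("MitM, own key: ", verifyServer(known, "example.test", cli, forged))
	forged.HostPub = srv.HostPub // attacker presents the real K_S but cannot sign for it
	fmt.Println("MitM, real K_S:", verifyServer(known, "example.test", cli, forged))
}
```

The three runs in main are the cases behind the known_hosts warning: the genuine server passes both checks; an attacker with its own host key fails the known_hosts comparison (the "key has changed" warning); and an attacker that forwards the real K_S but does not hold its private half fails the signature check, because H covers the ephemeral values of this particular connection and cannot be replayed from another session. Binding the signature to K and to e and f is also why the server cannot be used as a decryption oracle, which a raw encrypt-a-challenge design would risk.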