Wind River Support Network

Fixed

LIN7-6855 : Security Advisory - openssh - CVE-2016-6210

Created: Sep 26, 2016    Updated: Sep 8, 2018
Resolved Date: Oct 10, 2016
Found In Version: 7.0
Fix Version: 7.0.0.21
Severity: Standard
Applicable for: Wind River Linux 7
Component/s: Userspace

Description

When SSHD tries to authenticate a non-existing user, it picks up a fake password structure hardcoded in the SSHD source code. The password hash in this hardcoded structure is based on the BLOWFISH ($2) algorithm. If real users' passwords are hashed using SHA256/SHA512, then sending large passwords (10KB) will result in a shorter response time from the server for non-existing users. This allows a remote attacker to enumerate the existing users on a system through SSHD logins.

Published in:

http://seclists.org/fulldisclosure/2016/Jul/51

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6210 
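
A defender-side check for the condition named in the Description, added here as an example (it is not Wind River's or OpenSSH's code): it classifies the password-hash scheme of each entry in shadow(5)-format text and lists the accounts hashed with SHA256/SHA512. The function names are hypothetical, and the account names and hash strings in `SAMPLE` are constructed.

```python
# Added example: classify password-hash schemes in shadow(5)-format text.
# Account names and hash strings in SAMPLE are constructed, not real.

SCHEMES = {"1": "md5", "5": "sha256", "6": "sha512",
           "2": "blowfish", "2a": "blowfish", "2b": "blowfish", "2y": "blowfish"}
# Schemes the advisory names for real users' hashes ($5$ and $6$ prefixes).
EXPOSED = {"sha256", "sha512"}


def classify_hash(field):
    """Return the scheme name for the password field of one shadow entry."""
    if field == "":
        return "empty"
    if field[0] in "!*":
        return "locked"   # no usable password, even if a hash follows the "!"
    parts = field.split("$")   # "$6$salt$hash" -> ["", "6", "salt", "hash"]
    if parts[0] != "" or len(parts) < 4:
        return "other"    # traditional crypt, malformed or unrecognized
    return SCHEMES.get(parts[1], "other")


def audit_shadow(text):
    """Return ({account: scheme}, sorted accounts hashed with SHA256/SHA512)."""
    schemes, exposed = {}, []
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) < 2 or not fields[0]:
            continue          # blank line or not a shadow entry
        schemes[fields[0]] = classify_hash(fields[1])
        if schemes[fields[0]] in EXPOSED:
            exposed.append(fields[0])
    return schemes, sorted(exposed)


SAMPLE = """\
root:$6$CONSTRUCTEDSALT$constructedhashvalue:17000:0:99999:7:::
alice:$5$CONSTRUCTEDSALT$constructedhashvalue:17000:0:99999:7:::
bob:$2a$10$constructedsaltandhashvalue:17000:0:99999:7:::
daemon:*:17000:0:99999:7:::
carol:!$6$CONSTRUCTEDSALT$constructedhashvalue:17000:0:99999:7:::
"""

if __name__ == "__main__":
    schemes, exposed = audit_shadow(SAMPLE)
    for user, scheme in schemes.items():
        print(f"{user:8} {scheme}")
    print("SHA256/SHA512-hashed accounts:", ", ".join(exposed) or "none")
```
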
