OpenSSH server was found to respond differently to failed GSSAPI authentication attempts when the target user existed versus when that user did not exist. A remote attacker could use this bug to test for the existence of particular usernames on a target system.
If GSSAPI authentication is not required, this flaw can be mitigated by changing the global configuration in /etc/ssh/sshd_config from "GSSAPIAuthentication yes" to "GSSAPIAuthentication no".
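
One way to confirm the mitigation actually took effect, as an added example that is not part of the original advisory: sshd uses the first value it obtains for a keyword, and a Match block can re-enable GSSAPI for some connections even when the global setting is "no". The function name gssapi_audit and the sample configuration are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an sshd_config-style file for GSSAPIAuthentication.
# Keywords are case-insensitive, the first value obtained wins, and lines
# after a "Match" line apply only to connections matching that block.

gssapi_audit() {
    # Prints "global=<yes|no|unset> match_yes=<count>".
    # Returns 0 when no line enables GSSAPI, 1 otherwise.
    awk '
        /^[ \t]*#/ { next }                    # skip comment lines
        {
            gsub(/[=\t]/, " ")                 # "Keyword=value" is accepted too
            n = split($0, f, " ")
            if (n == 0) next
            key = tolower(f[1]); val = f[2]
            if (key == "match") { in_match = 1; seen_in_block = 0; next }
            if (key != "gssapiauthentication") next
            if (!in_match) {
                if (global == "") global = val # first global value wins
            } else if (!seen_in_block) {
                seen_in_block = 1              # first value inside this block
                if (val == "yes") match_yes++
            }
        }
        END {
            if (global == "") global = "unset"
            printf "global=%s match_yes=%d\n", global, match_yes
            rc = (global == "yes" || match_yes > 0) ? 1 : 0
            exit rc
        }
    ' "$1"
}

# Constructed sample: the global value is "no", but a Match block turns
# GSSAPI back on for one address range, so the mitigation is incomplete.
sample=$(mktemp)
cat > "$sample" <<'EOF'
GSSAPIAuthentication no
Match Address 192.0.2.0/24
    GSSAPIAuthentication yes
EOF
gssapi_audit "$sample" || echo "GSSAPI authentication is still enabled somewhere"
rm -f "$sample"
```

On a live host, run it against /etc/ssh/sshd_config; the script does not follow Include directives, so any included files need to be checked separately.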