CVE-2003-0190

OpenSSH-portable (OpenSSH) 3.6.1p1 and earlier with PAM support enabled immediately sends an error message when a user does not exist. This allows remote attackers to determine valid usernames via a timing attack.

http://lab.mediaservice.net/advisory/2003-01-openssh.txt