Openssh · Openssh-Portable · CVE-2003-0190
**Name of the Vulnerable Software and Affected Versions**
OpenSSH-portable versions 3.6.1p1 and earlier
**Description**
The issue allows remote attackers to determine valid usernames via a timing attack when a user does not exist, due to the immediate sending of an error message with PAM support enabled. This can lead to a violation of confidentiality. The vulnerability can be exploited remotely.
**Recommendations**
For OpenSSH-portable versions 3.6.1p1 and earlier, consider disabling PAM support as a temporary workaround to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.