COMMAND

    ssh

SYSTEMS AFFECTED

    ssh-2.0.12 (at least)

PROBLEM

    Alfonso Lazaro Tellez found the following.  It was tested on
    ssh-2.0.12.  When an ssh client connects to the daemon with a
    valid login, it gets a number of attempts (default three) to
    guess the correct password before being disconnected, but it
    gets only one attempt if it connects with an invalid login.
    Example: alfonso is not a user (login) on 192.168.0.1:

        $ssh 192.168.0.1 -l alfonso
        alfonso's password: <hit ENTER key>

        Disconnected; authentication error (Authentication method disabled.).
        $

    altellez is a user (login) on 192.168.0.1:

        $ssh 192.168.0.1 -l altellez
        altellez's password: <hit ENTER key>
        altellez's password:

    Now the remote attacker knows that altellez is a valid login on
    192.168.0.1.

SOLUTION

    Edit the file sshd2_config  (usually at /etc/ssh2), set  the value
    of "PasswordGuesses" to 1.
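
    One way to check that the setting above is in place, as an added
    example that is not part of the original advisory.  It assumes
    "Keyword value" lines with '#' comments in sshd2_config; the
    function names are illustrative.  Because precedence among
    duplicate lines is not assumed, every active line must be 1.

```shell
#!/bin/sh
# Added example: audit sshd2_config for the PasswordGuesses setting.
# Assumed syntax: "Keyword value" lines, '#' starts a comment, keyword
# matched case-insensitively. Function names are illustrative.

# Print every active PasswordGuesses value, one per line.
password_guesses_values() {
    awk '
        { sub(/#.*/, "") }   # strip comments, which re-splits the fields
        tolower($1) == "passwordguesses" { print ($2 == "" ? "missing" : $2) }
    ' "$1"
}

# Return 0 if the file pins PasswordGuesses to 1, 1 if it does not,
# 2 if the file cannot be read.
audit_password_guesses() {
    cfg=$1
    [ -r "$cfg" ] || { echo "cannot read $cfg" >&2; return 2; }
    values=$(password_guesses_values "$cfg")
    if [ -z "$values" ]; then
        # Unset means the default applies (three, per the advisory).
        echo "FAIL: PasswordGuesses not set in $cfg"
        return 1
    fi
    for v in $values; do
        if [ "$v" != "1" ]; then
            echo "FAIL: PasswordGuesses $v in $cfg"
            return 1
        fi
    done
    echo "OK: PasswordGuesses 1 in $cfg"
    return 0
}

# Constructed sample config that still allows three guesses.
sample=$(mktemp)
printf '%s\n' '# constructed sample' 'Port 22' 'PasswordGuesses 3' > "$sample"
audit_password_guesses "$sample" || true
rm -f "$sample"
```

    Run audit_password_guesses against the real file, for example
    /etc/ssh2/sshd2_config, and treat a non-zero status as a finding.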