This script is Copyright (C) 2003-2017 Tenable Network Security, Inc.
It is possible to enumerate valid users on the remote host.
The remote host seems to be running an SSH server that could allow an
attacker to determine the existence of a given login by comparing the
time the remote sshd daemon takes to refuse a bad password for a
nonexistent login compared to the time it takes to refuse a bad
password for a valid login.
An attacker could use this flaw to set up a brute-force attack against
the remote host.
Disable PAM support if you do not use it, upgrade to the OpenSSH
version 3.6.1p2 or later.
Risk factor :
Medium / CVSS Base Score : 5.0
CVSS Temporal Score : 4.8
Public Exploit Available : true