A bug in OpenSSH allows an attacker to check whether user names are valid on a 'net-facing server - because the Blowfish algorithm runs faster than SHA256/SHA512.
The bug hasn't been fixed yet, but in his post to Full Disclosure, Verint developer Eddie Harari says OpenSSH developer Darren Tucker knows about the issue and is working to address it.
If you send a user ID to an OpenSSH server with a long but wrong password – 10 kilobytes is what Harari mentions in his post – then the server will respond quickly for fake users, but slower for real users.
As the post explains, it's particular to certain configurations:
When SSHD tries to authenticate a non-existing user, it will pick up a fake password structure hardcoded in the SSHD source code.
On this hard coded password structure the password hash is based on BLOWFISH $2 algorithm.