A vulnerability in OpenSSH could allow an attacker to make up to 10,000 password entries during the open source tools' “login grace time,” also known as a brute force attack.
OpenSSH sets this grace time to two minutes by default, the researcher known as kingcopes wrote in a blog post. The post included exploit code to use against OpenSSH version 6.9, but a separate post said the exploit also works against other versions, including a 2007 release of the FreeBSD operating system.
Kingcopes noted there is no delay between authentication attempts, “but this is another issue that makes this vulnerability more effective,” the post stated.
ArsTechnica wrote that a cryptographic key pair of at least 2,048 bits in length should help fend off an attack, so long as the private key is protected by a strong password.