It was found that dropbear with GSSAPI leaks whether a given username is valid or invalid. When an invalid username was given, the GSSAPI authentication failure was incorrectly counted towards the maximum allowed number of password attempts. This was fixed in dropbear-2013.59, as part of the following patch: https://secure.ucc.asn.au/hg/dropbear/rev/d7784616409a#l1.86
Acknowledgments: Name: Gilford Martino (BAE Systems), Scott McKee (BAE Systems)
External References: https://secure.ucc.asn.au/hg/dropbear/rev/d7784616409a#l1.86