OpenSSH through 8.7 allows remote attackers, who have a suspicion that a certain combination of username and public key is known to an SSH server, to test whether this suspicion is correct. This occurs because a challenge is sent only when that combination could be valid for a login session.

References:
https://github.com/openssh/openssh-portable/blob/d0fffc88c8fe90c1815c6f4097bc8cbcabc0f3dd/auth2-pubkey.c#L261-L265
https://github.com/openssh/openssh-portable/pull/270
https://rushter.com/blog/public-ssh-keys/
https://utcc.utoronto.ca/~cks/space/blog/tech/SSHKeysAreInfoLeak
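To make the "challenge is sent only when that combination could be valid" behaviour concrete, the following is an added, constructed example (not code from OpenSSH, from the referenced pull request, or from this ticket). It encodes and decodes the RFC 4252 section 7 "publickey" userauth request, whose boolean flag distinguishes a signature-less query ("would this key be acceptable?") from a signed authentication, models a server that answers SSH_MSG_USERAUTH_PK_OK only for (user, key) pairs it knows, which is the oracle the description refers to, and adds a defender-side heuristic that flags a source offering many distinct unsigned keys for one account. The function names, the `authorized` set, the threshold of 6, the key blobs and the source addresses are all assumptions made for the example.

```python
"""Toy model of the SSH 'publickey' userauth query (RFC 4252 section 7) and of the
key-presence oracle described in the CVE text.  Constructed example; not OpenSSH code."""
import struct
from typing import Dict, Iterable, List, Optional, Set, Tuple

SSH_MSG_USERAUTH_REQUEST = 50
SSH_MSG_USERAUTH_FAILURE = 51
SSH_MSG_USERAUTH_PK_OK = 60


def _string(b: bytes) -> bytes:
    """SSH wire 'string': uint32 big-endian length prefix followed by the bytes (RFC 4251)."""
    return struct.pack(">I", len(b)) + b


def build_pubkey_request(user: str, pkalg: str, keyblob: bytes,
                         signature: Optional[bytes] = None) -> bytes:
    """Encode SSH_MSG_USERAUTH_REQUEST with method 'publickey'.
    signature=None produces the *query* form (boolean FALSE): the client asks whether
    the key would be acceptable without yet proving possession of the private key."""
    msg = (bytes([SSH_MSG_USERAUTH_REQUEST]) + _string(user.encode())
           + _string(b"ssh-connection") + _string(b"publickey")
           + bytes([1 if signature is not None else 0])
           + _string(pkalg.encode()) + _string(keyblob))
    if signature is not None:
        msg += _string(signature)
    return msg


def parse_pubkey_request(msg: bytes) -> Dict:
    """Decode a message in the layout produced above; raises ValueError on malformed input."""
    if not msg or msg[0] != SSH_MSG_USERAUTH_REQUEST:
        raise ValueError("not a USERAUTH_REQUEST")
    pos = 1

    def take() -> bytes:
        nonlocal pos
        if pos + 4 > len(msg):
            raise ValueError("truncated length field")
        (n,) = struct.unpack(">I", msg[pos:pos + 4])
        pos += 4
        if pos + n > len(msg):
            raise ValueError("truncated string")
        s = msg[pos:pos + n]
        pos += n
        return s

    user, service, method = take(), take(), take()
    if method != b"publickey":
        raise ValueError("not a publickey request")
    if pos >= len(msg):
        raise ValueError("missing has_sig flag")
    has_sig = msg[pos] == 1
    pos += 1
    pkalg, keyblob = take(), take()
    sig = take() if has_sig else None
    if pos != len(msg):
        raise ValueError("trailing data")
    return {"user": user.decode(), "service": service.decode(), "has_sig": has_sig,
            "pkalg": pkalg.decode(), "keyblob": keyblob, "signature": sig}


def server_reply_to_query(req: Dict, authorized: Set[Tuple[str, bytes]]) -> int:
    """Model of a server's answer to the *query* form.  Answering PK_OK only for
    (user, key) pairs the server would accept is exactly the oracle the CVE text
    describes: the reply reveals whether the pair is known before any signature
    is presented.  (Assumed model, not OpenSSH's actual code path.)"""
    if req["has_sig"]:
        raise ValueError("signed request: signature verification is not modelled here")
    if (req["user"], req["keyblob"]) in authorized:
        return SSH_MSG_USERAUTH_PK_OK
    return SSH_MSG_USERAUTH_FAILURE


def flag_key_probing(requests: Iterable[Tuple[str, bytes]],
                     threshold: int = 6) -> List[Tuple[str, str]]:
    """Defender-side heuristic (assumed threshold): one source offering many distinct
    *unsigned* keys for one account looks like probing rather than a normal client,
    which usually offers a handful of agent keys and then signs with one of them.
    Input: (source address, raw request bytes) pairs.  Output: flagged (source, user)."""
    seen: Dict[Tuple[str, str], Set[bytes]] = {}
    for src, raw in requests:
        req = parse_pubkey_request(raw)
        if req["has_sig"]:
            continue
        seen.setdefault((src, req["user"]), set()).add(req["keyblob"])
    return sorted(k for k, keys in seen.items() if len(keys) >= threshold)


if __name__ == "__main__":
    known = {("alice", b"KEY-A")}  # constructed sample of an authorized pair
    q = parse_pubkey_request(build_pubkey_request("alice", "ssh-ed25519", b"KEY-A"))
    print("known pair  ->", server_reply_to_query(q, known))     # 60 (PK_OK)
    q = parse_pubkey_request(build_pubkey_request("alice", "ssh-ed25519", b"KEY-Z"))
    print("unknown pair->", server_reply_to_query(q, known))     # 51 (FAILURE)
```

The heuristic is deliberately coarse: legitimate clients with a well-stocked ssh-agent also send several unsigned queries per connection, so tune the threshold against your own baseline rather than treating a single flag as an incident. Note also that each rejected query counts as a failed attempt against the server's MaxAuthTries limit (the familiar "Too many authentication failures" disconnect when an agent holds many keys), which bounds how many pairs one connection can test.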
Marking Services affected/delegated for presence of the affected code. Minimal likelihood of exploit.
Marking RHEL8 and RHEL9 as delegated as the code is present; however, upstream does not seem to recognize this as a vulnerability, although it has a CVE ID assigned. Also, it seems there is no fix present in upstream, as the pull request is still open and in draft state.
Created openssh tracking bugs for this issue: Affects: fedora-all [bug 2056817]
Closing this as NOTABUG as upstream and Red Hat don't consider it to be a security vulnerability.