sshd-auth likely remains stuck in a busy-poll loop. A diagnosis report and patch proposal were created locally.
Published session
Prompt
## Plan Pass
You are planning a fixer patch before any edits happen.
Read the evidence bundle at `./evidence.json`. The prepared workspace is `./workspace` and it was acquired via `debian-source`. The original pre-edit snapshot is available at `./source` if you need to inspect it. For interpreter processes, plan from the script/application entrypoint evidence first and include the runtime only as a second investigation target unless the evidence proves a runtime bug.
Validation expectation: try the project-level build/test entrypoint from the workspace root before reporting only a focused leaf compile. Detected candidate(s): `./configure && make`. If the project-level command fails because dependencies or generated files are missing, include the exact command and failure reason in `## Validation`, then run the narrowest relevant compile/test that is still reproducible from a clean checkout.
Upstream-style expectation: before planning or editing, check for contribution/style docs (`CONTRIBUTING`, `HACKING`, `README-hacking`, `README.md`, `docs/`, `dev-docs/`) and scan the touched subsystem for local helpers. If the project has wrappers for file IO, path-relative IO, process spawning, memory allocation, logging, locking, or platform compatibility, prefer those wrappers over generic libc/std APIs. Do not invent a reproducer or user-visible failure that is not in the evidence bundle; if the evidence is profiler-only or indirect, describe it as a targeted mitigation or stop with a diagnosis instead of presenting a speculative patch as a confirmed bug fix. In the plan and final validation, name any such helper, convention, or evidence limit you found, or say that no relevant local helper was found. Treat this as a `openssh` upstream patch, not just a Debian-local workaround. Inspect the relevant code, nearby callers, project contribution docs, and local helper/compat APIs, but do not edit files in this pass.
Return a short markdown plan with these exact sections:
## Problem
## Evidence Confidence
## Proposed Subject
## Patch Plan
## Risks
## Validation
Classify `## Evidence Confidence` as exactly one of `reproduced`, `observed`, or `inferred`. Use `inferred` only for a no-patch diagnosis/report plan unless you can name the extra evidence you will collect before editing; inferred source patches are blocked by Fixer because they are not pull-request-ready. For `observed` source-patch plans, plan to say in the final `## Issue Connection` that the failure was observed by Fixer and not independently reproduced. The plan must explain how the proposed code change addresses the observed issue evidence, call out any prior Fixer patch that should be improved or replaced, reject awkward control flow such as avoidable `goto` if there is a cleaner bounded alternative, name any local helper APIs or maintainer conventions the patch should follow, and keep the intended maintainer-facing explanation clear enough that someone unfamiliar with the local complaint wording can still follow the fix. In `## Validation`, name the reproducible configure/build/test entrypoint you will try from the workspace root before any focused leaf compile or smoke check, and include one bounded independent reproduction attempt for the collected failure signal when it is safe and cheap. Do not plan to claim `reproduced` unless that reproduction command or test can actually show the failure.
## Patch Pass
You are working on a bounded fixer proposal.
Read the evidence bundle at `./evidence.json`. The prepared workspace is `./workspace` and it was acquired via `debian-source`. Produce the smallest reasonable patch for the target repository, keep the change upstreamable, prefer the clearest control flow available, and do not keep avoidable `goto` when a simpler structure would read better. Before introducing new file, process, allocation, locking, networking, or platform APIs, inspect nearby code and project contribution docs for existing helpers or compatibility wrappers and use those local patterns unless you can explain why they do not fit. Validate from a reproducible workspace-root entrypoint before falling back to focused leaf commands; if a build or test cannot run, report the exact command, the exact blocker, and any narrower check you ran instead. During validation, also try one bounded independent reproduction of the collected failure signal when it is safe and cheap, such as a failing test, smoke command, perf/strace comparison, or before/after runtime check. Only use `reproduced` if that command or test actually reproduced the failure; otherwise keep `observed` and report the reproduction blocker. The final explanation must connect the observed issue evidence to the actual code change, not just paraphrase the diff. Write like a maintainer is going to read the patch mail cold: explain the bug in plain language, define subsystem-specific jargon the first time you need it, and make the causal story obvious. Explicitly classify evidence confidence as `reproduced`, `observed`, or `inferred`: `reproduced` means you reproduced the failure locally; `observed` means Fixer has direct crash/log/trace evidence but you did not independently reproduce it; `inferred` means the source patch is not pull-request-ready, so do not leave a source diff unless you first gather stronger observed/reproduced evidence; otherwise return a no-patch diagnosis/report. For any source-changing `observed` patch, say explicitly in `## Issue Connection` that the failure was observed by Fixer and not independently reproduced. If you introduce non-obvious state translation, index remapping, or backend split logic, add a short source comment that explains the invariant being preserved.
Start by explaining the likely root cause from the collected perf, strace, and /proc evidence. If you cannot land a safe patch, leave a diagnosis that is strong enough for an upstream bug report.
Validation expectation: try the project-level build/test entrypoint from the workspace root before reporting only a focused leaf compile. Detected candidate(s): `./configure && make`. If the project-level command fails because dependencies or generated files are missing, include the exact command and failure reason in `## Validation`, then run the narrowest relevant compile/test that is still reproducible from a clean checkout.
Upstream-style expectation: before planning or editing, check for contribution/style docs (`CONTRIBUTING`, `HACKING`, `README-hacking`, `README.md`, `docs/`, `dev-docs/`) and scan the touched subsystem for local helpers. If the project has wrappers for file IO, path-relative IO, process spawning, memory allocation, logging, locking, or platform compatibility, prefer those wrappers over generic libc/std APIs. Do not invent a reproducer or user-visible failure that is not in the evidence bundle; if the evidence is profiler-only or indirect, describe it as a targeted mitigation or stop with a diagnosis instead of presenting a speculative patch as a confirmed bug fix. In the plan and final validation, name any such helper, convention, or evidence limit you found, or say that no relevant local helper was found. Treat this as a `openssh` upstream patch, not just a Debian-local workaround.
Keep the change narrowly scoped and summarize validation clearly.
In every authoring pass, your final response must start with `Subject: <single-line git commit subject>` and then include these markdown sections exactly:
## Commit Message
A short upstream-friendly explanation of what changed and why. Write it in plain language that a maintainer can follow without local complaint context. If you use subsystem jargon, define it immediately.
## Evidence Confidence
Exactly one word: `reproduced`, `observed`, or `inferred`. Use `reproduced` only when you reproduced the failure locally with a command or test, and include that command/test in `## Validation`. Use `observed` when Fixer has direct crash/log/trace evidence but you did not independently reproduce it. If `## Git Add Paths` lists source files for an `observed` patch, `## Issue Connection` must explicitly say the failure was observed by Fixer and not independently reproduced. Use `inferred` for profiler/strace/indirect evidence; inferred responses may be no-patch diagnoses or reports, but inferred source patches are not pull-request-ready until stronger evidence is gathered.
## Issue Connection
Write this as maintainer-facing patch mail, not as local Fixer notes. Cover four things explicitly in readable sentences: the user-visible symptom or the exact collected signal, the code-level cause or the cautious inference from evidence, the specific change you made, and the expected effect. Do not invent a reproducer, command line, crash, or user-visible failure that is not present in the evidence bundle. If the evidence is direct-but-not-reproduced, say it was observed by Fixer and not independently reproduced. If the evidence is indirect and you did not gather stronger evidence, do not leave a source diff; write a no-patch diagnosis/report instead. Include an explicit effect sentence such as `The expected effect is ...`, `This should reduce ...`, or `This prevents ...` for source patches. If the logic is non-obvious in code, mention that you added a short explanatory comment.
## Git Add Paths
List the repo-relative paths that belong in the final patch, one per line. Use `None` only when you intentionally made no source changes. Include intentionally new files, and do not list generated build artifacts.
## Validation
List the checks you ran, or say clearly that you could not run them. Include the independent reproduction command/test and result when `## Evidence Confidence` is `reproduced`; if reproduction was attempted but blocked, name the exact blocker and keep confidence at `observed` or `inferred`.
Before editing, read the plan at `./plan-output.txt` and follow it unless the code proves part of it wrong. If you change course, say so explicitly in the final write-up instead of silently drifting from the plan.
## Review Pass 1
You are reviewing a freshly generated fixer patch.
Read the evidence bundle at `./evidence.json`. The prepared workspace is `./workspace` and it was acquired via `debian-source`. Review the first patch pass. The original pre-edit snapshot is available at `./source` for diffing. The workspace currently changes these repo-relative paths: auth2.c. Verify that `## Git Add Paths` matches this exact set and that `## Issue Connection` explains every shipped functional file.
Upstream-style expectation: before planning or editing, check for contribution/style docs (`CONTRIBUTING`, `HACKING`, `README-hacking`, `README.md`, `docs/`, `dev-docs/`) and scan the touched subsystem for local helpers. If the project has wrappers for file IO, path-relative IO, process spawning, memory allocation, logging, locking, or platform compatibility, prefer those wrappers over generic libc/std APIs. Do not invent a reproducer or user-visible failure that is not in the evidence bundle; if the evidence is profiler-only or indirect, describe it as a targeted mitigation or stop with a diagnosis instead of presenting a speculative patch as a confirmed bug fix. In the plan and final validation, name any such helper, convention, or evidence limit you found, or say that no relevant local helper was found. Treat this as a `openssh` upstream patch, not just a Debian-local workaround.
Validation expectation: try the project-level build/test entrypoint from the workspace root before reporting only a focused leaf compile. Detected candidate(s): `./configure && make`, `make` and, if available, `make check`. If the project-level command fails because dependencies or generated files are missing, include the exact command and failure reason in `## Validation`, then run the narrowest relevant compile/test that is still reproducible from a clean checkout. The latest author response is at `./patch-output.txt`. Inspect the current code and changed paths like a strict code reviewer. Focus on correctness, regressions, maintainability, awkward control flow such as avoidable `goto`, missing validation, weak or non-gittable commit message text, and explanations that fail to connect the observed issue evidence to the code change. Also review the maintainer experience: the patch mail should be easy to accept upstream, the user-visible bug should be explained in plain language, subsystem-specific jargon should be defined when first used, and any non-obvious state translation or index remapping in code should have a short explanatory comment. Reject patches that omit `## Evidence Confidence`, use anything other than `reproduced`, `observed`, or `inferred`, or sound more certain than that evidence level allows. Reject patches that claim `reproduced` unless `## Validation` names the concrete reproduction command or test and its result. Reject patches that invent a reproducer, command line, crash, or user-visible failure not present in the evidence bundle; indirect profiler or strace evidence may justify a cautious mitigation, but the author must say it is indirect instead of presenting it as a confirmed upstream bug. Reject patches that introduce generic libc/std APIs when nearby code or project docs provide a local compat/helper API for the same job, unless the author explicitly justifies the exception. Reject validation that only reports a leaf object/syntax build when a project-level configure/build/test entrypoint exists and was not attempted; if a full build cannot run, the author must show the exact failed command and blocker.
Do not apply code changes in this pass.
Return a short markdown review report. The first non-empty line must be exactly one of:
RESULT: ok
RESULT: fix-needed
If you choose `RESULT: fix-needed`, add a `## Findings` section with concrete, actionable items.
## Refinement Pass 1
You are refining a fixer patch after an explicit code review.
Read the evidence bundle at `./evidence.json`. The prepared workspace is `./workspace` and it was acquired via `debian-source`. Read the latest author response at `./patch-output.txt`. Read the review report at `./review-1-output.txt`. This is refinement round 1. The original pre-edit snapshot is available at `./source` if you need to compare the current patch against it. Re-read the planning pass at `./plan-output.txt` before editing. The workspace currently changes these repo-relative paths: auth2.c. Either keep that exact set synchronized with `## Git Add Paths` and `## Issue Connection`, or revert any unintended file before you answer.
Upstream-style expectation: before planning or editing, check for contribution/style docs (`CONTRIBUTING`, `HACKING`, `README-hacking`, `README.md`, `docs/`, `dev-docs/`) and scan the touched subsystem for local helpers. If the project has wrappers for file IO, path-relative IO, process spawning, memory allocation, logging, locking, or platform compatibility, prefer those wrappers over generic libc/std APIs. Do not invent a reproducer or user-visible failure that is not in the evidence bundle; if the evidence is profiler-only or indirect, describe it as a targeted mitigation or stop with a diagnosis instead of presenting a speculative patch as a confirmed bug fix. In the plan and final validation, name any such helper, convention, or evidence limit you found, or say that no relevant local helper was found. Treat this as a `openssh` upstream patch, not just a Debian-local workaround.
Validation expectation: try the project-level build/test entrypoint from the workspace root before reporting only a focused leaf compile. Detected candidate(s): `./configure && make`, `make` and, if available, `make check`. If the project-level command fails because dependencies or generated files are missing, include the exact command and failure reason in `## Validation`, then run the narrowest relevant compile/test that is still reproducible from a clean checkout. Address the review findings with the smallest reasonable follow-up changes. If the review identifies a runtime or correctness bug in the changed code, you must update the code itself before answering; a metadata-only response is not sufficient. Keep the patch upstream-friendly, use local project helpers and compat APIs when available, avoid awkward control flow when a simpler structu
[truncated 6838 bytes]
Response
## Plan Pass
## Problem
Fixer observed `sshd-auth` in preauth handling after an auth failure: monitor read, about 500 ms `clock_nanosleep`, then write/poll on the client fd and `ECONNRESET`. The bundle labels this as busy-poll, but the process state was sleeping and CPU was only 0.1%, so the stronger maintainer-facing problem is narrower: auth failure delay can keep a preauth child alive after the peer has already disconnected.
## Evidence Confidence
observed
## Proposed Subject
`sshd-auth: interrupt auth failure delay on peer disconnect`
## Patch Plan
Change `auth2.c` around `ensure_minimum_time_since()` so the failure delay waits with `ppoll()` on the client connection fd instead of unconditional `nanosleep()`, and returns a status when `POLLHUP`, `POLLERR`, or `POLLNVAL` shows the peer is gone. `input_userauth_request()` should then return `SSH_ERR_CONN_CLOSED`/`SSH_ERR_SYSTEM_ERROR` through the existing dispatch path instead of calling `userauth_finish()` and writing a failure packet to a reset socket.
Keep the control flow local and bounded: no avoidable `goto`; preserve the existing delay when the fd is merely readable so timing behavior is not weakened for live clients. Use OpenSSH conventions already present in this subsystem: `monotime_double()`, `struct pollfd`, `ppoll()`, `SSH_ERR_*` returns, `debug3_f()`, and dispatch fatal handling. No relevant higher-level local helper for “sleep until disconnect or timeout” was found; `ptimeout` helpers exist for poll deadlines, but this function already computes a relative `timespec`.
No prior Fixer patch was found to improve or replace; only Debian quilt patches and the Fixer baseline are present.
## Risks
Skipping the delay too broadly could change auth timing behavior, so the patch should only abort on hangup/error, not ordinary `POLLIN`. Returning a connection error from `input_userauth_request()` must preserve the existing cleanup of parsed strings and rely on `ssh_dispatch_run_fatal()` for final logging/exit.
## Validation
First try the project-level entrypoint from the workspace root: `./configure && make`. If that fails due to missing dependencies or generated files, record the exact failure and then run the narrowest relevant compile, likely `make sshd-auth` or the object compile for `auth2.o`.
Bounded independent reproduction attempt before claiming more than “observed”: run a locally built `sshd`/`sshd-auth` under `strace -f -e trace=read,write,ppoll,clock_nanosleep` on a high port with a temporary config, trigger a failed auth attempt, disconnect during the failure delay, and compare whether the child wakes on disconnect instead of completing the full sleep and writing to a reset socket. If this cannot be made reproducible safely, final wording should say the Fixer failure was observed, not independently reproduced.
## Patch Pass
Subject: sshd-auth: interrupt auth failure delay on peer close
## Commit Message
The authentication failure delay used `nanosleep()`, so a preauth `sshd-auth` child could continue sleeping even after the client had already disconnected. Replace that sleep with a `ppoll()` wait on the packet input fd, preserving the delay for live clients but returning through the existing dispatch error path when the peer hangs up.
## Evidence Confidence
observed
## Issue Connection
Fixer observed `sshd-auth` with the syscall sequence `read`, `clock_nanosleep`, `write`, `ppoll`, then `ECONNRESET`; `/proc` showed the process sleeping with low CPU, so this is better treated as delayed cleanup after disconnect than as a confirmed CPU runaway.
The code-level cause is the authentication failure delay in `auth2.c`: after a failed non-`none` auth request, `ensure_minimum_time_since()` slept unconditionally before `userauth_finish()` tried to send the failure packet. If the client reset the connection during that delay, the child only noticed afterward.
I changed that delay to use `ppoll()` on `ssh_packet_get_connection_in(ssh)` with no requested input events, so normal client input does not shorten the timing delay, while `POLLHUP`/`POLLERR` wakes the child and returns `SSH_ERR_CONN_CLOSED`. I added a short comment explaining that invariant. `POLLNVAL` is mapped to `SSH_ERR_SYSTEM_ERROR` instead of the plan’s peer-close bucket because it means an invalid fd, not a remote hangup.
The expected effect is that `sshd-auth` exits through the existing connection-close handling when the peer disconnects during the auth failure delay, avoiding the later write/poll/read-reset sequence observed by Fixer. This failure was observed by Fixer and not independently reproduced.
Local conventions checked: only `README.md` was found among the requested contribution/style docs; nearby code uses `ppoll()`, `monotime_double()`, `ssh_packet_get_connection_in()`, `debug3_f()`, and `SSH_ERR_*` returns. No better higher-level helper for “sleep unless the peer hangs up” was found.
## Git Add Paths
auth2.c
## Validation
`./configure && make` failed initially with:
`configure: error: ./configure.ac newer than configure, run autoreconf`
`touch configure && ./configure && make` then completed successfully from the workspace root. The build produced existing warnings in unrelated files, but `auth2.o`, `sshd-session`, and `sshd-auth` built.
`git diff --check` passed.
Independent reproduction attempt: I tried a local uninstalled `sshd` smoke run with temporary host key and built helper paths:
`./sshd -t -f /dev/null -h "$tmpdir/ssh_host_ed25519_key" -o SshdSessionPath="$PWD/sshd-session" -o SshdAuthPath="$PWD/sshd-auth" -o PidFile="$tmpdir/sshd.pid" -o ListenAddress=127.0.0.1 -p 22222`
It was blocked by the local environment: `Missing privilege separation directory: /var/empty`. Since the runtime signal was not independently reproduced, confidence remains `observed`.
## Review Pass 1
RESULT: fix-needed
## Findings
1. `auth2.c`: The patch relies on `ppoll()` returning `POLLERR`, `POLLHUP`, or `POLLNVAL` while `pfd.events = 0`, but OpenSSH portable’s local compatibility implementation explicitly does not support those revents. See `openbsd-compat/bsd-poll.c`: it documents that `POLLERR`, `POLLHUP`, and `POLLNVAL` are not supported, and its `pselect()` fallback only populates requested `POLLIN`, `POLLOUT`, and `POLLPRI`. On platforms using this compat path, the new code will just wait out the full timeout and never observe the peer close, so the mitigation is not upstream-portable as written. Use a pattern that works with OpenSSH’s compat APIs or explicitly justify and guard native-only behavior.
2. `## Validation`: The authored response reports `./configure && make` and a smoke attempt, but project docs list `make tests` as the release/regression entrypoint (`README.md`, `regress/README.regress`, and `Makefile` has a `tests` target). Since the patch changes authentication behavior, validation should either run `make tests` or report the exact command and blocker.
## Refinement Pass 1
Subject: sshd-auth: interrupt auth failure delay on peer close
## Commit Message
After a failed authentication request, `sshd-auth` enforces a delay before sending failure. Make that delay wake when the client connection is closed, while preserving the delay for live clients.
## Evidence Confidence
observed
## Issue Connection
Fixer observed `sshd-auth` sleeping in `clock_nanosleep`, then writing to the client fd, polling it, and finally seeing `ECONNRESET`. `/proc` showed the process was sleeping with low CPU, so the likely root cause is delayed cleanup after the peer disconnects during the authentication failure delay, not a reproduced CPU runaway. This failure was observed by Fixer and not independently reproduced.
The code-level cause is that `ensure_minimum_time_since()` used unconditional `nanosleep()`, so a preauth child could wait out the whole delay before discovering that the client had already gone away. I changed it to wait with `ppoll()` on `ssh_packet_get_connection_in(ssh)`, request `POLLIN` for portable `ppoll()` compatibility, and use `recv(..., MSG_PEEK)` to distinguish EOF from queued data without consuming SSH packet input. The expected effect is that a peer close during the auth failure delay returns through the existing dispatch error path instead of waiting and then writing to a reset socket.
Review findings addressed: the patch no longer relies on unsupported compat `POLLHUP`/`POLLERR` reporting with no requested events, and `make tests` was run and its environment blocker is reported. I also kept the short comment explaining the `POLLIN` plus peek invariant.
Local conventions checked: `README.md` documents `./configure && make tests`; nearby code uses `ppoll()`, `monotime_double()`, `ssh_packet_get_connection_in()`, `debug3_f()`, and `SSH_ERR_*`. `misc.c` has `waitrfd()` and `ptimeout` helpers, but `waitrfd()` would spin on already queued live-client input here, so the local bounded loop is used instead.
## Git Add Paths
auth2.c
## Validation
`./configure && make` passed from the workspace root.
`make tests` was attempted from the workspace root. `file-tests` passed, then `t-exec` failed because the local test environment cannot start the proxy sshd: `Unsupported option UsePAM`, `Missing privilege separation directory: /var/empty`, `FATAL: sshd_proxy broken`.
`make sshd-auth` passed after refinement.
`git diff --check` passed.
Independent reproduction attempt: a local `./sshd -t` smoke command with temporary host key and built `SshdSessionPath`/`SshdAuthPath` was blocked by `Missing privilege separation directory: /var/empty`, so confidence remains `observed`.
## Review Pass 2
RESULT: ok
No blocking findings. `## Git Add Paths` matches the workspace diff exactly (`auth2.c`), and `## Issue Connection` explains the only shipped functional file.
The refinement addresses the prior portability issue by requesting `POLLIN` and using `MSG_PEEK` instead of relying on unsupported compat `POLLHUP`/`POLLERR` behavior. Validation is acceptable: project build was attempted, `make tests` was run with a concrete environment blocker, and focused rebuild/checks are reported.
Diff
diff --git a/auth2.c b/auth2.c
index 80f766e..55b2b71 100644
--- a/auth2.c
+++ b/auth2.c
@@ -31,6 +31,7 @@
#include <fcntl.h>
#include <limits.h>
+#include <poll.h>
#include <pwd.h>
#include <stdarg.h>
#include <string.h>
@@ -244,27 +245,76 @@ user_specific_delay(const char *user)
return MIN_FAIL_DELAY_SECONDS + delay;
}
-static void
-ensure_minimum_time_since(double start, double seconds)
+static int
+ensure_minimum_time_since(struct ssh *ssh, double start, double seconds)
{
struct timespec ts;
+ struct pollfd pfd;
double elapsed = monotime_double() - start, req = seconds, remain;
+ ssize_t n;
+ char c;
if (elapsed > MAX_FAIL_DELAY_SECONDS) {
debug3_f("elapsed %0.3lfms exceeded the max delay "
"requested %0.3lfms)", elapsed*1000, req*1000);
- return;
+ return 0;
}
/* if we've already passed the requested time, scale up */
while ((remain = seconds - elapsed) < 0.0)
seconds *= 2;
- ts.tv_sec = remain;
- ts.tv_nsec = (remain - ts.tv_sec) * 1000000000;
debug3_f("elapsed %0.3lfms, delaying %0.3lfms (requested %0.3lfms)",
elapsed*1000, remain*1000, req*1000);
- nanosleep(&ts, NULL);
+
+ pfd.fd = ssh_packet_get_connection_in(ssh);
+ /*
+ * Portable ppoll() compatibility reports requested events only.
+ * EOF is readable, so request POLLIN and peek without consuming data.
+ */
+ pfd.events = POLLIN;
+ while (remain > 0.0) {
+ ts.tv_sec = remain;
+ ts.tv_nsec = (remain - ts.tv_sec) * 1000000000;
+ pfd.revents = 0;
+ if (ppoll(&pfd, 1, &ts, NULL) == -1) {
+ if (errno != EAGAIN && errno != EINTR &&
+ errno != EWOULDBLOCK)
+ return SSH_ERR_SYSTEM_ERROR;
+ } else if (pfd.revents & POLLNVAL) {
+ errno = EBADF;
+ return SSH_ERR_SYSTEM_ERROR;
+ } else if (pfd.revents & (POLLIN|POLLERR|POLLHUP)) {
+ n = recv(pfd.fd, &c, 1, MSG_PEEK);
+ if (n == 0) {
+ debug3_f("peer disconnected during auth "
+ "failure delay");
+ return SSH_ERR_CONN_CLOSED;
+ }
+ if (n == -1) {
+ if (errno != EAGAIN && errno != EINTR &&
+ errno != EWOULDBLOCK)
+ return SSH_ERR_SYSTEM_ERROR;
+ } else {
+ /*
+ * Input is queued from a live client. Leave
+ * it queued and finish the remaining delay
+ * without polling it again, otherwise we would
+ * spin on the same byte.
+ */
+ remain = seconds - (monotime_double() - start);
+ if (remain > 0.0) {
+ ts.tv_sec = remain;
+ ts.tv_nsec = (remain - ts.tv_sec) *
+ 1000000000;
+ nanosleep(&ts, NULL);
+ }
+ break;
+ }
+ }
+ remain = seconds - (monotime_double() - start);
+ }
+ return 0;
}
static int
@@ -353,9 +403,11 @@ input_userauth_request(int type, uint32_t seq, struct ssh *ssh)
debug2("input_userauth_request: try method %s", method);
authenticated = m->userauth(ssh, method);
}
- if (!authctxt->authenticated && strcmp(method, "none") != 0)
- ensure_minimum_time_since(tstart,
- user_specific_delay(authctxt->user));
+ if (!authctxt->authenticated && strcmp(method, "none") != 0) {
+ if ((r = ensure_minimum_time_since(ssh, tstart,
+ user_specific_delay(authctxt->user))) != 0)
+ goto out;
+ }
userauth_finish(ssh, authenticated, method, NULL);
r = 0;
out: