sshd blocking SIGALARM turns out to be due to tcpd

Wietse Venema wietse at
Thu Mar 2 08:41:49 EST 2006

Ian Jackson:
> I recently encountered a bug where some ssh login sessions would
> apparently inherit a blocked SIGALRM.  A web search showed up two
> relevant threads:
> et seq - but sadly no answers.
> Experimentation with strace et al revealed the problem: the
> tcp-wrappers build I was using would use alarm(2) to time out of the
> ident (RFC931/1413) lookup, but failed to properly use sigsetjmp.  I
> was using (basically) the Debian package (describing itself as version
> `7.6.dbs-8'), which had been patched to use sigsetjmp instead of plain
> setjmp but passed 0 for the 2nd argument.  Changing it to pass 1 made
> it work.
> I have reported this bug to the Debian BTS and they will no doubt be
> passing it upstream more formally eventually, but I thought that since
> this problem is so mysterious I would document at least one possible
> cause in places where the symptoms had been seen already.  See:
> which contains a patch.

This could be introduced by third parties. The tcp wrapper does this:

        if (setjmp(timebuf) == 0) {
            signal(SIGALRM, timeout);
	    ... stuff ...

Thus,  no dangling signal handlers.


More information about the openssh-unix-dev mailing list