Index: sshd-session.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/sshd-session.c,v
diff -u -p -r1.4 sshd-session.c
--- sshd-session.c	26 Jun 2024 23:16:52 -0000	1.4
+++ sshd-session.c	2 Jul 2024 02:10:09 -0000
@@ -813,6 +813,7 @@ main(int ac, char **av)
 	struct connection_info *connection_info = NULL;
 	sigset_t sigmask;
 	uint64_t timing_secret = 0;
+	struct itimerval itv;
 
 	sigemptyset(&sigmask);
 	sigprocmask(SIG_SETMASK, &sigmask, NULL);
@@ -1176,8 +1177,17 @@ main(int ac, char **av)
 	 * are about to discover the bug.
 	 */
 	ssh_signal(SIGALRM, grace_alarm_handler);
-	if (!debug_flag)
-		alarm(options.login_grace_time);
+	if (!debug_flag && options.login_grace_time > 0) {
+		int ujitter = arc4random_uniform(4 * 1000000);
+
+		timerclear(&itv.it_interval);
+		itv.it_value.tv_sec = options.login_grace_time;
+		itv.it_value.tv_sec += ujitter / 1000000;
+		itv.it_value.tv_usec = ujitter % 1000000; 
+
+		if (setitimer(ITIMER_REAL, &itv, NULL) == -1)
+			fatal("login grace time setitimer failed");
+	}
 
 	if ((r = kex_exchange_identification(ssh, -1,
 	    options.version_addendum)) != 0)
@@ -1221,7 +1231,10 @@ main(int ac, char **av)
 	 * Cancel the alarm we set to limit the time taken for
 	 * authentication.
 	 */
-	alarm(0);
+	timerclear(&itv.it_interval);
+	timerclear(&itv.it_value);
+	if (setitimer(ITIMER_REAL, &itv, NULL) == -1)
+		fatal("login grace time clear failed");
 	ssh_signal(SIGALRM, SIG_DFL);
 	authctxt->authenticated = 1;
 	if (startup_pipe != -1) {