Hey, it looks like in sshkey_save_public() the same fd will be closed twice if the first fclose() returns something other than 0.
The patch below should make sure everything only gets closed once. I moved the close() call and refactored a bit to improve readability. Index: authfile.c =================================================================== RCS file: /cvs/src/usr.bin/ssh/authfile.c,v retrieving revision 1.142 diff -u -p -r1.142 authfile.c --- authfile.c 1 Jan 2022 01:55:30 -0000 1.142 +++ authfile.c 10 May 2022 21:38:29 -0000 @@ -496,20 +496,25 @@ sshkey_save_public(const struct sshkey * return SSH_ERR_SYSTEM_ERROR; if ((f = fdopen(fd, "w")) == NULL) { r = SSH_ERR_SYSTEM_ERROR; + close(fd); goto fail; } if ((r = sshkey_write(key, f)) != 0) goto fail; fprintf(f, " %s\n", comment); - if (ferror(f) || fclose(f) != 0) { + if (ferror(f)) { r = SSH_ERR_SYSTEM_ERROR; + goto fail; + } + if (fclose(f) != 0) { + r = SSH_ERR_SYSTEM_ERROR; + f = NULL; fail: - oerrno = errno; - if (f != NULL) + if (f != NULL) { + oerrno = errno; fclose(f); - else - close(fd); - errno = oerrno; + errno = oerrno; + } return r; } return 0;