I agree and I'm surprised OpenSSH developers did not remove the use of SIGALRM and replace it with a select/poll timer and an explicitly managed future event list. Likely more portable and safe by default from this class of bugs that has bitten ssh code more than one time now...
Defensive programming tells us to minimize code in signal handlers and the safest is to avoid using the signal at all when possible :).
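
The approach described in the comment above, as an added example that is not part of the comment and is not OpenSSH code: deadlines live in an explicit timer list, `poll()` sleeps until the earliest one, and expiry callbacks run in normal program context instead of inside a SIGALRM handler. The names `timer_add`, `timers_run`, `wait_readable`, `deadline_expired` and the 8-slot table are assumptions made for the illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <poll.h>
#include <time.h>
#define MAX_TIMERS 8   /* assumed table size for this sketch */
struct timer { long long deadline_ms; void (*fn)(void *); void *arg; int active; };
static struct timer timers[MAX_TIMERS];   /* the explicit future-event list */

static long long now_ms(void) {
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);   /* unaffected by wall-clock changes */
    return (long long)ts.tv_sec * 1000 + ts.tv_nsec / 1000000;
}

/* Schedule fn(arg) delay_ms from now. Returns the slot index, or -1 if full. */
int timer_add(int delay_ms, void (*fn)(void *), void *arg) {
    for (int i = 0; i < MAX_TIMERS; i++)
        if (!timers[i].active) {
            timers[i] = (struct timer){ now_ms() + delay_ms, fn, arg, 1 };
            return i;
        }
    return -1;
}

/* Run expired callbacks in normal context; return ms to next deadline or -1. */
static int timers_run(void) {
    long long now = now_ms(), next = -1;
    for (int i = 0; i < MAX_TIMERS; i++) {
        if (!timers[i].active) continue;
        if (timers[i].deadline_ms <= now) {
            timers[i].active = 0;
            timers[i].fn(timers[i].arg);   /* not a handler: any call is safe */
        } else if (next < 0 || timers[i].deadline_ms - now < next)
            next = timers[i].deadline_ms - now;
    }
    return (int)next;
}

void deadline_expired(void *arg) { *(int *)arg = 1; }   /* sample callback */

/* 1 = fd readable, 0 = deadline flagged in *expired, -1 = poll error. */
int wait_readable(int fd, int *expired) {
    struct pollfd p = { .fd = fd, .events = POLLIN };
    for (;;) {
        int timeout = timers_run();   /* -1 blocks until the fd is ready */
        if (*expired) return 0;
        int r = poll(&p, 1, timeout);
        if (r > 0) return 1;
        if (r < 0 && errno != EINTR) return -1;   /* EINTR: recompute, retry */
    }
}
```

Because the callback runs from the loop rather than asynchronously, it can log, free memory or close the connection without being restricted to async-signal-safe functions.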