diff --git a/openssh-9.4p2-limit-delay.patch b/openssh-9.4p2-limit-delay.patch
new file mode 100644
index 0000000..009fcc7
--- /dev/null
+++ b/openssh-9.4p2-limit-delay.patch
@@ -0,0 +1,33 @@
+diff -u -p -r1.166 auth2.c
+--- a/auth2.c	8 Mar 2023 04:43:12 -0000	1.166
++++ b/auth2.c	28 Aug 2023 08:32:44 -0000
+@@ -208,6 +208,7 @@ input_service_request(int type, u_int32_
+ }
+ 
+ #define MIN_FAIL_DELAY_SECONDS 0.005
++#define MAX_FAIL_DELAY_SECONDS 5.0
+ static double
+ user_specific_delay(const char *user)
+ {
+@@ -233,6 +234,12 @@ ensure_minimum_time_since(double start, 
+ 	struct timespec ts;
+ 	double elapsed = monotime_double() - start, req = seconds, remain;
+ 
++	if (elapsed > MAX_FAIL_DELAY_SECONDS) {
++		debug3("elapsed %0.3lfms exceeded the max delay "
++		    "requested %0.3lfms)", elapsed*1000, req*1000);
++		return;
++	}
++
+ 	/* if we've already passed the requested time, scale up */
+ 	while ((remain = seconds - elapsed) < 0.0)
+ 		seconds *= 2;
+@@ -317,7 +324,7 @@ input_userauth_request(int type, u_int32
+ 		debug2("input_userauth_request: try method %s", method);
+ 		authenticated =	m->userauth(ssh);
+ 	}
+-	if (!authctxt->authenticated)
++	if (!authctxt->authenticated && strcmp(method, "none") != 0)
+ 		ensure_minimum_time_since(tstart,
+ 		    user_specific_delay(authctxt->user));
+ 	userauth_finish(ssh, authenticated, method, NULL);
diff --git a/openssh.spec b/openssh.spec
index 9d6ac2e..119998a 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -66,7 +66,7 @@
 
 # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
 %global openssh_ver 8.0p1
-%global openssh_rel 19
+%global openssh_rel 20
 %global pam_ssh_agent_ver 0.10.3
 %global pam_ssh_agent_rel 7
 
@@ -280,6 +280,8 @@ Patch987: openssh-8.0p1-ipv6-process.patch
 # upsream commit
 # b23fe83f06ee7e721033769cfa03ae840476d280
 Patch1015: openssh-9.3p1-upstream-cve-2023-38408.patch
+#upstream commit 01dbf3d46651b7d6ddf5e45d233839bbfffaeaec
+Patch1017: openssh-9.4p2-limit-delay.patch
 
 License: BSD
 Group: Applications/Internet
@@ -521,6 +523,7 @@ popd
 %patch100 -p1 -b .coverity
 
 %patch1015 -p1 -b .cve-2023-38408
+%patch1017 -p1 -b .limitdelay
 
 autoreconf
 pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver}
@@ -806,6 +809,10 @@ getent passwd sshd >/dev/null || \
 %endif
 
 %changelog
+* Mon Oct 30 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.0p1-20
+- Limit artificial delays in sshd while login using AD user
+  Resolves: RHEL-1684
+
 * Thu Aug 24 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.0p1-19
 - rebuilt
   Related: CVE-2023-38408