aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorEd Maste <emaste@FreeBSD.org>2022-11-14 20:24:54 +0000
committerEd Maste <emaste@FreeBSD.org>2023-02-06 23:41:10 +0000
commit77934b7a1301737edcd3518f1af99a387b3068ae (patch)
treea0e07b756cbf06d55b7d1889f836a73a89f297cb
parentd22c5c42e8ad1ad07a206e0e8d06c53326c12fd4 (diff)
downloadsrc-77934b7a1301.tar.gz
src-77934b7a1301.zip
ssh: default X11Forwarding to no, following upstream
Administrators can enable it if required. Reviewed by: bz, kevans Relnotes: Yes Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D37411
-rw-r--r--UPDATING5
-rw-r--r--crypto/openssh/FREEBSD-upgrade1
-rw-r--r--crypto/openssh/servconf.c2
-rw-r--r--crypto/openssh/sshd_config2
-rw-r--r--crypto/openssh/sshd_config.52
5 files changed, 8 insertions, 4 deletions
diff --git a/UPDATING b/UPDATING
index 4623d1a5343c..069be7562516 100644
--- a/UPDATING
+++ b/UPDATING
@@ -27,6 +27,11 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 14.x IS SLOW:
world, or to merely disable the most expensive debugging functionality
at runtime, run "ln -s 'abort:false,junk:false' /etc/malloc.conf".)
+20230206:
+ sshd now defaults to having X11Forwarding disabled, following upstream.
+ Administrators who wish to enable X11Forwarding should add
+ `X11Forwarding yes` to /etc/ssh/sshd_config.
+
20230130:
As of commit 7c40e2d5f685, the dependency on netlink(4) has been added
to the linux_common(4) module. Users relying on linux_common may need
diff --git a/crypto/openssh/FREEBSD-upgrade b/crypto/openssh/FREEBSD-upgrade
index f4be34754af7..5f0e399deb04 100644
--- a/crypto/openssh/FREEBSD-upgrade
+++ b/crypto/openssh/FREEBSD-upgrade
@@ -113,7 +113,6 @@
- UsePAM defaults to "yes".
- PermitRootLogin defaults to "no".
- - X11Forwarding defaults to "yes".
- PasswordAuthentication defaults to "no".
- VersionAddendum defaults to "FreeBSD-YYYYMMDD".
- UseDNS defaults to "yes".
diff --git a/crypto/openssh/servconf.c b/crypto/openssh/servconf.c
index 0bffed7b582e..d3aa1eaea93b 100644
--- a/crypto/openssh/servconf.c
+++ b/crypto/openssh/servconf.c
@@ -331,7 +331,7 @@ fill_default_server_options(ServerOptions *options)
if (options->print_lastlog == -1)
options->print_lastlog = 1;
if (options->x11_forwarding == -1)
- options->x11_forwarding = 1;
+ options->x11_forwarding = 0;
if (options->x11_display_offset == -1)
options->x11_display_offset = 10;
if (options->x11_use_localhost == -1)
diff --git a/crypto/openssh/sshd_config b/crypto/openssh/sshd_config
index 5e7cdbdfe04f..581aa9e73d48 100644
--- a/crypto/openssh/sshd_config
+++ b/crypto/openssh/sshd_config
@@ -88,7 +88,7 @@ AuthorizedKeysFile .ssh/authorized_keys
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
-#X11Forwarding yes
+#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
diff --git a/crypto/openssh/sshd_config.5 b/crypto/openssh/sshd_config.5
index 573b9d84e813..3a25e048889b 100644
--- a/crypto/openssh/sshd_config.5
+++ b/crypto/openssh/sshd_config.5
@@ -1932,7 +1932,7 @@ The argument must be
or
.Cm no .
The default is
-.Cm yes .
+.Cm no .
.Pp
When X11 forwarding is enabled, there may be additional exposure to
the server and to client displays if the