author | Ed Maste <emaste@FreeBSD.org> | 2022-11-14 20:24:54 +0000 |
---|---|---|
committer | Ed Maste <emaste@FreeBSD.org> | 2023-02-06 23:41:10 +0000 |
commit | 77934b7a1301737edcd3518f1af99a387b3068ae (patch) | |
tree | a0e07b756cbf06d55b7d1889f836a73a89f297cb | |
parent | d22c5c42e8ad1ad07a206e0e8d06c53326c12fd4 (diff) | |
download | src-77934b7a1301.tar.gz src-77934b7a1301.zip |
ssh: default X11Forwarding to no, following upstream
Administrators can enable it if required.
Reviewed by: bz, kevans
Relnotes: Yes
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D37411
-rw-r--r-- | UPDATING | 5 | ||||
-rw-r--r-- | crypto/openssh/FREEBSD-upgrade | 1 | ||||
-rw-r--r-- | crypto/openssh/servconf.c | 2 | ||||
-rw-r--r-- | crypto/openssh/sshd_config | 2 | ||||
-rw-r--r-- | crypto/openssh/sshd_config.5 | 2 |
5 files changed, 8 insertions, 4 deletions
@@ -27,6 +27,11 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 14.x IS SLOW: world, or to merely disable the most expensive debugging functionality at runtime, run "ln -s 'abort:false,junk:false' /etc/malloc.conf".) +20230206: + sshd now defaults to having X11Forwarding disabled, following upstream. + Administrators who wish to enable X11Forwarding should add + `X11Forwarding yes` to /etc/ssh/sshd_config. + 20230130: As of commit 7c40e2d5f685, the dependency on netlink(4) has been added to the linux_common(4) module. Users relying on linux_common may need diff --git a/crypto/openssh/FREEBSD-upgrade b/crypto/openssh/FREEBSD-upgrade index f4be34754af7..5f0e399deb04 100644 --- a/crypto/openssh/FREEBSD-upgrade +++ b/crypto/openssh/FREEBSD-upgrade @@ -113,7 +113,6 @@ - UsePAM defaults to "yes". - PermitRootLogin defaults to "no". - - X11Forwarding defaults to "yes". - PasswordAuthentication defaults to "no". - VersionAddendum defaults to "FreeBSD-YYYYMMDD". - UseDNS defaults to "yes". diff --git a/crypto/openssh/servconf.c b/crypto/openssh/servconf.c index 0bffed7b582e..d3aa1eaea93b 100644 --- a/crypto/openssh/servconf.c +++ b/crypto/openssh/servconf.c @@ -331,7 +331,7 @@ fill_default_server_options(ServerOptions *options) if (options->print_lastlog == -1) options->print_lastlog = 1; if (options->x11_forwarding == -1) - options->x11_forwarding = 1; + options->x11_forwarding = 0; if (options->x11_display_offset == -1) options->x11_display_offset = 10; if (options->x11_use_localhost == -1) diff --git a/crypto/openssh/sshd_config b/crypto/openssh/sshd_config index 5e7cdbdfe04f..581aa9e73d48 100644 --- a/crypto/openssh/sshd_config +++ b/crypto/openssh/sshd_config @@ -88,7 +88,7 @@ AuthorizedKeysFile .ssh/authorized_keys #AllowAgentForwarding yes #AllowTcpForwarding yes #GatewayPorts no -#X11Forwarding yes +#X11Forwarding no #X11DisplayOffset 10 #X11UseLocalhost yes #PermitTTY yes 
diff --git a/crypto/openssh/sshd_config.5 b/crypto/openssh/sshd_config.5 index 573b9d84e813..3a25e048889b 100644 --- a/crypto/openssh/sshd_config.5 +++ b/crypto/openssh/sshd_config.5 @@ -1932,7 +1932,7 @@ The argument must be or .Cm no . The default is -.Cm yes . +.Cm no . .Pp When X11 forwarding is enabled, there may be additional exposure to the server and to client displays if the |
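Review bot: the 20230206 entry in UPDATING does not say which systems are affected. The servconf.c hunk applies the new value only when `options->x11_forwarding == -1`, so a host whose sshd_config already sets X11Forwarding keeps its current behaviour, while a host relying on the compiled-in default loses X11 forwarding after the upgrade. Suggest stating that in the entry, and adding that sshd must be restarted or reloaded after editing /etc/ssh/sshd_config. Style: the entry puts `X11Forwarding yes` in backticks, while the neighbouring text in the same file quotes literal input with double quotes ("ln -s ..."); use one convention.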
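Review bot: the default is now stated in three places (`options->x11_forwarding = 0` in servconf.c, the commented `#X11Forwarding no` in sshd_config, and `.Cm no .` in sshd_config.5), and the FREEBSD-upgrade hunk drops the line that recorded the old local default. These hunks agree with each other, but the sshd_config.5 hunk shows only the one sentence that changed. Before merging, check the rest of that X11Forwarding section and any other FreeBSD-specific text in the page for a remaining reference to a default of yes.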