From nobody Tue Feb 7 00:07:54 2023
Date: Tue, 7 Feb 2023 00:07:54 GMT
Message-Id: <202302070007.31707sqe008584@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Ed Maste
Subject: git: 77934b7a1301 - main - ssh: default X11Forwarding to no, following upstream
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all

The branch main has been updated by emaste:

URL: https://cgit.FreeBSD.org/src/commit/?id=77934b7a1301737edcd3518f1af99a387b3068ae

commit 77934b7a1301737edcd3518f1af99a387b3068ae
Author:     Ed Maste
AuthorDate: 2022-11-14 20:24:54 +0000
Commit:     Ed Maste
CommitDate: 2023-02-06 23:41:10 +0000

    ssh: default X11Forwarding to no, following upstream

    Administrators can enable it if required.

    Reviewed by:    bz, kevans
    Relnotes:       Yes
    Sponsored by:   The FreeBSD Foundation
    Differential Revision:  https://reviews.freebsd.org/D37411
---
 UPDATING                       | 5 +++++
 crypto/openssh/FREEBSD-upgrade | 1 -
 crypto/openssh/servconf.c      | 2 +-
 crypto/openssh/sshd_config     | 2 +-
 crypto/openssh/sshd_config.5   | 2 +-
 5 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/UPDATING b/UPDATING
index 4623d1a5343c..069be7562516 100644
--- a/UPDATING
+++ b/UPDATING
@@ -27,6 +27,11 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 14.x IS SLOW: world, or to merely disable the most expensive debugging functionality at runtime, run "ln -s 'abort:false,junk:false' /etc/malloc.conf".) +20230206: + sshd now defaults to having X11Forwarding disabled, following upstream. + Administrators who wish to enable X11Forwarding should add + `X11Forwarding yes` to /etc/ssh/sshd_config. + 20230130: As of commit 7c40e2d5f685, the dependency on netlink(4) has been added to the linux_common(4) module. Users relying on linux_common may need diff --git a/crypto/openssh/FREEBSD-upgrade b/crypto/openssh/FREEBSD-upgrade index f4be34754af7..5f0e399deb04 100644 --- a/crypto/openssh/FREEBSD-upgrade +++ b/crypto/openssh/FREEBSD-upgrade @@ -113,7 +113,6 @@ - UsePAM defaults to "yes". - PermitRootLogin defaults to "no". - - X11Forwarding defaults to "yes". - PasswordAuthentication defaults to "no". - VersionAddendum defaults to "FreeBSD-YYYYMMDD". - UseDNS defaults to "yes". diff --git a/crypto/openssh/servconf.c b/crypto/openssh/servconf.c index 0bffed7b582e..d3aa1eaea93b 100644 --- a/crypto/openssh/servconf.c +++ b/crypto/openssh/servconf.c @@ -331,7 +331,7 @@ fill_default_server_options(ServerOptions *options) if (options->print_lastlog == -1) options->print_lastlog = 1; if (options->x11_forwarding == -1) - options->x11_forwarding = 1; + options->x11_forwarding = 0; if (options->x11_display_offset == -1) options->x11_display_offset = 10; if (options->x11_use_localhost == -1) diff --git a/crypto/openssh/sshd_config b/crypto/openssh/sshd_config index 5e7cdbdfe04f..581aa9e73d48 100644 --- a/crypto/openssh/sshd_config +++ b/crypto/openssh/sshd_config @@ -88,7 +88,7 @@ AuthorizedKeysFile .ssh/authorized_keys #AllowAgentForwarding yes #AllowTcpForwarding yes #GatewayPorts no -#X11Forwarding yes +#X11Forwarding no #X11DisplayOffset 10 #X11UseLocalhost yes #PermitTTY yes 
diff --git a/crypto/openssh/sshd_config.5 b/crypto/openssh/sshd_config.5 index 573b9d84e813..3a25e048889b 100644 --- a/crypto/openssh/sshd_config.5 +++ b/crypto/openssh/sshd_config.5 @@ -1932,7 +1932,7 @@ The argument must be or .Cm no . The default is -.Cm yes . +.Cm no . .Pp When X11 forwarding is enabled, there may be additional exposure to the server and to client displays if the
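Review bot: The UPDATING entry (20230206 hunk) should spell out that the new default only applies where sshd_config does not set the option at all; a stock config carries only the commented `#X11Forwarding yes` line, which sets nothing, so such hosts silently lose X11 forwarding after the upgrade, while a config with an explicit, uncommented `X11Forwarding yes` keeps it. Suggest wording like "sshd now defaults to X11Forwarding disabled unless /etc/ssh/sshd_config explicitly sets `X11Forwarding yes`", which also tells admins what to check before upgrading.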
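Review bot: In the servconf.c hunk, `options->x11_forwarding = 0` in fill_default_server_options() makes the compiled-in default match upstream, and the FREEBSD-upgrade hunk correctly drops the `X11Forwarding defaults to "yes"` entry from the list of local deviations; the remaining deviations listed there (UsePAM, PermitRootLogin, PasswordAuthentication, VersionAddendum, UseDNS) are untouched, which is consistent with the commit's stated scope. The sshd_config and sshd_config.5 hunks change the documented default in step (`#X11Forwarding no` and `.Cm no .`), so the three places where the default is visible to an administrator (code, sample config, manual page) now agree.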