Date:      Tue, 7 Feb 2023 00:07:54 GMT
From:      Ed Maste <emaste@FreeBSD.org>
To:        src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
Subject:   git: 77934b7a1301 - main - ssh: default X11Forwarding to no, following upstream
Message-ID:  <202302070007.31707sqe008584@gitrepo.freebsd.org>

The branch main has been updated by emaste:

URL: https://cgit.FreeBSD.org/src/commit/?id=77934b7a1301737edcd3518f1af99a387b3068ae

commit 77934b7a1301737edcd3518f1af99a387b3068ae
Author:     Ed Maste <emaste@FreeBSD.org>
AuthorDate: 2022-11-14 20:24:54 +0000
Commit:     Ed Maste <emaste@FreeBSD.org>
CommitDate: 2023-02-06 23:41:10 +0000

    ssh: default X11Forwarding to no, following upstream
    
    Administrators can enable it if required.
    
    Reviewed by:    bz, kevans
    Relnotes:       Yes
    Sponsored by:   The FreeBSD Foundation
    Differential Revision:  https://reviews.freebsd.org/D37411
---
 UPDATING                       | 5 +++++
 crypto/openssh/FREEBSD-upgrade | 1 -
 crypto/openssh/servconf.c      | 2 +-
 crypto/openssh/sshd_config     | 2 +-
 crypto/openssh/sshd_config.5   | 2 +-
 5 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/UPDATING b/UPDATING
index 4623d1a5343c..069be7562516 100644
--- a/UPDATING
+++ b/UPDATING
@@ -27,6 +27,11 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 14.x IS SLOW:
 	world, or to merely disable the most expensive debugging functionality
 	at runtime, run "ln -s 'abort:false,junk:false' /etc/malloc.conf".)
 
+20230206:
+	sshd now defaults to having X11Forwarding disabled, following upstream.
+	Administrators who wish to enable X11Forwarding should add
+	`X11Forwarding yes` to /etc/ssh/sshd_config.
+
 20230130:
 	As of commit 7c40e2d5f685, the dependency on netlink(4) has been added
 	to the linux_common(4) module. Users relying on linux_common may need
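Review bot: The 20230206 entry quotes the directive with backticks (`X11Forwarding yes`), while the neighbouring text in this file quotes literal input with double quotes ("ln -s 'abort:false,junk:false' /etc/malloc.conf"); use double quotes here for consistency. The entry also stops at editing /etc/ssh/sshd_config; noting that sshd has to be reloaded or restarted before the setting takes effect would save administrators a step.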
diff --git a/crypto/openssh/FREEBSD-upgrade b/crypto/openssh/FREEBSD-upgrade
index f4be34754af7..5f0e399deb04 100644
--- a/crypto/openssh/FREEBSD-upgrade
+++ b/crypto/openssh/FREEBSD-upgrade
@@ -113,7 +113,6 @@
 
       - UsePAM defaults to "yes".
       - PermitRootLogin defaults to "no".
-      - X11Forwarding defaults to "yes".
       - PasswordAuthentication defaults to "no".
       - VersionAddendum defaults to "FreeBSD-YYYYMMDD".
       - UseDNS defaults to "yes".
diff --git a/crypto/openssh/servconf.c b/crypto/openssh/servconf.c
index 0bffed7b582e..d3aa1eaea93b 100644
--- a/crypto/openssh/servconf.c
+++ b/crypto/openssh/servconf.c
@@ -331,7 +331,7 @@ fill_default_server_options(ServerOptions *options)
 	if (options->print_lastlog == -1)
 		options->print_lastlog = 1;
 	if (options->x11_forwarding == -1)
-		options->x11_forwarding = 1;
+		options->x11_forwarding = 0;
 	if (options->x11_display_offset == -1)
 		options->x11_display_offset = 10;
 	if (options->x11_use_localhost == -1)
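Review bot: The new `options->x11_forwarding = 0;` is reached only when the option is still -1, that is, when sshd_config has no X11Forwarding line, so hosts that relied on the old implicit default lose X11 forwarding on upgrade without any message. The UPDATING text is addressed to administrators who "wish to enable" it; consider stating there that configurations with no X11Forwarding line are the ones affected, and that `sshd -T` prints the effective value for checking before and after the upgrade.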
diff --git a/crypto/openssh/sshd_config b/crypto/openssh/sshd_config
index 5e7cdbdfe04f..581aa9e73d48 100644
--- a/crypto/openssh/sshd_config
+++ b/crypto/openssh/sshd_config
@@ -88,7 +88,7 @@ AuthorizedKeysFile	.ssh/authorized_keys
 #AllowAgentForwarding yes
 #AllowTcpForwarding yes
 #GatewayPorts no
-#X11Forwarding yes
+#X11Forwarding no
 #X11DisplayOffset 10
 #X11UseLocalhost yes
 #PermitTTY yes
diff --git a/crypto/openssh/sshd_config.5 b/crypto/openssh/sshd_config.5
index 573b9d84e813..3a25e048889b 100644
--- a/crypto/openssh/sshd_config.5
+++ b/crypto/openssh/sshd_config.5
@@ -1932,7 +1932,7 @@ The argument must be
 or
 .Cm no .
 The default is
-.Cm yes .
+.Cm no .
 .Pp
 When X11 forwarding is enabled, there may be additional exposure to
 the server and to client displays if the


