File openssh-7.6p1-X11_trusted_forwarding.patch of Package openssh.10835

# HG changeset patch
# Parent  c004421528bc443fa9a56db1123005c92014e6b3
# enable trusted X11 forwarding by default in both sshd and sshsystem-wide
# configuration
# bnc#50836 (was suse #35836)
Enable Trusted X11 forwarding by default, since the security benefits of
having it disabled are negligible these days with XI2 being widely used.

Index: openssh-7.6p1/ssh_config
===================================================================
--- openssh-7.6p1.orig/ssh_config	2019-03-12 14:34:00.787393202 +0100
+++ openssh-7.6p1/ssh_config	2019-03-12 14:34:14.191467868 +0100
@@ -17,9 +17,20 @@
 # list of available options, their meanings and defaults, please see the
 # ssh_config(5) man page.
 
-# Host *
+Host *
 #   ForwardAgent no
 #   ForwardX11 no
+
+# If you do not trust your remote host (or its administrator), you
+# should not forward X11 connections to your local X11-display for
+# security reasons: Someone stealing the authentification data on the
+# remote side (the "spoofed" X-server by the remote sshd) can read your
+# keystrokes as you type, just like any other X11 client could do.
+# Set this to "no" here for global effect or in your own ~/.ssh/config
+# file if you want to have the remote X11 authentification data to 
+# expire after twenty minutes after remote login.
+    ForwardX11Trusted yes
+
 #   PasswordAuthentication yes
 #   HostbasedAuthentication no
 #   GSSAPIAuthentication no
Index: openssh-7.6p1/sshd_config
===================================================================
--- openssh-7.6p1.orig/sshd_config	2019-03-12 14:34:04.255412520 +0100
+++ openssh-7.6p1/sshd_config	2019-03-12 14:34:14.191467868 +0100
@@ -85,7 +85,7 @@ AuthorizedKeysFile	.ssh/authorized_keys
 #AllowAgentForwarding yes
 #AllowTcpForwarding yes
 #GatewayPorts no
-#X11Forwarding no
+X11Forwarding yes
 #X11DisplayOffset 10
 #X11UseLocalhost yes
 #PermitTTY yes