File openssh-7.2p2-X11_trusted_forwarding.patch of Package openssh.29886
From 75a66836d0efe9dad59b0160dd203e4bf8c47cc9 Mon Sep 17 00:00:00 2001 From: Old openssh patches <pcerny@suse.com> Date: Tue, 25 Oct 2022 18:52:50 +0200 Subject: [PATCH] openssh-7.2p2-X11_trusted_forwarding # HG changeset patch # Parent 7197d7a6b7c90566c68e980b5f8b937c183e79d0 # enable trusted X11 forwarding by default in both sshd and sshsystem-wide # configuration # bnc#50836 (was suse #35836) Enable Trusted X11 forwarding by default, since the security benefits of having it disabled are negligible these days with XI2 being widely used. --- ssh_config | 13 ++++++++++++- sshd_config | 2 +- 2 files changed, 13 insertions(+), 2 deletions(-) diff --git a/ssh_config b/ssh_config index 90fb63f0..e9a769df 100644 --- a/ssh_config +++ b/ssh_config @@ -17,9 +17,20 @@ # list of available options, their meanings and defaults, please see the # ssh_config(5) man page. -# Host * +Host * # ForwardAgent no # ForwardX11 no + +# If you do not trust your remote host (or its administrator), you +# should not forward X11 connections to your local X11-display for +# security reasons: Someone stealing the authentification data on the +# remote side (the "spoofed" X-server by the remote sshd) can read your +# keystrokes as you type, just like any other X11 client could do. +# Set this to "no" here for global effect or in your own ~/.ssh/config +# file if you want to have the remote X11 authentification data to +# expire after twenty minutes after remote login. + ForwardX11Trusted yes + # RhostsRSAAuthentication no # RSAAuthentication yes # PasswordAuthentication yes diff --git a/sshd_config b/sshd_config index 751d3897..59f3bbb0 100644 --- a/sshd_config +++ b/sshd_config @@ -99,7 +99,7 @@ AuthorizedKeysFile .ssh/authorized_keys #AllowAgentForwarding yes #AllowTcpForwarding yes #GatewayPorts no -#X11Forwarding no +X11Forwarding yes #X11DisplayOffset 10 #X11UseLocalhost yes #PermitTTY yes -- 2.38.0
