# Host *
# ForwardAgent no
# ForwardX11 no
-+# ForwardX11Trusted yes
++# ForwardX11Trusted no
# RhostsRSAAuthentication no
# RSAAuthentication yes
# PasswordAuthentication yes
# BatchMode no
# CheckHostIP yes
# AddressFamily any
-@@ -42,3 +45,22 @@
+@@ -42,3 +45,19 @@
# VisualHostKey no
# ProxyCommand ssh -q -W %h:%p gateway.example.com
# RekeyLimit 1G 1h
+
+Host *
+ GSSAPIAuthentication yes
-+ GSSAPIDelegateCredentials no
-+ ForwardAgent no
-+ ForwardX11 no
+# If this option is set to yes then remote X11 clients will have full access
+# to the original X11 display. As virtually no X11 client supports the untrusted
+# mode correctly we set this to yes.