git.pld-linux.org Git - packages/openssh.git/commitdiff
do not lower ssh client security by default
author: Tomasz Pala <gotar@pld-linux.org>
Tue, 23 Aug 2016 05:59:32 +0000 (07:59 +0200)
committer: Tomasz Pala <gotar@pld-linux.org>
Tue, 23 Aug 2016 05:59:32 +0000 (07:59 +0200)
ForwardX11Trusted might be enabled on the command line by using -Y instead
of -X, so there's no real need for making it the system-wide(!) default.
Moreover, the rationale behind trusting the remote party might be obsolete:
http://dailypackage.fedorabook.com/index.php?/archives/48-Wednesday-Why-Trusted-and-Untrusted-X11-Forwarding-with-SSH.html
Either way, trusting some potentially malicious (especially without
StrictHostKeyChecking) remote side MUST be a conscious decision.

openssh-config.patch

index 4d35a03ba42f6527a30f612b97d61282d652986b..4bc53c37c2f0b2f02de01beed8f9fb503a63241a 100644 (file)
@@ -81,7 +81,7 @@
  #   BatchMode no
  #   CheckHostIP yes
  #   AddressFamily any
-@@ -42,3 +45,19 @@
+@@ -42,3 +45,18 @@
  #   VisualHostKey no
  #   ProxyCommand ssh -q -W %h:%p gateway.example.com
  #   RekeyLimit 1G 1h
 +Host *
 +      GSSAPIAuthentication yes
 +# If this option is set to yes then remote X11 clients will have full access
-+# to the original X11 display. As virtually no X11 client supports the untrusted
-+# mode correctly we set this to yes.
-+      ForwardX11Trusted yes
-+      StrictHostKeyChecking no
++# to the original X11 server. As some X11 clients don't support the untrusted
++# mode correctly, you might consider changing this to 'yes' or using '-Y'.
++#     ForwardX11Trusted no
 +      ServerAliveInterval 60
 +      ServerAliveCountMax 10
 +      TCPKeepAlive no
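Review bot: besides flipping ForwardX11Trusted, this hunk also drops the `+      StrictHostKeyChecking no` line from the shipped config, which re-enables host key verification for every user; the commit message only mentions StrictHostKeyChecking in passing, so state that second behaviour change explicitly there. The inner hunk header update (`+45,19` to `+45,18`) is consistent with four removed and three added lines. One wording nit: the new comment says "changing this to 'yes'", but the directive below it is now commented out (`#     ForwardX11Trusted no`), so a user must also remove the leading `#`; "uncommenting this and setting it to 'yes'" would avoid a silent no-op edit.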