From: Tomasz Pala
Date: Tue, 23 Aug 2016 05:59:32 +0000 (+0200)
Subject: do not lower ssh client security by default
X-Git-Tag: auto/th/openssh-7.3p1-2~1
X-Git-Url: http://git.pld-linux.org/gitweb.cgi?a=commitdiff_plain;h=ae957f1bc3196e53edce28c17e1f35232638e733;p=packages%2Fopenssh.git

do not lower ssh client security by default

ForwardX11Trusted might be enabled on the command line by using -Y instead of -X, so there's no real need for making it the system-wide(!) default.

Moreover, the rationale behind trusting the remote party might be obsolete:
http://dailypackage.fedorabook.com/index.php?/archives/48-Wednesday-Why-Trusted-and-Untrusted-X11-Forwarding-with-SSH.html

Either way, trusting some potentially malicious (especially without StrictHostKeyChecking) remote side MUST be a conscious decision.
---
diff --git a/openssh-config.patch b/openssh-config.patch
index 4d35a03..4bc53c3 100644
--- a/openssh-config.patch
+++ b/openssh-config.patch
@@ -81,7 +81,7 @@
 # BatchMode no
 # CheckHostIP yes
 # AddressFamily any
-@@ -42,3 +45,19 @@
+@@ -42,3 +45,18 @@
 # VisualHostKey no
 # ProxyCommand ssh -q -W %h:%p gateway.example.com
 # RekeyLimit 1G 1h
@@ -89,10 +89,9 @@
 +Host *
 + GSSAPIAuthentication yes
 +# If this option is set to yes then remote X11 clients will have full access
-+# to the original X11 display. As virtually no X11 client supports the untrusted
-+# mode correctly we set this to yes.
-+ ForwardX11Trusted yes
-+ StrictHostKeyChecking no
++# to the original X11 server. As some X11 clients don't support the untrusted
++# mode correctly, you might consider changing this to 'yes' or using '-Y'.
++# ForwardX11Trusted no
+ ServerAliveInterval 60
+ ServerAliveCountMax 10
+ TCPKeepAlive no
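Review bot: the nested hunk header in the first hunk is changed from `+45,19` to `+45,18`, which does match the net effect of the second hunk (four `-+` lines dropped, three `++` lines added, so the inner patch shrinks by exactly one line), but since a miscount here makes the nested patch fail to apply at build time rather than merely misconfiguring the client, please confirm with a dry-run apply of openssh-config.patch against the upstream ssh_config before merging.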
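Review bot: in the second hunk `ForwardX11Trusted` is left commented out (`++# ForwardX11Trusted no`), so the shipped ssh_config no longer sets the option at all and the effective value is whatever default the ssh binary was built with; if the point of the change is to guarantee untrusted forwarding as the system-wide default, the line should be active, i.e. `+ ForwardX11Trusted no`, with the comment above it kept as the rationale. The same hunk also deletes `-+ StrictHostKeyChecking no` without a replacement, which is a second, independent behaviour change for every user of the package, yet the commit message mentions StrictHostKeyChecking only in a parenthesis; that removal should be stated explicitly in the message (and in the package changelog) so the change is discoverable by anyone who relied on the old setting.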