* Set X11Forwarding to yes in the default sshd_config (new installs only).

  At least when X11UseLocalhost is turned on, which is the default, the
  security risks of using X11 forwarding are risks to the client, not to
  the server (closes: #320104).

2 files changed, 5 insertions, 1 deletions

diff --git a/debian/changelog b/debian/changelog
index 4f1e2e392..d8e84e46d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -17,6 +17,10 @@ openssh (1:4.2p1-1) UNRELEASED; urgency=low
   * debian/rules: Resynchronise CFLAGS with that generated by configure.
   * openssh-client and openssh-server conflict with pre-split ssh to avoid
     problems when ssh is left un-upgraded (closes: #324695).
+  * Set X11Forwarding to yes in the default sshd_config (new installs only).
+    At least when X11UseLocalhost is turned on, which is the default, the
+    security risks of using X11 forwarding are risks to the client, not to
+    the server (closes: #320104).
 
  -- Colin Watson <cjwatson@debian.org>  Wed, 14 Sep 2005 13:35:17 +0100
 
diff --git a/debian/openssh-server.postinst b/debian/openssh-server.postinst
index ef1412ca7..3bff642a1 100644
--- a/debian/openssh-server.postinst
+++ b/debian/openssh-server.postinst
@@ -261,7 +261,7 @@ ChallengeResponseAuthentication no
 # Kerberos TGT Passing does only work with the AFS kaserver
 #KerberosTgtPassing yes
 
-X11Forwarding no
+X11Forwarding yes
 X11DisplayOffset 10
 PrintMotd no
 PrintLastLog yes