ssh(1): Explain that -Y is equivalent to -X

Closes: #951640

12 files changed, 32 insertions, 24 deletions

diff --git a/debian/.git-dpm b/debian/.git-dpm
index 824b73ce4..07406955d 100644
--- a/debian/.git-dpm
+++ b/debian/.git-dpm
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-489e04f2c23327dd95981327d8757144a4e574af
-489e04f2c23327dd95981327d8757144a4e574af
+2e128b223e8e73ace57a0726130bfbcf920d0f9e
+2e128b223e8e73ace57a0726130bfbcf920d0f9e
 4213eec74e74de6310c27a40c3e9759a08a73996
 4213eec74e74de6310c27a40c3e9759a08a73996
 openssh_8.1p1.orig.tar.gz
diff --git a/debian/changelog b/debian/changelog
index 13534dddb..fd967a966 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -2,6 +2,8 @@ openssh (1:8.1p1-6) UNRELEASED; urgency=medium
 
   * Add more historical md5sums of /etc/ssh/sshd_config between 1:7.4p1-1
     and 1:7.7p1-4 inclusive (closes: #951220).
+  * ssh(1): Explain that -Y is equivalent to -X in the default configuration
+    (closes: #951640).
 
  -- Colin Watson <cjwatson@debian.org>  Fri, 14 Feb 2020 18:43:44 +0000
 
diff --git a/debian/patches/conch-old-privkey-format.patch b/debian/patches/conch-old-privkey-format.patch
index e018ac639..ce7dc266e 100644
--- a/debian/patches/conch-old-privkey-format.patch
+++ b/debian/patches/conch-old-privkey-format.patch
@@ -1,4 +1,4 @@
-From bbce4380e516e8bfed1ae09af0bc3661e427794a Mon Sep 17 00:00:00 2001
+From 2e889a135439e6234502c813fa0ef2eb1fcd733c Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Thu, 30 Aug 2018 00:58:56 +0100
 Subject: Work around conch interoperability failure
diff --git a/debian/patches/debian-config.patch b/debian/patches/debian-config.patch
index fe1e3f550..acb4e3ce9 100644
--- a/debian/patches/debian-config.patch
+++ b/debian/patches/debian-config.patch
@@ -1,4 +1,4 @@
-From 7abde40896668ce9debfe056c7dabc6a70ef7da4 Mon Sep 17 00:00:00 2001
+From 9a713cd4bbaef5ad4f1d28c1718fb6960ac257b3 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:18 +0000
 Subject: Various Debian-specific configuration changes
@@ -26,17 +26,17 @@ Document all of this.
 
 Author: Russ Allbery <rra@debian.org>
 Forwarded: not-needed
-Last-Update: 2017-10-04
+Last-Update: 2020-02-19
 
 Patch-Name: debian-config.patch
 ---
  readconf.c    |  2 +-
- ssh.1         | 21 +++++++++++++++++++++
+ ssh.1         | 24 ++++++++++++++++++++++++
  ssh_config    |  6 +++++-
  ssh_config.5  | 19 ++++++++++++++++++-
  sshd_config   | 16 ++++++++++------
  sshd_config.5 | 22 ++++++++++++++++++++++
- 6 files changed, 77 insertions(+), 9 deletions(-)
+ 6 files changed, 80 insertions(+), 9 deletions(-)
 
 diff --git a/readconf.c b/readconf.c
 index 16d2729dd..253574ce0 100644
@@ -52,7 +52,7 @@ index 16d2729dd..253574ce0 100644
                 options->forward_x11_timeout = 1200;
         /*
 diff --git a/ssh.1 b/ssh.1
-index 24530e511..fd495da2c 100644
+index 24530e511..44a00d525 100644
 --- a/ssh.1
 +++ b/ssh.1
 @@ -795,6 +795,16 @@ directive in
@@ -72,14 +72,17 @@ index 24530e511..fd495da2c 100644
  .It Fl x
  Disables X11 forwarding.
  .Pp
-@@ -803,6 +813,17 @@ Enables trusted X11 forwarding.
+@@ -803,6 +813,20 @@ Enables trusted X11 forwarding.
  Trusted X11 forwardings are not subjected to the X11 SECURITY extension
  controls.
  .Pp
-+(Debian-specific: This option does nothing in the default configuration: it
-+is equivalent to
-+.Dq Cm ForwardX11Trusted No yes ,
-+which is the default as described above.
++(Debian-specific: In the default configuration, this option is equivalent to
++.Fl X ,
++since
++.Cm ForwardX11Trusted
++defaults to
++.Dq yes
++as described above.
 +Set the
 +.Cm ForwardX11Trusted
 +option to
diff --git a/debian/patches/regress-2020.patch b/debian/patches/regress-2020.patch
index b46e0df31..785945d33 100644
--- a/debian/patches/regress-2020.patch
+++ b/debian/patches/regress-2020.patch
@@ -1,4 +1,4 @@
-From df3ad29af495185aa9b051028ae94b965a4b1659 Mon Sep 17 00:00:00 2001
+From 7ee24da2b84bf463dd5e8611479fa7a5acaa40e4 Mon Sep 17 00:00:00 2001
 From: "djm@openbsd.org" <djm@openbsd.org>
 Date: Fri, 3 Jan 2020 03:02:26 +0000
 Subject: upstream: what bozo decided to use 2020 as a future date in a regress
diff --git a/debian/patches/restore-authorized_keys2.patch b/debian/patches/restore-authorized_keys2.patch
index ea5ea0396..15102b004 100644
--- a/debian/patches/restore-authorized_keys2.patch
+++ b/debian/patches/restore-authorized_keys2.patch
@@ -1,4 +1,4 @@
-From f0c916d8008c30809fef44469bee1b74426a3071 Mon Sep 17 00:00:00 2001
+From 5c1ed7182e928fcf03d11c1bcc51c26c2c42629d Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 5 Mar 2017 02:02:11 +0000
 Subject: Restore reading authorized_keys2 by default
diff --git a/debian/patches/revert-ipqos-defaults.patch b/debian/patches/revert-ipqos-defaults.patch
index 7fdfe246c..37a1fec98 100644
--- a/debian/patches/revert-ipqos-defaults.patch
+++ b/debian/patches/revert-ipqos-defaults.patch
@@ -1,4 +1,4 @@
-From cfa01c635debb10e05f5ac34d269809c77c582dc Mon Sep 17 00:00:00 2001
+From 08ef8cb952462442660914b42de3f84f31ec1a6d Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Mon, 8 Apr 2019 10:46:29 +0100
 Subject: Revert "upstream: Update default IPQoS in ssh(1), sshd(8) to DSCP
diff --git a/debian/patches/sandbox-seccomp-clock_gettime64.patch b/debian/patches/sandbox-seccomp-clock_gettime64.patch
index ad0d647a2..d3e0bc40c 100644
--- a/debian/patches/sandbox-seccomp-clock_gettime64.patch
+++ b/debian/patches/sandbox-seccomp-clock_gettime64.patch
@@ -1,4 +1,4 @@
-From 93e9440bae1818746e0cc7f2543001db9d0ea1ea Mon Sep 17 00:00:00 2001
+From ba675f490d681365db5a4e4ea6419e8690da6f30 Mon Sep 17 00:00:00 2001
 From: Khem Raj <raj.khem@gmail.com>
 Date: Tue, 7 Jan 2020 16:26:45 -0800
 Subject: seccomp: Allow clock_gettime64() in sandbox.
diff --git a/debian/patches/sandbox-seccomp-clock_nanosleep.patch b/debian/patches/sandbox-seccomp-clock_nanosleep.patch
index ccf9d0b09..2023717b9 100644
--- a/debian/patches/sandbox-seccomp-clock_nanosleep.patch
+++ b/debian/patches/sandbox-seccomp-clock_nanosleep.patch
@@ -1,4 +1,4 @@
-From c80d266f4aed7224261b192b8e31ac87dc070cba Mon Sep 17 00:00:00 2001
+From cb38e55b8af8756b2d6d6f6a1c1a5f949e15b980 Mon Sep 17 00:00:00 2001
 From: Darren Tucker <dtucker@dtucker.net>
 Date: Wed, 13 Nov 2019 23:19:35 +1100
 Subject: seccomp: Allow clock_nanosleep() in sandbox.
diff --git a/debian/patches/sandbox-seccomp-clock_nanosleep_time64.patch b/debian/patches/sandbox-seccomp-clock_nanosleep_time64.patch
index 8825d569d..b8d7ad569 100644
--- a/debian/patches/sandbox-seccomp-clock_nanosleep_time64.patch
+++ b/debian/patches/sandbox-seccomp-clock_nanosleep_time64.patch
@@ -1,4 +1,4 @@
-From c80c5e338c19964755f277b54b390016f5c829a4 Mon Sep 17 00:00:00 2001
+From f0cfb9ad4b83693731505c945c0685de64483c8d Mon Sep 17 00:00:00 2001
 From: Darren Tucker <dtucker@dtucker.net>
 Date: Mon, 16 Dec 2019 13:55:56 +1100
 Subject: Allow clock_nanosleep_time64 in seccomp sandbox.
diff --git a/debian/patches/sandbox-seccomp-ipc.patch b/debian/patches/sandbox-seccomp-ipc.patch
index cbeb6613d..c84290726 100644
--- a/debian/patches/sandbox-seccomp-ipc.patch
+++ b/debian/patches/sandbox-seccomp-ipc.patch
@@ -1,4 +1,4 @@
-From 489e04f2c23327dd95981327d8757144a4e574af Mon Sep 17 00:00:00 2001
+From 2e128b223e8e73ace57a0726130bfbcf920d0f9e Mon Sep 17 00:00:00 2001
 From: Jeremy Drake <github@jdrake.com>
 Date: Fri, 11 Oct 2019 18:31:05 -0700
 Subject: Deny (non-fatal) ipc in preauth privsep child.
diff --git a/ssh.1 b/ssh.1
index fd495da2c..44a00d525 100644
--- a/ssh.1
+++ b/ssh.1
@@ -813,10 +813,13 @@ Enables trusted X11 forwarding.
 Trusted X11 forwardings are not subjected to the X11 SECURITY extension
 controls.
 .Pp
-(Debian-specific: This option does nothing in the default configuration: it
-is equivalent to
-.Dq Cm ForwardX11Trusted No yes ,
-which is the default as described above.
+(Debian-specific: In the default configuration, this option is equivalent to
+.Fl X ,
+since
+.Cm ForwardX11Trusted
+defaults to
+.Dq yes
+as described above.
 Set the
 .Cm ForwardX11Trusted
 option to