5 files changed, 71 insertions, 3 deletions
diff --git a/readconf.c b/readconf.c
index c0ba5a72c..e4e1cbae3 100644
--- a/readconf.c
+++ b/readconf.c
@@ -1749,7 +1749,7 @@ fill_default_options(Options * options)
        if (options->forward_x11 == -1)
                options->forward_x11 = 0;
        if (options->forward_x11_trusted == -1)
-                options->forward_x11_trusted = 0;
+                options->forward_x11_trusted = 1;
        if (options->forward_x11_timeout == -1)
                options->forward_x11_timeout = 1200;
        if (options->exit_on_forward_failure == -1)
diff --git a/ssh.1 b/ssh.1
index 05b7f107b..649d6c303 100644
--- a/ssh.1
+++ b/ssh.1
@@ -755,6 +755,16 @@ directive in
 .Xr ssh_config 5
 for more information.
 .Pp
+(Debian-specific: X11 forwarding is not subjected to X11 SECURITY extension
+restrictions by default, because too many programs currently crash in this
+mode.
+Set the
+.Cm ForwardX11Trusted
+option to
+.Dq no
+to restore the upstream behaviour.
+This may change in future depending on client-side improvements.)
+.Pp
 .It Fl x
 Disables X11 forwarding.
 .Pp
@@ -763,6 +773,17 @@ Enables trusted X11 forwarding.
 Trusted X11 forwardings are not subjected to the X11 SECURITY extension
 controls.
 .Pp
+(Debian-specific: This option does nothing in the default configuration: it
+is equivalent to
+.Dq Cm ForwardX11Trusted No yes ,
+which is the default as described above.
+Set the
+.Cm ForwardX11Trusted
+option to
+.Dq no
+to restore the upstream behaviour.
+This may change in future depending on client-side improvements.)
+.Pp
 .It Fl y
 Send log information using the
 .Xr syslog 3
diff --git a/ssh_config b/ssh_config
index 228e5abce..c9386aadd 100644
--- a/ssh_config
+++ b/ssh_config
@@ -17,9 +17,10 @@
 # list of available options, their meanings and defaults, please see the
 # ssh_config(5) man page.
-# Host *
+Host *
 #   ForwardAgent no
 #   ForwardX11 no
+#   ForwardX11Trusted yes
 #   RhostsRSAAuthentication no
 #   RSAAuthentication yes
 #   PasswordAuthentication yes
@@ -48,3 +49,7 @@
 #   VisualHostKey no
 #   ProxyCommand ssh -q -W %h:%p gateway.example.com
 #   RekeyLimit 1G 1h
+    SendEnv LANG LC_*
+    HashKnownHosts yes
+    GSSAPIAuthentication yes
+    GSSAPIDelegateCredentials no
diff --git a/ssh_config.5 b/ssh_config.5
index 5bc04b0b7..aaa435a9d 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -74,6 +74,22 @@ Since the first obtained value for each parameter is used, more
 host-specific declarations should be given near the beginning of the
 file, and general defaults at the end.
 .Pp
+Note that the Debian
+.Ic openssh-client
+package sets several options as standard in
+.Pa /etc/ssh/ssh_config
+which are not the default in
+.Xr ssh 1 :
+.Pp
+.Bl -bullet -offset indent -compact
+.It
+.Cm SendEnv No LANG LC_*
+.It
+.Cm HashKnownHosts No yes
+.It
+.Cm GSSAPIAuthentication No yes
+.El
+.Pp
 The configuration file has the following format:
 .Pp
 Empty lines and lines starting with
@@ -721,7 +737,8 @@ token used for the session will be set to expire after 20 minutes.
 Remote clients will be refused access after this time.
 .Pp
 The default is
-.Dq no .
+.Dq yes
+(Debian-specific).
 .Pp
 See the X11 SECURITY extension specification for full details on
 the restrictions imposed on untrusted clients.
diff --git a/sshd_config.5 b/sshd_config.5
index 7e40a271f..92c23bc46 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -57,6 +57,31 @@ Arguments may optionally be enclosed in double quotes
 .Pq \&"
 in order to represent arguments containing spaces.
 .Pp
+Note that the Debian
+.Ic openssh-server
+package sets several options as standard in
+.Pa /etc/ssh/sshd_config
+which are not the default in
+.Xr sshd 8 .
+The exact list depends on whether the package was installed fresh or
+upgraded from various possible previous versions, but includes at least the
+following:
+.Pp
+.Bl -bullet -offset indent -compact
+.It
+.Cm ChallengeResponseAuthentication No no
+.It
+.Cm X11Forwarding No yes
+.It
+.Cm PrintMotd No no
+.It
+.Cm AcceptEnv No LANG LC_*
+.It
+.Cm Subsystem No sftp /usr/lib/openssh/sftp-server
+.It
+.Cm UsePAM No yes
+.El
+.Pp
 The possible
 keywords and their meanings are as follows (note that
 keywords are case-insensitive and arguments are case-sensitive):

diff --git a/readconf.c b/readconf.c index c0ba5a72c..e4e1cbae3 100644 --- a/readconf.c +++ b/readconf.c
@@ -1749,7 +1749,7 @@ fill_default_options(Options * options)
1749	if (options->forward_x11 == -1)	1749	if (options->forward_x11 == -1)
1750	options->forward_x11 = 0;	1750	options->forward_x11 = 0;
1751	if (options->forward_x11_trusted == -1)	1751	if (options->forward_x11_trusted == -1)
1752	options->forward_x11_trusted = 0;	1752	options->forward_x11_trusted = 1;
1753	if (options->forward_x11_timeout == -1)	1753	if (options->forward_x11_timeout == -1)
1754	options->forward_x11_timeout = 1200;	1754	options->forward_x11_timeout = 1200;
1755	if (options->exit_on_forward_failure == -1)	1755	if (options->exit_on_forward_failure == -1)


diff --git a/ssh.1 b/ssh.1 index 05b7f107b..649d6c303 100644 --- a/ssh.1 +++ b/ssh.1
@@ -755,6 +755,16 @@ directive in
755	.Xr ssh_config 5	755	.Xr ssh_config 5
756	for more information.	756	for more information.
757	.Pp	757	.Pp
		758	(Debian-specific: X11 forwarding is not subjected to X11 SECURITY extension
		759	restrictions by default, because too many programs currently crash in this
		760	mode.
		761	Set the
		762	.Cm ForwardX11Trusted
		763	option to
		764	.Dq no
		765	to restore the upstream behaviour.
		766	This may change in future depending on client-side improvements.)
		767	.Pp
758	.It Fl x	768	.It Fl x
759	Disables X11 forwarding.	769	Disables X11 forwarding.
760	.Pp	770	.Pp
@@ -763,6 +773,17 @@ Enables trusted X11 forwarding.
763	Trusted X11 forwardings are not subjected to the X11 SECURITY extension	773	Trusted X11 forwardings are not subjected to the X11 SECURITY extension
764	controls.	774	controls.
765	.Pp	775	.Pp
		776	(Debian-specific: This option does nothing in the default configuration: it
		777	is equivalent to
		778	.Dq Cm ForwardX11Trusted No yes ,
		779	which is the default as described above.
		780	Set the
		781	.Cm ForwardX11Trusted
		782	option to
		783	.Dq no
		784	to restore the upstream behaviour.
		785	This may change in future depending on client-side improvements.)
		786	.Pp
766	.It Fl y	787	.It Fl y
767	Send log information using the	788	Send log information using the
768	.Xr syslog 3	789	.Xr syslog 3


diff --git a/ssh_config b/ssh_config index 228e5abce..c9386aadd 100644 --- a/ssh_config +++ b/ssh_config
@@ -17,9 +17,10 @@
17	# list of available options, their meanings and defaults, please see the	17	# list of available options, their meanings and defaults, please see the
18	# ssh_config(5) man page.	18	# ssh_config(5) man page.
19		19
20	# Host *	20	Host *
21	# ForwardAgent no	21	# ForwardAgent no
22	# ForwardX11 no	22	# ForwardX11 no
		23	# ForwardX11Trusted yes
23	# RhostsRSAAuthentication no	24	# RhostsRSAAuthentication no
24	# RSAAuthentication yes	25	# RSAAuthentication yes
25	# PasswordAuthentication yes	26	# PasswordAuthentication yes
@@ -48,3 +49,7 @@
48	# VisualHostKey no	49	# VisualHostKey no
49	# ProxyCommand ssh -q -W %h:%p gateway.example.com	50	# ProxyCommand ssh -q -W %h:%p gateway.example.com
50	# RekeyLimit 1G 1h	51	# RekeyLimit 1G 1h
		52	SendEnv LANG LC_*
		53	HashKnownHosts yes
		54	GSSAPIAuthentication yes
		55	GSSAPIDelegateCredentials no


diff --git a/ssh_config.5 b/ssh_config.5 index 5bc04b0b7..aaa435a9d 100644 --- a/ssh_config.5 +++ b/ssh_config.5
@@ -74,6 +74,22 @@ Since the first obtained value for each parameter is used, more
74	host-specific declarations should be given near the beginning of the	74	host-specific declarations should be given near the beginning of the
75	file, and general defaults at the end.	75	file, and general defaults at the end.
76	.Pp	76	.Pp
		77	Note that the Debian
		78	.Ic openssh-client
		79	package sets several options as standard in
		80	.Pa /etc/ssh/ssh_config
		81	which are not the default in
		82	.Xr ssh 1 :
		83	.Pp
		84	.Bl -bullet -offset indent -compact
		85	.It
		86	.Cm SendEnv No LANG LC_*
		87	.It
		88	.Cm HashKnownHosts No yes
		89	.It
		90	.Cm GSSAPIAuthentication No yes
		91	.El
		92	.Pp
77	The configuration file has the following format:	93	The configuration file has the following format:
78	.Pp	94	.Pp
79	Empty lines and lines starting with	95	Empty lines and lines starting with
@@ -721,7 +737,8 @@ token used for the session will be set to expire after 20 minutes.
721	Remote clients will be refused access after this time.	737	Remote clients will be refused access after this time.
722	.Pp	738	.Pp
723	The default is	739	The default is
724	.Dq no .	740	.Dq yes
		741	(Debian-specific).
725	.Pp	742	.Pp
726	See the X11 SECURITY extension specification for full details on	743	See the X11 SECURITY extension specification for full details on
727	the restrictions imposed on untrusted clients.	744	the restrictions imposed on untrusted clients.


diff --git a/sshd_config.5 b/sshd_config.5 index 7e40a271f..92c23bc46 100644 --- a/sshd_config.5 +++ b/sshd_config.5
@@ -57,6 +57,31 @@ Arguments may optionally be enclosed in double quotes
57	.Pq \&"	57	.Pq \&"
58	in order to represent arguments containing spaces.	58	in order to represent arguments containing spaces.
59	.Pp	59	.Pp
		60	Note that the Debian
		61	.Ic openssh-server
		62	package sets several options as standard in
		63	.Pa /etc/ssh/sshd_config
		64	which are not the default in
		65	.Xr sshd 8 .
		66	The exact list depends on whether the package was installed fresh or
		67	upgraded from various possible previous versions, but includes at least the
		68	following:
		69	.Pp
		70	.Bl -bullet -offset indent -compact
		71	.It
		72	.Cm ChallengeResponseAuthentication No no
		73	.It
		74	.Cm X11Forwarding No yes
		75	.It
		76	.Cm PrintMotd No no
		77	.It
		78	.Cm AcceptEnv No LANG LC_*
		79	.It
		80	.Cm Subsystem No sftp /usr/lib/openssh/sftp-server
		81	.It
		82	.Cm UsePAM No yes
		83	.El
		84	.Pp
60	The possible	85	The possible
61	keywords and their meanings are as follows (note that	86	keywords and their meanings are as follows (note that
62	keywords are case-insensitive and arguments are case-sensitive):	87	keywords are case-insensitive and arguments are case-sensitive):