From 3ce3504956692d5d30d63d5975286319286cfbde Mon Sep 17 00:00:00 2001 From: Colin Watson Date: Wed, 10 Mar 2004 01:46:35 +0000 Subject: Turn off the new ForwardX11Trusted by default, returning to the semantics of 3.7 and earlier, since it seems immature and causes far too many problems with existing setups. See README.Debian for details (closes: #237021). --- debian/README.Debian | 9 +++++++++ 1 file changed, 9 insertions(+) (limited to 'debian/README.Debian') diff --git a/debian/README.Debian b/debian/README.Debian index cb1444a47..4f076f898 100644 --- a/debian/README.Debian +++ b/debian/README.Debian @@ -115,6 +115,15 @@ As of OpenSSH 3.1, the remote $DISPLAY uses localhost by default to reduce the security risks of X11 forwarding. Look up X11UseLocalhost in sshd_config(8) if this is a problem. +OpenSSH 3.8 invented ForwardX11Trusted, which when set to no causes the +ssh client to create an untrusted X cookie so that attacks on the +forwarded X11 connection can't become attacks on X clients on the remote +machine. However, this has some problems in implementation - notably a +very short timeout of the untrusted cookie - breaks large numbers of +existing setups, and generally seems immature. The Debian package +therefore sets the default for this option to "no" (in ssh itself, +rather than in ssh_config). + Fallback to RSH --------------- -- cgit v1.2.3
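Review bot: the last sentence of the added README paragraph says the package sets the default for ForwardX11Trusted to "no", but the same paragraph describes "no" as the setting that creates the untrusted cookie and breaks existing setups, and the commit message says the change returns to the semantics of 3.7 and earlier. As written, the documented default contradicts the stated intent, so the value should presumably read "yes". Since this trades away the untrusted-cookie protection, the paragraph should also say that users who want it can set ForwardX11Trusted to no in ssh_config. This view is limited to debian/README.Debian, so the change to the default in ssh itself cannot be checked against the text here.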