ssh: default X11Forwarding to no, following upstream

Administrators can enable it if required.

Reviewed by:	bz, kevans
Relnotes:	Yes
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D37411

UPDATING

@@ -27,6 +27,11 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 14.x IS SLOW:
 	world, or to merely disable the most expensive debugging functionality
 	at runtime, run "ln -s 'abort:false,junk:false' /etc/malloc.conf".)
 
+20230206:
+	sshd now defaults to having X11Forwarding disabled, following upstream.
+	Administrators who wish to enable X11Forwarding should add
+	`X11Forwarding yes` to /etc/ssh/sshd_config.
+
 20230130:
 	As of commit 7c40e2d5f685, the dependency on netlink(4) has been added
 	to the linux_common(4) module. Users relying on linux_common may need

crypto/openssh/FREEBSD-upgrade

@@ -113,7 +113,6 @@
 
       - UsePAM defaults to "yes".
       - PermitRootLogin defaults to "no".
-      - X11Forwarding defaults to "yes".
       - PasswordAuthentication defaults to "no".
       - VersionAddendum defaults to "FreeBSD-YYYYMMDD".
       - UseDNS defaults to "yes".

crypto/openssh/servconf.c

@@ -331,7 +331,7 @@ fill_default_server_options(ServerOptions *options)
 	if (options->print_lastlog == -1)
 		options->print_lastlog = 1;
 	if (options->x11_forwarding == -1)
-		options->x11_forwarding = 1;
+		options->x11_forwarding = 0;
 	if (options->x11_display_offset == -1)
 		options->x11_display_offset = 10;
 	if (options->x11_use_localhost == -1)

crypto/openssh/sshd_config

@@ -88,7 +88,7 @@ AuthorizedKeysFile	.ssh/authorized_keys
 #AllowAgentForwarding yes
 #AllowTcpForwarding yes
 #GatewayPorts no
-#X11Forwarding yes
+#X11Forwarding no
 #X11DisplayOffset 10
 #X11UseLocalhost yes
 #PermitTTY yes

crypto/openssh/sshd_config.5

@@ -1932,7 +1932,7 @@ The argument must be
 or
 .Cm no .
 The default is
-.Cm yes .
+.Cm no .
 .Pp
 When X11 forwarding is enabled, there may be additional exposure to
 the server and to client displays if the