openssh/openssh-9.5p1-ROSA-ssh-config.patch

diff -ur openssh-9.5p1/ssh_config openssh-9.5p1_patched/ssh_config
--- openssh-9.5p1/ssh_config	2023-10-04 07:34:10.000000000 +0300
+++ openssh-9.5p1_patched/ssh_config	2023-11-06 13:49:12.197701005 +0300
@@ -19,7 +19,7 @@
 
 # Host *
 #   ForwardAgent no
-#   ForwardX11 no
+ForwardX11 yes
 #   PasswordAuthentication yes
 #   HostbasedAuthentication no
 #   GSSAPIAuthentication no
@@ -44,3 +44,16 @@
 #   ProxyCommand ssh -q -W %h:%p gateway.example.com
 #   RekeyLimit 1G 1h
 #   UserKnownHostsFile ~/.ssh/known_hosts.d/%k
+
+# If this option is set to yes then remote X11 clients will have full access
+# to the original X11 display. As virtually no X11 client supports the untrusted
+# mode correctly we set this to yes.
+ForwardX11Trusted yes
+
+Host *
+    GSSAPIAuthentication yes
+
+# Send locale-related environment variables
+#SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
+#SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
+#SendEnv LC_IDENTIFICATION LC_ALL
diff -ur openssh-9.5p1/sshd_config openssh-9.5p1_patched/sshd_config
--- openssh-9.5p1/sshd_config	2023-10-04 07:34:10.000000000 +0300
+++ openssh-9.5p1_patched/sshd_config	2023-11-06 13:51:07.128061341 +0300
@@ -3,7 +3,7 @@
 # This is the sshd server system-wide configuration file.  See
 # sshd_config(5) for more information.
 
-# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
+# This sshd was compiled with PATH=_OPENSSH_PATH_
 
 # The strategy used for options in the default sshd_config shipped with
 # OpenSSH is to specify options with their default value where
@@ -15,9 +15,9 @@
 #ListenAddress 0.0.0.0
 #ListenAddress ::
 
-#HostKey /etc/ssh/ssh_host_rsa_key
-#HostKey /etc/ssh/ssh_host_ecdsa_key
-#HostKey /etc/ssh/ssh_host_ed25519_key
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_ecdsa_key
+HostKey /etc/ssh/ssh_host_ed25519_key
 
 # Ciphers and keying
 #RekeyLimit default none
@@ -29,6 +29,7 @@
 # Authentication:
 
 #LoginGraceTime 2m
+# [ROSA] Edit /etc/ssh/denyusers and remove 'root' to enable PermitRootLogin
 #PermitRootLogin prohibit-password
 #StrictModes yes
 #MaxAuthTries 6
@@ -79,12 +80,20 @@
 # If you just want the PAM account and session checks to run without
 # PAM authentication, then enable this but set PasswordAuthentication
 # and KbdInteractiveAuthentication to 'no'.
-#UsePAM no
+# Warning: when running under systemd, and PAM usage is disabled, restarting
+# SSH service will likely kill off any ssh connections, including the
+# current one
+UsePAM yes
+
+# Accept locale-related environment variables
+AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
+AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
+AcceptEnv LC_IDENTIFICATION LC_ALL
 
 #AllowAgentForwarding yes
 #AllowTcpForwarding yes
 #GatewayPorts no
-#X11Forwarding no
+X11Forwarding yes
 #X11DisplayOffset 10
 #X11UseLocalhost yes
 #PermitTTY yes
@@ -114,3 +123,6 @@
 #	AllowTcpForwarding no
 #	PermitTTY no
 #	ForceCommand cvs server
+
+# Include additional files if there are any
+Include /etc/ssh/sshd_config.d/*