Index: crypto/openssh/FREEBSD-upgrade
===================================================================
--- crypto/openssh/FREEBSD-upgrade
+++ crypto/openssh/FREEBSD-upgrade
@@ -116,7 +116,6 @@
 
       - UsePAM defaults to "yes".
       - PermitRootLogin defaults to "no".
-      - X11Forwarding defaults to "yes".
       - PasswordAuthentication defaults to "no".
       - VersionAddendum defaults to "FreeBSD-YYYYMMDD".
       - PrivilegeSeparation defaults to "sandbox".
Index: crypto/openssh/servconf.c
===================================================================
--- crypto/openssh/servconf.c
+++ crypto/openssh/servconf.c
@@ -328,7 +328,7 @@
 	if (options->print_lastlog == -1)
 		options->print_lastlog = 1;
 	if (options->x11_forwarding == -1)
-		options->x11_forwarding = 1;
+		options->x11_forwarding = 0;
 	if (options->x11_display_offset == -1)
 		options->x11_display_offset = 10;
 	if (options->x11_use_localhost == -1)
Index: crypto/openssh/sshd_config
===================================================================
--- crypto/openssh/sshd_config
+++ crypto/openssh/sshd_config
@@ -88,7 +88,7 @@
 #AllowAgentForwarding yes
 #AllowTcpForwarding yes
 #GatewayPorts no
-#X11Forwarding yes
+#X11Forwarding no
 #X11DisplayOffset 10
 #X11UseLocalhost yes
 #PermitTTY yes
Index: crypto/openssh/sshd_config.5
===================================================================
--- crypto/openssh/sshd_config.5
+++ crypto/openssh/sshd_config.5
@@ -1834,7 +1834,7 @@
 or
 .Cm no .
 The default is
-.Cm yes .
+.Cm no .
 .Pp
 When X11 forwarding is enabled, there may be additional exposure to
 the server and to client displays if the