untrusted comment: verify with openbsd-75-base.pub
RWRGj1pRpprAfhXtxWkPg5QGkFKLuuHUoYgjG+1iMb1Jnbm3/ZNDxlGNnvyI47Ox/CLkrkMBaX4ZjHsR3L1J9WuPHGqhqWDciwk=

OpenBSD 7.5 errata 023, April 9, 2025:

sshd(8) fix the DisableForwarding directive, which was failing to
disable X11 forwarding and agent forwarding as documented.

Apply by doing:
    signify -Vep /etc/signify/openbsd-75-base.pub -x 023_ssh.patch.sig \
        -m - | (cd /usr/src && patch -p0)

And then rebuild and install OpenSSH:
    cd /usr/src/usr.bin/ssh
    make obj
    make
    make install

Index: usr.bin/ssh/session.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/session.c,v
diff -u -p -r1.337 session.c
--- usr.bin/ssh/session.c	1 Feb 2024 02:37:33 -0000	1.337
+++ usr.bin/ssh/session.c	3 Apr 2025 09:52:17 -0000
@@ -1871,7 +1871,8 @@ session_auth_agent_req(struct ssh *ssh, 
 	if ((r = sshpkt_get_end(ssh)) != 0)
 		sshpkt_fatal(ssh, r, "%s: parse packet", __func__);
 	if (!auth_opts->permit_agent_forwarding_flag ||
-	    !options.allow_agent_forwarding) {
+	    !options.allow_agent_forwarding ||
+	    options.disable_forwarding) {
 		debug_f("agent forwarding disabled");
 		return 0;
 	}
@@ -2254,7 +2255,7 @@ session_setup_x11fwd(struct ssh *ssh, Se
 		ssh_packet_send_debug(ssh, "X11 forwarding disabled by key options.");
 		return 0;
 	}
-	if (!options.x11_forwarding) {
+	if (!options.x11_forwarding || options.disable_forwarding) {
 		debug("X11 forwarding disabled in server configuration file.");
 		return 0;
 	}