Always make sure permissions of .ssh/authorized_keys
are checked. This prevents word-writeable keyfiles from
being processed, reducing attack surface after misconfiguration.

Partially addresses #11538 and depends on patch 1/3.

Signed-off-by: Peter Müller <peter.mueller(a)link38.eu>
---
 config/rootfiles/core/121/update.sh | 3 ++-
 lfs/openssh                         | 1 +
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/config/rootfiles/core/121/update.sh b/config/rootfiles/core/121/update.sh
index 5b8f2c86e..3ec251292 100644
--- a/config/rootfiles/core/121/update.sh
+++ b/config/rootfiles/core/121/update.sh
@@ -59,7 +59,8 @@ rm -rvf \
 # Update SSH configuration
 sed -i /etc/ssh/sshd_config \
 	-e 's/^#SyslogFacility AUTH$/SyslogFacility AUTH/' \
-	-e 's/^#LogLevel INFO$/LogLevel INFO/'
+	-e 's/^#LogLevel INFO$/LogLevel INFO/' \
+	-e 's/^#StrictModes .*$/StrictModes yes/'
 
 # Start services
 /etc/init.d/sshd restart
diff --git a/lfs/openssh b/lfs/openssh
index 46561953d..7e8468ac9 100644
--- a/lfs/openssh
+++ b/lfs/openssh
@@ -95,6 +95,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 		-e 's/^#LogLevel INFO$/LogLevel INFO/' \
 		-e 's/^#\?AllowTcpForwarding .*$$/AllowTcpForwarding no/' \
 		-e 's/^#\?PermitRootLogin .*$$/PermitRootLogin yes/' \
+		-e 's/^#StrictModes .*$/StrictModes yes/' \
 		-e 's|^#\?HostKey /etc/ssh/ssh_host_dsa_key$$||' \
 		-e 's|^#\?HostKey /etc/ssh/ssh_host_ecdsa_key$$||' \
 		-e 's|^#\?HostKey /etc/ssh/ssh_host_ed25519_key$$||' \
-- 
2.13.6