How to setup ssh's umask for all type of connections

Solution 1:

I can suggest trying 2 things:

  1. pam_umask
  2. LD_PRELOAD wrapper (self-written?)

Solution 2:

Here is a solution that will let you do what you want on a per-user basis. It uses only native sshd features and does not require mucking about with locally maintained patches. This solution takes advantage of the ForceCommand behavior of sshd to insert an environment-setup script into every ssh connection, and then run the original command.

First, create a script somewhere on your system with the following contents:


umask 0027
exec /bin/sh -c "${SSH_ORIGINAL_COMMAND:-$SHELL}"

For the purposes of this example I'll assume you've called this /usr/bin/umask-wrapper.

Now, you have a few options in setting this up. If you want this to be a mandatory configuration for all users (which seems a little unlikely), you can modify your sshd configuration to include the following:

ForceCommand /usr/bin/umask-wrapper

If you only want this to apply to some users, you can use a Match block (this goes at the end of your sshd_config):

Match User user1,user2
ForceCommand /usr/bin/umask-wrapper

If you want this to be user-controllable behavior, then you can use the command= option in an authorized_key file to select this behavior for specific keys. For example, while testing this out I added an entry to my authorized_keys file that looks something like this:

command="/home/lars/bin/umask-wrapper" ssh-rsa AAAAB3NzaC1 ... umask-test

And here are some results of my test:

Using ssh with no command:

localhost$ ssh remotehost
remotehost$ touch umask-test/file1
remotehost$ ls -l umask-test/file1
-rw-r-----. 1 lars lars 0 Feb  2 06:02 file1

Using ssh with a command:

localhost$ ssh remotehost touch umask-test/file2
localhost$ ssh remotehost ls -l umask-test/file2
-rw-r-----. 1 lars lars 0 Feb  2 06:03 file2

Using scp:

localhost$ touch file3
localhost$ ls -l file3
-rw-r--r--  1 lars  staff  0 Feb  2 06:03 file3
localhost$ scp file3 remotehost:umask-test/file3
localhost$ ssh remotehost ls -l umask-test/file3
-rw-r-----. 1 lars lars 0 Feb  2 06:03 file3

Using sftp:

localhost$ sftp remotehost
sftp> put file3 umask-test/file4
sftp> ls -l umask-test/file4
-rw-r-----    0 500      500             0 Feb  2 06:05 umask-test/file4

And there you have it. I believe this is the behavior you were looking for. If you have any questions about this solution I would be happy to provide additional details.

Solution 3:

I took a slightly different approach to centralize the setting.

This was added to /etc/pam.d/common-session:

session    optional

This was modified in /etc/login.defs:

UMASK           0027

Solution 4:

I've gotten pam_umask to work with ssh, but not with scp or sftp.

The wrapper method also does nothing for sftp or scp. I'm not sure 027 is a good example since most distros have umask set to that already. Try with 002 and see if that works.