How to setup ssh's umask for all type of connections

I can suggest trying 2 things:

1. pam_umask
2. LD_PRELOAD wrapper (self-written?)

Here is a solution that will let you do what you want on a per-user basis. It uses only native sshd features and does not require mucking about with locally maintained patches. This solution takes advantage of the ForceCommand behavior of sshd to insert an environment-setup script into every ssh connection, and then run the original command.

First, create a script somewhere on your system with the following contents:

#!/bin/sh

umask 0027
exec /bin/sh -c "${SSH_ORIGINAL_COMMAND:-$SHELL}"

For the purposes of this example I'll assume you've called this /usr/bin/umask-wrapper.

Now, you have a few options in setting this up. If you want this to be a mandatory configuration for all users (which seems a little unlikely), you can modify your sshd configuration to include the following:

ForceCommand /usr/bin/umask-wrapper

If you only want this to apply to some users, you can use a Match block (this goes at the end of your sshd_config):

Match User user1,user2
ForceCommand /usr/bin/umask-wrapper

If you want this to be user-controllable behavior, then you can use the command= option in an authorized_key file to select this behavior for specific keys. For example, while testing this out I added an entry to my authorized_keys file that looks something like this:

command="/home/lars/bin/umask-wrapper" ssh-rsa AAAAB3NzaC1 ... umask-test

And here are some results of my test:

Using ssh with no command:

localhost$ ssh remotehost
remotehost$ touch umask-test/file1
remotehost$ ls -l umask-test/file1
-rw-r-----. 1 lars lars 0 Feb  2 06:02 file1

Using ssh with a command:

localhost$ ssh remotehost touch umask-test/file2
localhost$ ssh remotehost ls -l umask-test/file2
-rw-r-----. 1 lars lars 0 Feb  2 06:03 file2

Using scp:

localhost$ touch file3
localhost$ ls -l file3
-rw-r--r--  1 lars  staff  0 Feb  2 06:03 file3
localhost$ scp file3 remotehost:umask-test/file3
localhost$ ssh remotehost ls -l umask-test/file3
-rw-r-----. 1 lars lars 0 Feb  2 06:03 file3

Using sftp:

localhost$ sftp remotehost
sftp> put file3 umask-test/file4
sftp> ls -l umask-test/file4
-rw-r-----    0 500      500             0 Feb  2 06:05 umask-test/file4

And there you have it. I believe this is the behavior you were looking for. If you have any questions about this solution I would be happy to provide additional details.

I took a slightly different approach to centralize the setting.

This was added to /etc/pam.d/common-session:

session    optional     pam_umask.so

This was modified in /etc/login.defs:

UMASK           0027

I've gotten pam_umask to work with ssh, but not with scp or sftp.

The wrapper method also does nothing for sftp or scp. I'm not sure 027 is a good example since most distros have umask set to that already. Try with 002 and see if that works.

Programs that don't set their own umask inherit the umask of the application that started it. Stop sshd completely, set your umask to 0027, then start it again. (You can add the umask command in the init script for future reboots.)

Tested to work with scp.

If pam_umask doesn't seem to affect your SFTP sessions, then check if UsePam is set to Yes in the /etc/ssh/sshd_config file.

If you have disabled password authentication and UsePam was set or defaulted to No. You may want to set ChallengeResponseAuthentication No in the sshd_config file because otherwise you may inadvertently enable a password authentication through that system.

An added note to user188737's answer above:

This may go without saying, but if you are not using the openssh-server package, and have manually compiled OpenSSH, make sure you "Enable PAM support" by passing the --with-pam configuration flag.

Otherwise, UsePAM=yes in sshd_config, plus any changes to /etc/pam.d/* will effectively be ignored by sshd.

It finally dawned on me why none of the recommended PAM solutions were having any affect testing via non-interactive SFTP connections...

Since umask is inherited from the parent process, on a Slackware system that uses /etc/rc.d/rc.sshd to start/stop/restart sshd, you could simply place umask 0027 on a line by itself directly above "sshd_start" or "sshd_restart", or alternatively, at any point before the main execution section begins, in /etc/rc.d/rc.sshd:

case "$1" in
'start')
  umask 0027
  sshd_start
  ;;
'stop')
  sshd_stop
  ;;
'restart')
  umask 0027
  sshd_restart
  ;;
*)

Or, alternatively, at the top of the file:

#!/bin/sh
# Start/stop/restart the secure shell server:
umask 0027

I have just tested a possible improvement to larsks sshd_config options on solaris 11

Setup a group with the users to be managed and move the script into the config file itself, in my case I wanted to set the umask to 0002.

the resulting configuration becomes....

Match Group managedgroup
ForceCommand /bin/sh -c 'umask 0002; ${SSH_ORIGINAL_COMMAND:-$SHELL}'

I have been struggling with this issue, specifically with file permissions after copying a file using scp, and it finally occurred to me to simply use ssh to change the permissions after the copy.

Here is the solution:

1. Copy your file: localhost$ scp filename remotehost:umask-test/filename
2. Fix permission: localhost$ ssh remotehost "chmod go+r umask-test/filename"

Best of all, no root access is necessary to effect this solution.