
Set umask for a sftp account?


Worked great for me. However, needed a bit of research because what you provided is an extract from docs. A specific example in my case would be to put two consecutive lines at the end of /etc/ssh/sshd_config

Match Group www-data
    ForceCommand internal-sftp -u 2

In my case what I wanted to do is to set umask to '002' (2 in decimal) if someone in group 'www-data' logs in.

There is also an option to use env. variable SSH_ORIGINAL_COMMAND instead of 'internal-sftp', but I did not have time to pursue that.
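
Added example, not code from the answer above: a small check that asks sshd which ForceCommand it will actually apply to a given user (OpenSSH's `sshd -T -C` config test with a connection spec) and pulls the umask out of the `internal-sftp -u` argument, so you can confirm the Match block reaches the user you meant. The user, host and address values in the usage line are made up.

```shell
#!/bin/sh
# Added example, not code from the page: report which umask a given user will
# get from a Match/ForceCommand block like the one above, by asking sshd for
# the effective configuration of that connection (OpenSSH's `sshd -T -C`).
# The user, host and address values in the usage line are made up.

# Pull the argument of -u out of a ForceCommand line as printed by `sshd -T`,
# e.g. "forcecommand internal-sftp -u 002". Prints the umask and returns 0;
# returns 1 when the command is not internal-sftp or carries no -u.
umask_from_forcecommand() {
    set -f                      # no globbing while we re-split the line
    set -- $1
    set +f
    [ "${1:-}" = forcecommand ] && shift
    [ "${1:-}" = internal-sftp ] || return 1
    shift
    while [ $# -gt 1 ]; do
        [ "$1" = -u ] && { echo "$2"; return 0; }
        shift
    done
    return 1
}

# Effective umask for one connection. Needs root, since sshd -T reads the host
# keys; user, host and addr are the fields a Match block can be keyed on.
effective_sftp_umask() {
    line=$(sshd -T -C "user=$1,host=$2,addr=$3" 2>/dev/null | grep -i '^forcecommand ') || true
    [ -n "$line" ] || { echo "no ForceCommand applies to $1" >&2; return 1; }
    umask_from_forcecommand "$line"
}

# Usage (as root): effective_sftp_umask alice alice.example.net 192.0.2.10
```

Note that `sshd -T` prints keywords in lower case, which is why the parser looks for `forcecommand`; if the function prints nothing, the Match block did not apply to that user, host and address combination.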


I don't know about AIX, but you should be able to do this with OpenSSH, though it will require root permissions. You'll need to write a wrapper script for the server component of sftp. The wrapper will need to selectively change the umask for the user and then exec the sftp server. For selecting a user, I'm partial to:

id --user

If you were to create such a script as /usr/local/sbin/sftp-wrapper, you would then change the configuration for the sftp subsystem in /etc/ssh/sshd_config from:

Subsystem   sftp    /usr/libexec/openssh/sftp-server

to:

Subsystem   sftp    /usr/local/sbin/sftp-wrapper

Beyond writing the wrapper script, every step will require root permissions.

Comment: I believe the sftp server is started by root when you connect via sftp. Thus, the default umask derives from root's umask. I don't believe there is a way of altering this for a particular user from within that user's configuration. If you want to change the sftp umask for all users, you can make a simpler modification to the sftp subsystem configuration:

Subsystem   sftp    /bin/bash -c 'umask 002; /usr/libexec/openssh/sftp-server'
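
Added example of the wrapper script this answer describes; it is not code from the answer or from OpenSSH. It picks a umask from the connecting user's primary group (the answer suggests keying on the user id; the group is one variant of that) and then execs the real sftp-server. The install path /usr/local/sbin/sftp-wrapper, the sftp-server path and the group names in the table are assumptions.

```shell
#!/bin/sh
# Added example, not code from the page: a wrapper for the sftp subsystem that
# picks a umask from the connecting user's primary group, then execs the real
# sftp-server. Install path (/usr/local/sbin/sftp-wrapper), server path and the
# group names below are assumptions for this example.

SFTP_SERVER=${SFTP_SERVER:-/usr/libexec/openssh/sftp-server}

# Map a primary group name to the umask it should get. Anything not listed
# falls through to an owner-only mask, so an unexpected group is never opened up.
umask_for_group() {
    case "$1" in
        www-data) echo 002 ;;   # group-writable, for shared web content
        shared)   echo 007 ;;   # group-private drop area, nothing for others
        *)        echo 077 ;;   # default: owner-only
    esac
}

# Accept only three or four octal digits; anything else is rejected so a typo
# in the table above cannot become an invalid umask at runtime.
valid_umask() {
    case "$1" in
        [0-7][0-7][0-7]|[0-7][0-7][0-7][0-7]) return 0 ;;
        *) return 1 ;;
    esac
}

main() {
    group=$(id -gn)                     # primary group sshd ran us as
    mask=$(umask_for_group "$group")
    valid_umask "$mask" || mask=077     # fail closed on a bad table entry
    umask "$mask"
    # Leave an audit trail; logger may be absent on a minimal host.
    logger -t sftp-wrapper "user=$(id -un) group=$group umask=$mask" 2>/dev/null || true
    exec "$SFTP_SERVER" "$@"            # arguments from the Subsystem line pass through
}

# Run only when invoked as the installed wrapper; sourcing the file (for
# instance to test the functions above) defines them without exec'ing anything.
case "$0" in
    */sftp-wrapper|sftp-wrapper) main "$@" ;;
esac
```

Install it mode 0755 and point the subsystem at it exactly as the answer shows (Subsystem sftp /usr/local/sbin/sftp-wrapper). Because sshd starts the subsystem as the already-authenticated user, `id -gn` inside the wrapper reports that user's group, not root's, which is what makes the per-group selection work.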


The user can set this up themselves without the involvement of root, either from the client (per connection) or on the server (per public key).

From the client, we can override the remote command used to handle the sftp interaction using the -s option:

sftp -s 'umask 0777; env PATH=${PATH}:/usr/libexec/openssh:/usr/lib/ssh:/usr/sbin sftp-server' username@hostname

(If your sftp-server is not installed in one of the locations mentioned above, add that to the path also).

From the server, we can force a particular command to be run whenever a connection is made using a particular public key. This will get run for all connections, not just those for SFTP, but we can inspect the $SSH_ORIGINAL_COMMAND environment variable to decide what course of action to take. Adding something like the following to authorized_keys is probably sufficient for your needs:

command="umask 0777; if [[ -n $SSH_ORIGINAL_COMMAND ]]; then eval $SSH_ORIGINAL_COMMAND; else exec bash --login; fi" ssh-rsa AAAAB3NzaC1yc2EA...

(substituting whichever is your favourite shell to handle any interactive logins, and noting that if you use tcsh you'll have to modify this to suit that shell's syntax).
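
Added example, not code from this answer: the same authorized_keys forced-command idea, but as a script that inspects SSH_ORIGINAL_COMMAND and only allows the sftp subsystem or an interactive shell, refusing anything else instead of passing it to eval. The handler path /usr/local/bin/forced-sftp, the sftp-server locations and the umask value are assumptions.

```shell
#!/bin/sh
# Added example, not code from the page: a forced-command handler for
# authorized_keys that sets a umask and then allows only the sftp subsystem or
# an interactive shell, refusing any other command rather than eval'ing it.
# The handler path (/usr/local/bin/forced-sftp), the sftp-server path and the
# umask value are assumptions for this example.

SFTP_SERVER=${SFTP_SERVER:-/usr/libexec/openssh/sftp-server}
FORCED_UMASK=${FORCED_UMASK:-027}

# Classify what the client asked for. sshd records the client's request in
# SSH_ORIGINAL_COMMAND; for a subsystem request it holds the Subsystem command
# from sshd_config (possibly with arguments such as -u). Prints one of:
# shell, sftp, deny.
classify_command() {
    [ -n "$1" ] || { echo shell; return; }      # no command: interactive login
    case "${1%% *}" in                          # program name only
        internal-sftp|/usr/libexec/openssh/sftp-server|/usr/lib/openssh/sftp-server|/usr/lib/ssh/sftp-server)
            echo sftp ;;
        *)
            echo deny ;;
    esac
}

main() {
    umask "$FORCED_UMASK"
    action=$(classify_command "${SSH_ORIGINAL_COMMAND:-}")
    case "$action" in
        sftp)  exec "$SFTP_SERVER" ;;
        shell) exec "${SHELL:-/bin/sh}" -l ;;
        *)
            logger -t forced-sftp "refused command for $(id -un): ${SSH_ORIGINAL_COMMAND:-}" 2>/dev/null || true
            echo "only sftp or an interactive shell is permitted" >&2
            exit 1
            ;;
    esac
}

# Run only when invoked as the installed handler, so the file can also be
# sourced to test classify_command on its own.
case "$0" in
    */forced-sftp|forced-sftp) main ;;
esac
```

The authorized_keys entry then shrinks to command="/usr/local/bin/forced-sftp" followed by the key. If the key is only ever used for sftp, prefixing the options with restrict (OpenSSH 7.2 and later) also turns off forwarding and PTY allocation; keep the shell branch in mind, since restrict needs a pty option added back before an interactive login will work.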