Monday, February 4, 2013

Change umask for SFTP and SCP connections on RHEL and CentOS running OpenSSH

This should work on any system running OpenSSH, but this was specifically tested on RHEL 6 and CentOS 6.

Problem: When users are placing files on a server with SFTP, the umask set in /etc/profile and sticky bits set on directories are ignored.

Solution: Modify /etc/ssh/sshd_config. Find the line near the bottom that looks like:
Subsystem      sftp    /usr/libexec/openssh/sftp-server
Change it to the following, adjusting the umask as needed. This example sets permissions to 664 for files and 775 for directories:
Subsystem      sftp  /bin/sh -c 'umask 002; /usr/libexec/openssh/sftp-server'

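To fix it for SCP, you also need to add the following line to /etc/pam.d/login and /etc/pam.d/sshd, adjusting the umask as needed (0022 as shown gives 644 for files and 755 for directories; use 0002 to match the SFTP example above):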
session    optional     pam_umask.so umask=0022
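
As an added example (not from the original post), this shell script reads the Subsystem sftp wrapper line and the pam_umask line and prints the file and directory modes each umask produces, returning non-zero when SFTP and SCP would disagree. The sample files are constructed to mirror the two lines above, and the function names are illustrative.

```shell
#!/bin/sh
# Added example (not from the original post). Reads the two settings the post
# changes and prints the permissions each umask yields for new files and dirs.

# modes_for UMASK -> "FILEMODE DIRMODE", e.g. 002 -> "664 775"
modes_for() {
    m=$((0$1))                                  # leading 0 forces octal
    printf '%03o %03o\n' $((0666 & ~m)) $((0777 & ~m))
}

# sftp_umask FILE -> N from "Subsystem sftp /bin/sh -c 'umask N; ...'"
sftp_umask() {
    sed -n 's/^[[:space:]]*Subsystem[[:space:]]\{1,\}sftp[[:space:]].*umask[[:space:]]\{1,\}\([0-7]\{1,4\}\)[[:space:]]*;.*/\1/p' "$1" | head -n 1
}

# pam_umask FILE -> N from an uncommented "session ... pam_umask.so umask=N"
pam_umask() {
    sed -n 's/^[[:space:]]*session[[:space:]].*pam_umask\.so.*umask=\([0-7]\{1,4\}\).*/\1/p' "$1" | head -n 1
}

# audit SSHD_CONFIG PAM_FILE -> report both; status 0 only if both are set and equal
audit() {
    s=$(sftp_umask "$1"); p=$(pam_umask "$2")
    echo "sftp: umask=${s:-unset} modes=$( [ -n "$s" ] && modes_for "$s" )"
    echo "scp:  umask=${p:-unset} modes=$( [ -n "$p" ] && modes_for "$p" )"
    [ -n "$s" ] && [ -n "$p" ] && [ $((0$s)) -eq $((0$p)) ]
}

# Constructed sample files mirroring the two lines in the post.
write_samples() {
    cat > "$1/sshd_config" <<'EOF'
#Subsystem      sftp    /usr/libexec/openssh/sftp-server
Subsystem      sftp  /bin/sh -c 'umask 002; /usr/libexec/openssh/sftp-server'
EOF
    cat > "$1/pam_sshd" <<'EOF'
session    optional     pam_umask.so umask=0022
EOF
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
audit "$demo_dir/sshd_config" "$demo_dir/pam_sshd" || echo "umask differs between SFTP and SCP"
rm -rf "$demo_dir"
```

On a real host, call `audit /etc/ssh/sshd_config /etc/pam.d/sshd` instead of the sample files.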





1 comment:

Umakanta said...

Excellent.

I only modified /etc/pam.d/sshd and it works perfectly.

My environment is chroot sftp and winbind AD authentication.

Many thanks for this doc.

--Umakanta