
Set umask for an sftp account?

Could anyone tell me how to set the umask for a single sftp user? Worth mentioning: it is an IBM AIX...

Adding umask 002 to that user's .profile didn't work... (the goal is that this user's files are accessible to people from the same group).

I've seen some howtos around editing the sftpd configs, though I want to set it for one user only, so I expected to find something that didn't need root access.

thanks!

f.


Worked great for me. However, it needed a bit of research because what you provided is an extract from the docs. A specific example in my case would be to put two consecutive lines at the end of /etc/ssh/sshd_config:

Match Group www-data
ForceCommand internal-sftp -u 2

In my case what I wanted to do was to set the umask to '002' (2 in decimal) if someone in group 'www-data' logs in.

There is also an option to use the env. variable SSH_ORIGINAL_COMMAND instead of 'internal-sftp', but I did not have time to pursue that.


The user can set this up themselves without the involvement of root, either from the client (per connection) or on the server (per public key).

From the client, we can override the remote command used to handle the sftp interaction using the -s option:

sftp -s 'umask 0777; env PATH=${PATH}:/usr/libexec/openssh:/usr/lib/ssh:/usr/sbin sftp-server' username@hostname

(If your sftp-server is not installed in one of the locations mentioned above, add that to the path also).

From the server, we can force a particular command to be run whenever a connection is made using a particular public key. This will get run for all connections, not just those for SFTP, but we can inspect the $SSH_ORIGINAL_COMMAND environment variable to decide what course of action to take. Adding something like the following to authorized_keys is probably sufficient for your needs:

command="umask 0777; if [[ -n $SSH_ORIGINAL_COMMAND ]]; then eval $SSH_ORIGINAL_COMMAND; else exec bash --login; fi" ssh-rsa AAAAB3NzaC1yc2EA...

(substituting whichever is your favourite shell to handle any interactive logins, and noting that if you use tcsh you'll have to modify this to suit that shell's syntax).


I don't know about AIX, but you should be able to do this with OpenSSH, though it will require root permissions. You'll need to write a wrapper script for the server component of sftp. The wrapper will need to selectively change the umask for the user and then exec the sftp server. For selecting a user, I'm partial to:

id --user

If you were to create such a script as /usr/local/sbin/sftp-wrapper, you would then change the configuration for the sftp subsystem in /etc/ssh/sshd_config from:

Subsystem   sftp    /usr/libexec/openssh/sftp-server

to:

Subsystem   sftp    /usr/local/sbin/sftp-wrapper

Beyond writing the wrapper script, every step will require root permissions.

Comment: I believe the sftp server is started by root when you connect via sftp. Thus, the default umask derives from root's umask. I don't believe there is a way of altering this for a particular user from within that user's configuration. If you want to change the sftp umask for all users, you can make a simpler modification to the sftp subsystem configuration:

Subsystem   sftp    /bin/bash -c 'umask 002; /usr/libexec/openssh/sftp-server'
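Pulling together the two server-side approaches above (the authorized_keys command= dispatch in the earlier answer and the Subsystem wrapper in this one), here is an added example of such a wrapper; it is not code from the thread. The path /usr/local/sbin/sftp-wrapper, the list of sftp-server locations it searches and the user-to-umask table are assumptions made for the example. Unlike the eval above, it refuses any SSH_ORIGINAL_COMMAND that is not an sftp subsystem request, and it execs a server binary it located itself rather than whatever path the client sent, so the forced command cannot be turned back into a shell. Since sshd's Subsystem directive accepts arguments, one file serves both hooks:

```shell
#!/bin/sh
# sftp-wrapper: set a per-user umask, then hand off to the real sftp-server.
# Added example, not from the original thread. Assumed install path:
#   /usr/local/sbin/sftp-wrapper
#
# Hook 1 (root edits /etc/ssh/sshd_config, applies to every sftp login):
#   Subsystem sftp /usr/local/sbin/sftp-wrapper --run
#   (SSH_ORIGINAL_COMMAND is unset here; we simply exec sftp-server)
#
# Hook 2 (the user, without root, in ~/.ssh/authorized_keys, one line):
#   restrict,command="/usr/local/sbin/sftp-wrapper --run" ssh-ed25519 AAAA...
#   (sshd then puts the client's requested subsystem command in
#    SSH_ORIGINAL_COMMAND, e.g. "/usr/libexec/openssh/sftp-server" or
#    "internal-sftp"; anything else is refused instead of eval'ed)

# Per-user umask table (constructed for the example); default is the last case.
umask_for_user() {
    case "$1" in
        www-upload|deploy) echo 002 ;;   # group-writable, as the question asks for
        auditor)           echo 077 ;;   # private files only
        *)                 echo 022 ;;
    esac
}

# Accept only an sftp subsystem request: unset (Subsystem hook), internal-sftp,
# or a path ending in /sftp-server. A command chain such as
# "/usr/lib/openssh/sftp-server; sh" does not match and is rejected.
is_sftp_request() {
    case "$1" in
        ''|internal-sftp|*/sftp-server) return 0 ;;
        *) return 1 ;;
    esac
}

# Locate a real sftp-server binary on this host; the client's path is never used.
find_sftp_server() {
    for p in /usr/libexec/openssh/sftp-server /usr/lib/openssh/sftp-server \
             /usr/lib/ssh/sftp-server /usr/lib64/ssh/sftp-server \
             /usr/libexec/sftp-server /usr/sbin/sftp-server; do
        if [ -x "$p" ]; then
            echo "$p"
            return 0
        fi
    done
    return 1
}

run_forced_command() {
    user=$(id -un)
    if ! is_sftp_request "${SSH_ORIGINAL_COMMAND:-}"; then
        printf 'sftp-wrapper: refusing non-sftp request for %s\n' "$user" >&2
        exit 1
    fi
    server=$(find_sftp_server) || {
        echo "sftp-wrapper: no sftp-server binary found" >&2
        exit 1
    }
    umask "$(umask_for_user "$user")"   # sftp-server inherits the umask set here
    exec "$server"
}

# Only act when invoked as the forced command / subsystem; sourcing the file
# (as the checks below do) defines the functions without executing anything.
if [ "${1:-}" = "--run" ]; then
    run_forced_command
fi
```

Installed as the Subsystem it replaces sftp-server for everyone and needs root, as the answer says; placed in authorized_keys it applies only to logins with that key, and the restrict option (OpenSSH 7.2 and later) additionally disables port forwarding, agent forwarding and PTY allocation for that key, which is what you want for an upload-only account.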


A umask of 111 in octal will yield 73 in decimal, which we will use in this example.

#vi /etc/ssh/sshd_config

Add the following two lines at the end of the file to configure the sftp umask for a group of users.

Match Group  <group name>
ForceCommand  internal-sftp  -u 73

Or, add the following two lines at the end of the file to configure the sftp umask for a single user.

Match User   <user name>
ForceCommand  internal-sftp -u 73

Restart the sshd daemon.

#stopsrc -s sshd

#startsrc -s sshd

This will help.

Aamod chandra
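The Match blocks in this answer and in the www-data one earlier both hinge on what -u actually expects. As an added example that is not part of the thread, here is a small generator that validates the umask the way sshd will read it and then emits the Match block; the group www-data and user nappuser in it are assumed names. The check worth knowing before pasting: OpenSSH's sftp-server parses the -u argument with strtol(optarg, &cp, 8), i.e. as octal, so -u 2 and -u 002 both give umask 002, whereas -u 73 is read as octal 073 (decimal 59) rather than as umask 0111.

```shell
#!/bin/sh
# Added example, not from the thread: validate an sftp umask as sshd parses it
# and print a Match block that forces internal-sftp with that umask.
# Match blocks apply until the next Match or end of file, which is why every
# answer above says to put them at the end of sshd_config.

# sftp-server/internal-sftp read -u as octal: accept 1 to 4 octal digits, max 0777.
valid_umask() {
    case "$1" in
        ''|*[!0-7]*|?????*) return 1 ;;
    esac
    [ "$((0$1))" -le 511 ]   # 0777 octal == 511 decimal
}

# The mask sshd will actually apply for a given -u argument, in decimal.
umask_as_decimal() {
    echo "$((0$1))"
}

# Emit the block. $1 = "User" or "Group", $2 = name, $3 = octal umask.
match_block() {
    valid_umask "$3" || { echo "match_block: invalid umask '$3'" >&2; return 1; }
    printf 'Match %s %s\n' "$1" "$2"
    printf '    ForceCommand internal-sftp -u %s\n' "$3"
}

# Usage (assumed names): group-wide and single-user variants from the answers.
if [ "${1:-}" = "--demo" ]; then
    match_block Group www-data 002
    match_block User nappuser 002
    echo "-u 73 would apply umask $(umask_as_decimal 73) (decimal), i.e. 073 octal"
fi
```

Run with --demo to print the two blocks; append the output to /etc/ssh/sshd_config, check it with sshd -t, then restart sshd (stopsrc/startsrc on AIX as shown above). A wrong argument such as -u 78 makes sftp-server exit with "Invalid umask", which shows up as the client connection closing immediately.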


I don't know why the lines below do not work for me:

Match Group
ForceCommand  internal-sftp  -u 73

In the end, adding '-u 0002' to the Subsystem line works fine on SUSE 11.3:

Subsystem sftp /usr/lib64/ssh/sftp-server -u 0002

and now the specified user can only log in with a public key:

Match User nappcpr Group iwcopy
    PasswordAuthentication no
    PubkeyAuthentication yes
    KbdInteractiveAuthentication no