/bin/login from shadow currently has following the man page: CONFIGURATION The following configuration variables in /etc/login.defs change the behavior of this tool: [...] UMASK (number) The file mode creation mask is initialized to this value. If not specified, the mask will be initialized to 022. useradd and newusers use this mask to set the mode of the home directory they create It is also used by login to define users' initial umask. Note that this mask can be overriden by the user's GECOS line (if QUOTAS_ENAB is set) or by the specification of a limit with the K identifier in limits(5). So I went and edited /etc/login.defs accordingly to set the umask to a different value. However, that new umask was not picked up. A simple "ssh box umask" showed the default 022 umask. Note that no shell is invoked so /etc/profile, which may define a umask, is not read. After patching /etc/pam.d/system-login to include the line session optional pam_umask.so at the top of the session block, it worked as expected. I expected it to work out of the box based on the documentation mentioned above.