/bin/login from shadow currently has the following in the man page:
The following configuration variables in /etc/login.defs change the behavior of this
The file mode creation mask is initialized to this value. If not specified, the
mask will be initialized to 022.
useradd and newusers use this mask to set the mode of the home directory they
It is also used by login to define users' initial umask. Note that this mask can
be overridden by the user's GECOS line (if QUOTAS_ENAB is set) or by the
specification of a limit with the K identifier in limits(5).
So I went and edited /etc/login.defs accordingly to set the umask to a different value.
However, that new umask was not picked up. A simple "ssh box umask" showed the default 022 umask. Note that no shell is invoked so /etc/profile, which may define a umask, is not read.
After patching /etc/pam.d/system-login to include the line
session optional pam_umask.so
at the top of the session block, it worked as expected.
I expected it to work out of the box based on the documentation mentioned above.
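
The condition this report describes (a UMASK set in /etc/login.defs but no pam_umask.so line in the PAM session stack) can be checked with a short script. This is an added example, not part of the original report; the function names and the sample files are constructed for illustration, and the two file paths are passed as arguments.

```shell
#!/bin/sh
# Added example. Paths are arguments so the check can run on copies of the files.
# Limitation: "include"/"substack" lines in the PAM file are not followed.

# Print the last active (uncommented) UMASK value from a login.defs-style file.
login_defs_umask() {
    awk '$1 == "UMASK" && NF >= 2 { v = $2 } END { if (v != "") print v }' "$1"
}

# Succeed if the PAM file has an active session line loading pam_umask.so.
# The module is looked for from field 3 on, so bracketed controls still work.
has_pam_umask() {
    awk '$1 ~ /^-?session$/ {
             for (i = 3; i <= NF; i++) {
                 n = split($i, p, "/")
                 if (p[n] == "pam_umask.so") found = 1
             }
         }
         END { exit !found }' "$1"
}

# Prints: no-umask-set | pam-umask-present:<value> | pam-umask-missing:<value>
check_umask_config() {
    value=$(login_defs_umask "$1")
    if [ -z "$value" ]; then
        echo "no-umask-set"
    elif has_pam_umask "$2"; then
        echo "pam-umask-present:$value"
    else
        echo "pam-umask-missing:$value"
    fi
}

# Constructed sample files (not taken from a real system).
demo() {
    dir=$(mktemp -d) || return 1
    printf '# comment\nUMASK 077\n' > "$dir/login.defs"
    printf 'session required pam_limits.so\n' > "$dir/before"
    printf 'session optional pam_umask.so\nsession required pam_limits.so\n' > "$dir/after"
    check_umask_config "$dir/login.defs" "$dir/before"
    check_umask_config "$dir/login.defs" "$dir/after"
    rm -rf "$dir"
}

if [ "$#" -eq 2 ]; then check_umask_config "$1" "$2"; else demo; fi
```

Run it with the two files named in the report as arguments, for example `/etc/login.defs` and `/etc/pam.d/system-login`; with no arguments it runs on the constructed samples.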