/bin/login from shadow currently has following the man page:

CONFIGURATION
       The following configuration variables in /etc/login.defs change the behavior of this
       tool:
       
       [...]
       
       UMASK (number)
           The file mode creation mask is initialized to this value. If not specified, the
           mask will be initialized to 022.

           useradd and newusers use this mask to set the mode of the home directory they
           create

           It is also used by login to define users' initial umask. Note that this mask can
           be overriden by the user's GECOS line (if QUOTAS_ENAB is set) or by the
           specification of a limit with the K identifier in limits(5).



So I went and edited /etc/login.defs accordingly to set the umask to a different value.

However, that new umask was not picked up. A simple "ssh box umask" showed the default 022 umask. Note that no shell is invoked so /etc/profile, which may define a umask, is not read.

After patching /etc/pam.d/system-login to include the line

session         optional        pam_umask.so

at the top of the session block, it worked as expected.


I expected it to work out of the box based on the documentation mentioned above.