01-05-2010 12:47 PM
Where to configure sftp umask?
We have 2 HP-UX B.11.11 servers, that we thought were configured identically WRT ssh and sftp, but one of them creates files that are PUT to it through sftp with perms of 644 (the preferred perms) and one creates files that are PUT to it through sftp with perms of 600 (not the preferred way). The "bad" file perms started happening a couple of weeks ago and we're not sure if one team of sys admins made any changes (we've asked the other team, but haven't gotten an answer back yet), but we can't find any evidence of anything relevant changing.
Both systems are running Secure Shell A.04.40.006, so I don't think the SftpUmask config option is available in that version, and it's not found in /opt/ssh/etc/sshd_config on either system, so nothing changed in that respect.
# ssh -v
OpenSSH_4.4p1-hpn12v11, OpenSSL 0.9.7l 28 Sep 2006
HP-UX Secure Shell-A.04.40.006, HP-UX Secure Shell version
Here is the sftp line from /opt/ssh/etc/sshd_config on both systems:
Subsystem sftp /opt/ssh/libexec/sftp-server
Both systems have an identical /opt/ssh/etc/sshd_config with the exception of PermitEmptyPasswords, LogLevel, and PermitRootLogin (which shouldn't affect sftp's umask).
I know sftp doesn't source .profile or /etc/profile, and the umask isn't set like it is for ftp in /etc/inetd.conf, so what could've changed and where? Have we overlooked something simple or is there something somewhere that we just don't know about?
The files that brought this to our attention are PUT from a Windows system, and are part of some automated process (which hasn't changed, and from what I've seen, they can't even set perms in the tool they use, which is Sun JavaCaps)
Please let me know if you need any more info, thanks very much!
01-05-2010 12:51 PM
Re: Where to configure sftp umask?
Check the following files:
ssh_config
sshd_config
#for default umask.
In the absence of that:
/etc/profile
.profile
# Any files sourced there. If not set in the ssh configuration, the permissions may respect the user profile, though for sftp I doubt it.
See this link:
http://jeff.robbins.ws/articles/setting-the-umask-for-sftp-transactions
http://www.derkeiler.com/Newsgroups/comp.security.ssh/2005-09/0078.html
http://lists.mindrot.org/pipermail/openssh-unix-dev/2009-January/027118.html
These may apply to Linux, but if they use openssh configuration files, they will work on any *NX platform.
SEP
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
01-05-2010 01:45 PM
Re: Where to configure sftp umask?
# grep -i umask /opt/ssh/etc/ssh_config
# grep -i umask /opt/ssh/etc/sshd_config
#
No files sourced in ~myuserid/.profile, but I did put umask 022 in ~myuserid/.profile just to check and that didn't affect the perms on the created file, it was still 600, since .profile-type files don't get sourced during sftp logins (from what little I know about sftp).
Read the links, thanks, that is a long-shot option that I really don't want to implement unless absolutely necessary.
What's confusing us is that something affecting the umask for sftp changed, but if there's nowhere that certain something can be changed on the HP-UX server, how'd it get changed? I'm tempted to go back (for about the 5th time since they keep denying it :-) ) to the app group that PUTs the file to make absolutely sure *nothing* changed on their end.
01-05-2010 01:52 PM
Re: Where to configure sftp umask?
#grep mask sshd_config
SftpUmask 002
01-05-2010 07:56 PM
Re: Where to configure sftp umask?
(on a side note, of course it was blamed on us for reporting it instead of the guy that rolled out an incompatible ssh version where the setting didn't work anymore :)
01-06-2010 07:47 AM
Re: Where to configure sftp umask?
$ssh -v
OpenSSH_4.4p1-hpn12v11, OpenSSL 0.9.7l 28 Sep 2006
HP-UX Secure Shell-A.04.40.006, HP-UX Secure Shell version
And according to the release notes (http://docs.hp.com/en/5991-7494/5991-7494.pdf), SftpUMask is not supported in that release:
Unsupported Features
Starting with this version of HP-UX Secure Shell, the following
configuration directives are not supported:
- LogSftp no
- SftpLogFacility AUTH
- SftpLogLevel INFO
- SftpUMask
- SftpPermitChmod yes
- SftpPermitChown yes
Thanks though. :-(
01-24-2010 04:50 PM
Re: Where to configure sftp umask?
I am running
root@mxpapp01# swlist |grep Secure
OpenSSL A.00.09.07m.056 Secure Network Communications Protocol
T1471AA A.05.20.014 HP-UX Secure Shell
and from ssh -v
root@mxpapp01# ssh -v
OpenSSH_5.2p1+sftpfilecontrol-v1.3-hpn13v5, OpenSSL 0.9.8k 25 Mar 2009
HP-UX Secure Shell-A.05.20.014, HP-UX Secure Shell version
2) Check UMASK in /etc/default/security
# Default umask value upon login. Note: This
# parameter controls umask(2) of all sessions
# initiated via pam_unix(5) and/or pam_hpsec(5).
# UMASK=022
UMASK=077 <---- my setting
NOTICE this is pam security for all sessions as is stated.
Also notice I have restricted my UMASK to 077.
I also edit my /etc/opt/ssh/sshd_config a.k.a /opt/ssh/etc/sshd_config
and
# sftp-server umask control
#SftpUmask
SftpUmask 022
I allow umask 022 for sftp only here; if you were to scp the same file, it will be created using the 077 umask from /etc/default/security.
User profile umask setting will not be honored by scp or sftp.
man pam.conf
man pam_unix
man pam_hpsec
man sshd_config
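
The precedence described in the last post (SftpUmask in sshd_config for sftp only, UMASK in /etc/default/security for everything else), as an added example that is not part of any post in this thread. The function names and the sample files are constructed for illustration, the 0666 creation mode is an assumption about a client that requests no specific mode, and SftpUmask only has an effect on Secure Shell releases that support the directive (the thread quotes release notes saying A.04.40.006 does not).

```shell
#!/bin/sh
# Added example (not from the thread): which umask applies to sftp vs. scp,
# using the precedence described in the last post. Sample files are constructed.

# First uncommented "SftpUmask <octal>" in an sshd_config (keyword match is case-insensitive).
sshd_sftp_umask() {
    awk 'tolower($1) == "sftpumask" && $2 ~ /^[0-7]+$/ { print $2; exit }' "$1"
}

# First uncommented "UMASK=<octal>" in an /etc/default/security style file.
security_umask() {
    awk 'match($0, /^[ \t]*UMASK=[0-7]+/) {
             s = substr($0, RSTART, RLENGTH); sub(/.*=/, "", s); print s; exit }' "$1"
}

# effective_umask sftp|scp SECURITY_FILE SSHD_CONFIG -> umask, or "unset"
effective_umask() {
    u=""
    if [ "$1" = sftp ]; then u=$(sshd_sftp_umask "$3"); fi
    if [ -z "$u" ]; then u=$(security_umask "$2"); fi
    printf '%s\n' "${u:-unset}"
}

# Mode of a new file, assuming the client requests no mode and the server creates with 0666.
new_file_mode() {
    printf '%03o\n' $(( 0666 & ~0$1 ))
}

demo=$(mktemp -d) && trap 'rm -rf "$demo"' EXIT
# Constructed /etc/default/security, modelled on the lines quoted in the last post.
cat > "$demo/security" <<'EOF'
# UMASK=022
UMASK=077 <---- my setting
EOF
# Constructed sshd_config fragments: one with the directive, one without.
printf '# sftp-server umask control\n#SftpUmask\nSftpUmask 022\n' > "$demo/sshd_with"
printf 'Subsystem sftp /opt/ssh/libexec/sftp-server\n' > "$demo/sshd_without"

for cfg in sshd_with sshd_without; do
    for proto in sftp scp; do
        u=$(effective_umask "$proto" "$demo/security" "$demo/$cfg")
        echo "$cfg $proto umask=$u mode=$(new_file_mode "$u")"
    done
done
```

On a real system the two file arguments would be /etc/default/security and /opt/ssh/etc/sshd_config, the paths named in the thread.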