How do I set up an email alert when a ssh login is successful?
Warning: As always when you change the login configuration, leave a backup ssh session open in the background and test the login from a new terminal.
Since the sshrc method doesn't work if the user has their own ~/.ssh/rc file, I'll explain how to do this with pam_exec as @adosaiguas suggested. The good thing is that this can also be easily adapted to login types other than ssh (such as local logins or even all logins) by hooking into a different file in /etc/pam.d/.
First you need to be able to send mail from the command line. There are other questions about this. On a mail server it's probably easiest to install mailx (which is probably already installed anyway).
Then you need an executable script file login-notify.sh (I put it in /etc/ssh/ for example) with the following content. You can change the variables to change the subject and content of the e-mail notification. Don't forget to execute chmod +x login-notify.sh to make it executable.
#!/bin/sh
# Change these two lines:
sender="[email protected]"
recepient="[email protected]"
if [ "$PAM_TYPE" != "close_session" ]; then
host="`hostname`"
subject="SSH Login: $PAM_USER from $PAM_RHOST on $host"
# Message to send, e.g. the current environment variables.
message="`env`"
echo "$message" | mailx -r "$sender" -s "$subject" "$recepient"
fi
Once you have that, you can add the following line to /etc/pam.d/sshd:
session optional pam_exec.so seteuid /path/to/login-notify.sh
For testing purposes, the module is included as optional, so that you can still log in if the execution fails. After you made sure that it works, you can change optional to required. Then login won't be possible unless the execution of your hook script is successful (if that is what you want).
For those of you in need of an explanation of what PAM is and how it works, here is a very good one.
Warning: according to the comments, this does not work if the user creates a file called
~/.ssh/rc.*
Modify or create /etc/ssh/sshrc with the following contents:
ip=`echo $SSH_CONNECTION | cut -d " " -f 1`
logger -t ssh-wrapper $USER login from $ip
echo "User $USER just logged in from $ip" | sendemail -q -u "SSH Login" -f "Originator <[email protected]>" -t "Your Name <[email protected]>" -s smtp.server.com &
This will effectively notify you by email anytime someone logs in through SSH, and the login will be logged in the syslog.
Note: You'll need the sendemailpackage (sudo apt-get install sendemail) for the email notification to work.
Note: works with port forwarding, but with -N option not.
Put the following in /etc/profile:
if [ -n "$SSH_CLIENT" ]; then
TEXT="$(date): ssh login to ${USER}@$(hostname -f)"
TEXT="$TEXT from $(echo $SSH_CLIENT|awk '{print $1}')"
echo $TEXT|mail -s "ssh login" [email protected]
fi
How the script works
/etc/profile is executed at every login (for bash shell users). The if statement will only return true if the user has logged in via ssh, which in turn will cause the indented code block to be run.
Next, we then build the text of the message:
$(date)will be replaced by the output of thedatecommand${USER}will be replaced by the user’s login name$(hostname -f)will be replaced by the full hostname of the system being logged into
The second TEXT line adds to the first, giving the IP address of the system this user is logging in from. Finally, the generated text is sent in an email to your address.
Summary Linux will, by default, record every system login, whether by ssh or not, in the system log files, but sometimes – particularly for a system that is seldom accessed via ssh – a quick and dirty notification can be useful.