13

I'd like my OpenSSH server to start a script whenever a user logs in using SSH, ideally passing the host name or IP, as well as the user name. Additionally I'd like it to run a script, whenever a session is terminated (passing the username). These scripts should not run in the user's session, but system wide.

The idea is to give an audio warning on login and logout, e.g. using espeak, and to display the information on an external display.

I've seen that there is a pam-scripts package but I'm not sure if this does what I want, nor how to use it.

muru
  • 207,228
sunside
  • 233

5 Answers

10

You can force a command onto your SSH-users instead of the one they request (or their shell if they don't give a specific command). This can be done by specifying that command with something like ForceCommand /root/ssh-wrapper in /etc/ssh/sshd_config (it doesn't matter where the script is located or how it's named, just make sure it is executable by all users and the sshd configuration file points to it). You also need to restart/reload sshd. The original command is accessible to the forced command as $SSH_ORIGINAL_COMMAND.

I just hacked this script together:

#! /bin/sh

# add logger options when needed
log="logger -t ssh-wrapper"

# find the client IP address: SSH_CONNECTION holds
# "client-ip client-port server-ip server-port"
ip=`echo $SSH_CONNECTION | cut -d " " -f 1`

$log "$USER login from $ip"
espeak "$USER just logged in from $ip" > /dev/null 2>&1

# run the command the client asked for through the user's shell (so quoting
# and pipes behave as they normally would), or an interactive login shell when
# no command was given; do not exec it, or the logout lines below never run
if [ -n "$SSH_ORIGINAL_COMMAND" ]; then
    $log "command: $SSH_ORIGINAL_COMMAND"
    "${SHELL:-/bin/sh}" -c "$SSH_ORIGINAL_COMMAND"
else
    $log "command: shell"
    "${SHELL:-/bin/sh}" -l
fi

$log "$USER logout"
espeak "$USER just logged out" > /dev/null 2>&1

Now every time I log in or log out, a voice tells me about it, and a log entry gets written to syslog. It also logs the command. You can use something like the following to "follow" your sshd usage:

tailf /var/log/syslog | grep ssh-wrapper

Please note that this script is mostly untested, so use at your own risk! ;-)

PS: remember that this script is run as the user that logged in, so you can't do everything you want if you change it to add more features...

muru
  • 207,228
JanC
  • 19,802
1

I've seen this done by matching events in the log file before (which would allow you flexibility in matching anything). This page is poorly formatted, but it might help you get started: https://help.ubuntu.com/community/AudibleLogs#Play with esound

kanaka
  • 293
1

You can use sshrc (see man sshd and search for sshrc).

ssh will execute /etc/ssh/sshrc if it exists, and you can run one script (or call multiple scripts) from there.

You can call any bash variable, like $USER, or get the IP via

read -d " " ip <<< $SSH_CONNECTION

You can write a script to test or log whatever you want.

Logout script... well, that is what I'm searching for! :D

higuita
  • 2,176
0

(Answer cross-posted from the same question on ServerFault)

Just write a script to do whatever you want and then stick it in /etc/profile or possibly /etc/bash.bashrc, depending on your needs. Changes to those files will apply to all users. I'm not sure how you'd go about notifying on logout with this approach, though.

Alternatively, another way to do this would be to have a simple daemon monitoring /var/log/auth for new (and closing) ssh sessions. That way it would be able to send notifications on both login and logout.

EEAA
  • 101
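The log-monitoring approach EEAA sketches, written out as an added example (this is not code from the original answer): a POSIX sh script that follows the authentication log and turns sshd's own lines into login and logout events, so it catches both directions without touching the user's session. It assumes Ubuntu's default syslog line format in /var/log/auth.log and an sshd running with PAM support, so that the pam_unix(sshd:session) lines appear; the script name, the logger tag and the log lines in the demo are constructed for the example. The script must run as root or as a member of the adm group to read the log.

```shell
#!/bin/sh
# ssh-session-monitor.sh (hypothetical name): follow /var/log/auth.log and
# report SSH logins and logouts. Added example; assumes the Ubuntu syslog
# line format and an sshd that uses PAM (UsePAM yes).

# Classify one log line. Prints "login USER IP" for a successful
# authentication, "logout USER" when the PAM session closes, nothing otherwise.
ssh_session_event() {
    case "$1" in
        *"sshd["*"]: Accepted "*" for "*" from "*" port "*)
            # e.g. "Accepted publickey for alice from 203.0.113.5 port 51234 ssh2: ..."
            ev_user=$(printf '%s\n' "$1" | sed -n 's/.*Accepted [^ ]* for \([^ ]*\) from \([^ ]*\) port .*/\1/p')
            ev_ip=$(printf '%s\n' "$1" | sed -n 's/.*Accepted [^ ]* for \([^ ]*\) from \([^ ]*\) port .*/\2/p')
            printf 'login %s %s\n' "$ev_user" "$ev_ip"
            ;;
        *"sshd["*"]: pam_unix"*"session closed for user "*)
            # e.g. "pam_unix(sshd:session): session closed for user alice"
            ev_user=$(printf '%s\n' "$1" | sed -n 's/.*session closed for user \([^ (]*\).*/\1/p')
            printf 'logout %s\n' "$ev_user"
            ;;
    esac
}

# Act on an event: one syslog entry plus the audio warning, detached so a
# slow audio device never blocks the log reader.
announce() {
    logger -t ssh-monitor "$1"
    espeak "$1" >/dev/null 2>&1 </dev/null &
}

# Follow the log. -F reopens the file after logrotate; -n0 skips the history
# so old sessions are not re-announced at start-up.
monitor() {
    tail -n0 -F /var/log/auth.log | while IFS= read -r line; do
        ev=$(ssh_session_event "$line")
        [ -n "$ev" ] && announce "$ev"
    done
}

case "${1:-}" in
    --demo)
        # Constructed sample lines, not real log data: a failed attempt that
        # must be ignored, then one complete session.
        printf '%s\n' \
            'Jun  4 10:14:00 host sshd[1230]: Failed password for invalid user admin from 198.51.100.7 port 40000 ssh2' \
            'Jun  4 10:15:02 host sshd[1234]: Accepted publickey for alice from 203.0.113.5 port 51234 ssh2: ED25519 SHA256:AbCd' \
            'Jun  4 10:15:02 host sshd[1234]: pam_unix(sshd:session): session opened for user alice by (uid=0)' \
            'Jun  4 10:20:45 host sshd[1234]: pam_unix(sshd:session): session closed for user alice' |
        while IFS= read -r line; do ssh_session_event "$line"; done
        ;;
    --run) monitor ;;
esac
```

Run it with --demo to see the two events the sample lines produce, and with --run (as root) to follow the live log. Matching the "Accepted" line rather than "session opened" gives you the client address; matching "session closed" gives you the logout, which the Accepted line cannot. Lines such as failed passwords or invalid users never match and are dropped.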
0

I think PAM is the best option. It's system-wide and can't be overridden by users' config files.

You can follow these steps. They worked for me on Ubuntu 14.04.4 LTS.

Run:

$ sudo pico /opt/custom/bin/info-session.sh

Edit that empty file and add these lines:

#!/bin/sh

[ "$PAM_TYPE" = "open_session" ] || exit 0

INFO=$(date +"%Y/%m/%d %T $PAM_USER ($PAM_RHOST) $PAM_SERVICE $PAM_TTY") # You can customize message.

echo "PAM access: $INFO" | write user > /dev/null 2>&1 # See Note 1.

exit 0

After that, give execute permission to the script:

$ sudo chmod ugo+x /opt/custom/bin/info-session.sh

Now, run:

$ sudo pico /etc/pam.d/common-session

Add these lines at the end of the file:

# Modified by user:
session optional pam_exec.so /opt/custom/bin/info-session.sh

There's no need to restart any service. Note that this script will also be run when a user logs in from a terminal instead of SSH.

Note 1: You can pipe to espeak or any other process which fits your needs (email, push notification, and so on...). If you use write and the user is logged in, he or she will see the output messages directly on their terminal.

References:
https://blog.stalkr.net/2010/11/login-notifications-pamexec-scripting.html
https://blog.redbranch.net/2014/06/04/pam_exec-so-execute-commands-on-user-login/

Related:
How do I set up an email alert when a ssh login is successful?
https://serverfault.com/questions/400613/how-can-i-configure-my-server-to-notify-me-whenever-it-is-remotely-accessed-via
https://serverfault.com/questions/395393/email-notification-about-each-ssh-connection-to-linux-server

Pestro
  • 3
  • 2
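A variant of Pestro's pam_exec hook that also covers logout, added here as an example and not part of the original answer: PAM invokes the same script a second time with PAM_TYPE=close_session when the session ends, so one script can announce both directions, which is what the question asked for. It assumes sshd runs with UsePAM yes (Ubuntu's default), a hypothetical script path /opt/custom/bin/ssh-session-hook.sh, and that the pam_exec line goes in /etc/pam.d/sshd rather than common-session, so console, su and cron sessions do not trigger it. Because pam_exec runs the script as root inside sshd, the file must be owned by root and not writable by anyone else, and the values PAM hands over are only ever passed as arguments, never through eval or a shell string.

```shell
#!/bin/sh
# /opt/custom/bin/ssh-session-hook.sh (hypothetical path). Added example.
# Install:  sudo chown root:root ssh-session-hook.sh && sudo chmod 755 ssh-session-hook.sh
# Enable with this line at the end of /etc/pam.d/sshd (not common-session):
#   session optional pam_exec.so /opt/custom/bin/ssh-session-hook.sh
# pam_exec exports PAM_TYPE, PAM_USER, PAM_RHOST, PAM_SERVICE and PAM_TTY and
# runs the script as root, once with open_session and once with close_session.

# Build the announcement for one PAM event. Arguments: type user rhost service.
# Prints nothing and returns 1 for events this hook should ignore.
session_message() {
    hook_type=$1 hook_user=$2 hook_rhost=$3 hook_service=$4
    # Only SSH sessions: if the line were in common-session, login, su and
    # cron would land here too, so the service check keeps the filter explicit.
    [ "$hook_service" = "sshd" ] || return 1
    case "$hook_type" in
        open_session)  printf '%s logged in from %s\n' "$hook_user" "${hook_rhost:-unknown host}" ;;
        close_session) printf '%s logged out\n' "$hook_user" ;;
        *)             return 1 ;;
    esac
}

# Only act when invoked by pam_exec (PAM_TYPE is set); running the file by
# hand does nothing. No trailing exit: with "session optional" the return
# value cannot block a login anyway.
if [ -n "${PAM_TYPE:-}" ]; then
    if msg=$(session_message "$PAM_TYPE" "${PAM_USER:-}" "${PAM_RHOST:-}" "${PAM_SERVICE:-}"); then
        logger -t ssh-session "$msg"
        # Detach espeak so a slow audio device does not hold up the login.
        espeak "$msg" >/dev/null 2>&1 </dev/null &
    fi
fi
```

Putting the line in /etc/pam.d/sshd instead of common-session and checking PAM_SERVICE inside the script are two layers of the same filter; keep both so that a later copy of the script into another PAM service does not silently start announcing console logins. PAM_RHOST is set by sshd to the client address, so no parsing of SSH_CONNECTION is needed.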