Send Email Notification after a SSH Login
Setting up e-mail notifications and alerts when a user signs in through SSH requires a shell script and a small modification to PAM. Keep in mind that if you’re setting up this alert for security, then you probably want to look at locking down your system first and securing all of your services instead of just receiving alerts. This notification can be useful as an extra alert for logins, but don’t rely on it as a security feature because you won’t always be monitoring your e-mail, and once an attacker signs into your server, it’s too late.
This tutorial was tested on a Debian Stretch server using EXIM as the MTA and using the mail command from GNU Mailutils. Depending on your current Linux distribution and the services you have installed, the tutorial may vary slightly and require additional modifications.
Creating the Shell Script
The first part of this tutorial is to create a shell script that will send an e-mail. Since we are integrating the script with PAM, there are a few environment variables provided by pam_exec we have access to which will be useful to include in the e-mail. This script assumes you have EXIM configured to send outgoing e-mails. Slight modifications may be required if you are using Sendmail, Postfix, or any other MTA.
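#!/bin/sh
# Recipient, sender and subject of the notification
EMAIL_TO="sysadmin@example.com"
EMAIL_FROM="ssh-alert@server1.example.com"
SUBJECT="SSH Login Notification"
# PAM_USER and PAM_RHOST are set by pam_exec when PAM runs the script
MESSAGE="
A user signed into your server through SSH.
-------------------------------------------
Username: ${PAM_USER}
IP Address: ${PAM_RHOST}"
# Send only when the session opens, not when it closes. PAM_TYPE is quoted
# so the test does not break when the variable is unset.
if [ "${PAM_TYPE}" = "open_session" ]; then
    echo "${MESSAGE}" | mail -n -r "${EMAIL_FROM}" -s "${SUBJECT}" "${EMAIL_TO}"
fi
# Always report success to PAM, even if sending the mail failed
exit 0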
Once your script is created, be sure to set the permissions of the script to be executable and only allow the root user to edit the file, since pam_exec runs it with sshd's root privileges at every login. The directory /etc/pam_scripts is a nice location to store all custom scripts you add to PAM; some users opt to store the scripts directly in the /etc/pam.d folder. To test your script from the command line, you will want to comment out the if statement around the mail command by prefixing the lines with the pound symbol (#). Test your script and make sure you receive the e-mail notification. The test e-mail will be void of values for the username and IP address because those environment variables are not set and will only be available when PAM runs the script.
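The permission requirement and the command-line test described above can also be checked without editing the script. The following is an added example, not part of the original tutorial; the function names check_hook_perms and dry_run_hook and the sample user and address are hypothetical. It sets the variables pam_exec provides and puts a stub mail command first on PATH, so no message leaves the host.

```shell
#!/bin/sh
# Added example: checks to run before wiring a script into pam_exec.
# Function names and sample values are hypothetical, not from the tutorial.

# Succeed only if FILE is a regular file (not a symlink) owned by WANT_UID
# (default 0 = root), owner-executable, and not group- or world-writable.
check_hook_perms() {
    file=$1; want_uid=${2:-0}
    if [ ! -f "$file" ] || [ -L "$file" ]; then
        echo "not a regular file: $file" >&2; return 1
    fi
    # ls -ldn: field 1 is the mode string (-rwxr-xr-x), field 3 the numeric uid.
    ls -ldn "$file" | awk -v uid="$want_uid" '{
        ok = ($3 == uid && substr($1, 4, 1) ~ /[xs]/ &&
              substr($1, 6, 1) == "-" && substr($1, 9, 1) == "-")
        exit !ok
    }' || { echo "unsafe owner or mode: $file" >&2; return 1; }
}

# Run HOOK with the environment pam_exec provides (PAM_TYPE defaults to
# open_session). A stub "mail" is placed first on PATH, so nothing is sent;
# the stub prints the arguments and message body it received.
dry_run_hook() {
    hook=$1; user=$2; rhost=$3; ptype=${4:-open_session}
    stub=$(mktemp -d) || return 1
    printf '#!/bin/sh\necho "ARGS: $*"\ncat\n' > "$stub/mail"
    chmod 700 "$stub/mail"
    PATH="$stub:$PATH" PAM_TYPE="$ptype" PAM_USER="$user" PAM_RHOST="$rhost" \
        PAM_SERVICE=sshd "$hook"
    rc=$?
    rm -rf "$stub"
    return "$rc"
}

# Usage (as root, with constructed sample values):
#   check_hook_perms /etc/pam_scripts/login-email-notification.sh
#   dry_run_hook /etc/pam_scripts/login-email-notification.sh alice 192.0.2.10
```

Passing close_session as the fourth argument to dry_run_hook should print nothing, which confirms the if guard only fires when a session opens.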
Configuring PAM
Now it’s time to configure PAM to run the script you created. By default, OpenSSH creates the file /etc/pam.d/sshd, and you will need to edit the file to include the location of the script above. Open /etc/pam.d/sshd with your favorite editor as root (nano, vim, etc.) and add the following lines to the configuration file.
# Login Email Notification
session required pam_exec.so /etc/pam_scripts/login-email-notification.sh
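There is no need for a system or service restart for the script to start running after authentication. Because the line uses the required control, a non-zero exit status from the script makes the session step fail and the login is refused, which is why the script always ends with exit 0. There is a lot of additional information you should read about Running Scripts after Authentication along with additional troubleshooting techniques, script and file permissions, and why using PAM is better than other techniques.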
Troubleshooting
If you are running into problems with receiving an e-mail notification after a user signs in through SSH, some of the below solutions may help you out. First, you want to make sure your script is set as executable. Run the command chmod +x <script> to set the shell script to be executable.
The problem could also exist if you don’t have an MTA or your MTA doesn’t provide the sendmail command that mail from GNU Mailutils uses to send messages. First look into the log file for your MTA and check for any issues. If nothing stands out, consider changing the shell script from using the mail command to sendmail.
If your script runs fine by itself but fails to run when signing in through SSH, you will want to look at the post “Running Scripts after SSH Authentication” and follow those troubleshooting techniques. It could also be useful to read through the article even if you don’t have any issues to confirm all modifications you made to PAM and your sshd_config file are correct.