I coined this little trick the other day, and I thought I might share it. I wanted, for fun, to be notified on gtalk every time someone logs in to my server. You never know, maybe I could discover unexpected connections. It turned out to be possible, and the whole thing cost me reading a couple of manpages and typing 5 lines of code.
Before you do the same thing with your own server, let me claim here that I am absolutely not a security expert. It is more an experiment than anything else, so I suggest being really careful and reading all the manpages involved if you want to do the same thing. Also, I'd be happy to be notified of any potential threat in the comments.
Basically, you can have PAM (Pluggable Authentication Modules, the thing that handles authentication on Linux) execute external commands. The module in question is called pam_exec, and it is often used to rebuild databases e.g. when passwords are changed. It can also be activated when someone logs in. The manpage explains that the following PAM items are exported as environment variables to the program executed:

    PAM_RHOST, PAM_RUSER, PAM_SERVICE, PAM_TTY, PAM_USER, PAM_TYPE
I decided to use it to my advantage. I created on jabber.org an account for my server. I added it in my gmail friends, and I wrote this little script, using sendxmpp (saved as /usr/local/bin/login_notify):

    #!/bin/sh
    # Send the login details over XMPP; run in the background, output discarded.
    echo "$PAM_USER@`hostname` logged from $PAM_RHOST" | \
      sendxmpp -u server_account -j jabber.org -p xxxx email@example.com >/dev/null 2>&1 &
    # Always report success to PAM.
    exit 0
Note that the sendxmpp command runs in the background and that its exit status is ignored. Otherwise PAM would wait for the command to return before letting me in, and it would deny me access if the notification failed to be delivered. Two things I clearly want to avoid.
Then, the following line goes at the end of /etc/pam.d/sshd:

    session optional pam_exec.so /usr/local/bin/login_notify
There you go, notifications each time someone logs in.
Are you doing this for real? Read on...
Ok, just a couple of extra instructions for you:
- Be really really careful before modifying /etc/pam.d/sshd. If you put a bogus command in there, you might screw up your remote access. Please double check that the command /usr/local/bin/login_notify is running with no error. Only when you are sure of that, you can add the line to /etc/pam.d/sshd.
- Don't forget to chmod +x /usr/local/bin/login_notify
- When you run /usr/local/bin/login_notify, you should receive a jabber message. If you don't, then you have to verify that you can actually send messages to your gmail account. Use a jabber client and try to have a conversation with your gmail account. Then, try to use sendxmpp, then try again with the
- My instructions are probably incomplete. Use your brain to fill in the blanks.
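
A variant of the login_notify script above, as an added example that is not the original author's code: it reports only session openings (on a session line pam_exec also runs the command at close_session, so the original also fires at logout) and has a dry-run mode for checking the script before /etc/pam.d/sshd is edited. The --dry-run flag and the function names are this example's own; the sendxmpp call and its placeholders are the page's.

```shell
#!/bin/sh
# Added example (not the original script): login_notify variant that only
# reports session openings and can be dry-run before editing /etc/pam.d/sshd.

# Build the notification from the variables pam_exec exports.
# Returns 1 for any PAM_TYPE other than open_session: on a "session" line
# pam_exec runs the command at close_session too, i.e. also at logout.
build_message() {
    [ "${PAM_TYPE:-}" = "open_session" ] || return 1
    # Drop control characters so a value cannot inject extra lines.
    user=$(printf '%s' "${PAM_USER:-unknown}" | tr -d '[:cntrl:]')
    rhost=$(printf '%s' "${PAM_RHOST:-local}" | tr -d '[:cntrl:]')
    printf '%s@%s logged in from %s (%s)\n' \
        "$user" "$(uname -n)" "$rhost" "${PAM_SERVICE:-unknown}"
}

# Deliver the message read from stdin with the page's sendxmpp call.
# server_account, xxxx and email@example.com are the page's placeholders.
send_message() {
    sendxmpp -u server_account -j jabber.org -p xxxx email@example.com
}

# notify [--dry-run]: with --dry-run (hypothetical flag of this example),
# print the message instead of sending it.
# Always returns 0 so a failed notification never blocks a login.
notify() {
    msg=$(build_message) || return 0
    if [ "${1:-}" = "--dry-run" ]; then
        printf '%s\n' "$msg"
    else
        printf '%s\n' "$msg" | send_message >/dev/null 2>&1 &
    fi
    return 0
}

# Run only when installed under the name login_notify, so the functions can
# be sourced and tested from another file without sending anything.
case "${0##*/}" in
    login_notify) notify "$@"; exit 0 ;;
esac
```

To check the script from a shell without sending anything: PAM_TYPE=open_session PAM_USER=alice PAM_RHOST=203.0.113.7 PAM_SERVICE=sshd /usr/local/bin/login_notify --dry-run (constructed values). The -p option puts the account password on the sendxmpp command line, where other local users can read it from the process list while the command runs.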