using pam_exec to send pushover.net notifications of all logins (ssh, scp)
Credit to @feldpos for providing the original version of this file, which was designed for inclusion in a .bashrc or similar file
$ ls -l /etc/pam.d/pushovernet.sh
-rwxr-xr-x 1 root wheel 485 Mar 22 14:48 /etc/pam.d/pushovernet.sh
$ cat /etc/pam.d/pushovernet.sh
#!/bin/sh
# Run by pam_exec(8); the PAM_* variables come from its environment.
# The same "session" line fires for both session open and session close,
# so filter on the function name. POSIX test(1) compares strings with a
# single "=", not "==".
if [ "${PAM_SM_FUNC}" = "pam_sm_open_session" ]; then
    P_KEY="YOUR USER KEY HERE"
    P_TOKEN="YOUR APP TOKEN HERE"
    P_MSG="${PAM_USER} logged in to $(hostname) from ${PAM_RHOST} via ${PAM_SERVICE}"
    P_DATE=$(date +%s)
    P_TITLE="Logins"
    # Background the POST so the login is not held up waiting for the API.
    nohup /usr/local/bin/curl -q -s \
        --form-string "token=$P_TOKEN" \
        --form-string "user=$P_KEY" \
        --form-string "message=$P_MSG" \
        --form-string "timestamp=$P_DATE" \
        --form-string "title=$P_TITLE" \
        https://api.pushover.net/1/messages.json > /dev/null 2>&1 &
fi
add this line to the bottom of /etc/pam.d/sshd (the session stack; ssh, scp and sftp all arrive as the same service, sshd, so one line covers all of them, and "optional" means a failing script never blocks the login):
session optional pam_exec.so /etc/pam.d/pushovernet.sh
Note the mode in the ls output above: 0755 makes the embedded user key and app token readable by every local account. sshd opens the PAM session as root, so chmod 0700 on the script loses nothing.
Login: dan logged in to empty.int.unixathome.org from 10.1.1.1 via sshd
dlangille commented Mar 22, 2018

This solution uses global values for the P_KEY and P_TOKEN. It will be invoked for all users.

scp, ssh, sftp: all result in the same value for PAM_SERVICE: sshd

The script could check for ~/.pushover

If it exists, then the notification is invoked. Each user could then optionally turn this service on.

~/.pushover could also contain the P_KEY and P_TOKEN values...

dlangille commented Mar 22, 2018

By testing for different values of PAM_SM_FUNC you could also log session termination (i.e. logout)

dlangille commented Mar 22, 2018

We should test for curl before invoking same.

Will not work with fetch(1)

  • pushover.net needs a POST
  • fetch(1) doesn't do the nice stuff which --form-string does on curl
dlangille commented Mar 23, 2018

The curl command backgrounds, and allows you to login.

NOTE: the parameters are clearly visible via ps auwwx

ghost commented Mar 24, 2018

you could dump the parameters into a tmpfile which you immediately delete or possibly pass them via stdin to prevent that. seems more effort than it's worth, though. an attacker can not do much but annoy you with messages.
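The comments above suggest four changes to the gist's script: a per-user opt-in file, reporting pam_sm_close_session as well as open, checking that curl is present before calling it, and keeping the token and user key out of the argument list that ps shows. The script below is an added example that combines them; it is not the gist's script and not dlangille's or ghost's code. It assumes the FreeBSD pam_exec(8) variable names the gist uses (PAM_SM_FUNC, PAM_USER, PAM_RHOST, PAM_SERVICE), a hypothetical per-user file ~/.pushover holding a "token=" line and a "user=" line, and that getent(1) is available for the home-directory lookup. The secrets reach curl as a config file on standard input (curl -K -), which is the stdin route the last comment mentions, so nothing sensitive appears in the process arguments.

```sh
#!/bin/sh
# Added example: per-user, opt-in pam_exec notifier for Pushover.
# Assumed interface: FreeBSD pam_exec(8) exports PAM_SM_FUNC, PAM_USER,
# PAM_RHOST and PAM_SERVICE. Assumed opt-in file ~/.pushover, two lines:
#   token=<app token>
#   user=<user key>
# Secrets are fed to curl on stdin as a curl config (-K -), never on argv.

API_URL="https://api.pushover.net/1/messages.json"

# Map the PAM function name to a verb; fail for phases we do not report.
event_verb() {
    case "$1" in
        pam_sm_open_session)  echo "logged in to" ;;
        pam_sm_close_session) echo "logged out of" ;;
        *) return 1 ;;
    esac
}

# Compose the message: args are func, user, rhost, service, hostname.
# A local login has no PAM_RHOST, so report it as "unknown".
build_message() {
    verb=$(event_verb "$1") || return 1
    echo "$2 $verb $5 from ${3:-unknown} via $4"
}

# Accept the opt-in file only if it is a regular file (not a symlink),
# owned by the user, and unreadable by group and other; print its path.
# find(1) is used because -user and -perm are POSIX, unlike the
# BSD/GNU stat(1) flag sets.
check_config() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    [ -n "$(find "$1" -prune -type f -user "$2" \
          ! \( -perm -040 -o -perm -004 \) -print 2>/dev/null)" ] || return 1
    echo "$1"
}

# Pull one key=value from the opt-in file (first match wins).
cfg_value() {
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# Escape a value for a double-quoted curl config string.
cfg_quote() {
    printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'
}

# Emit the curl config: one form-string per field, secrets included.
# Args: opt-in file, message, title.
curl_config() {
    printf 'form-string = "token=%s"\n' "$(cfg_quote "$(cfg_value "$1" token)")"
    printf 'form-string = "user=%s"\n' "$(cfg_quote "$(cfg_value "$1" user)")"
    printf 'form-string = "message=%s"\n' "$(cfg_quote "$2")"
    printf 'form-string = "title=%s"\n' "$(cfg_quote "$3")"
    printf 'form-string = "timestamp=%s"\n' "$(date +%s)"
}

# Entry point when invoked by pam_exec; every early exit is a silent no-op
# so the login is never affected.
pam_hook() {
    event_verb "${PAM_SM_FUNC:-}" >/dev/null || return 0
    command -v curl >/dev/null 2>&1 || return 0          # no curl, no notification
    home=$(getent passwd "${PAM_USER:-}" 2>/dev/null | cut -d: -f6)
    [ -n "$home" ] || return 0
    cfg=$(check_config "$home/.pushover" "$PAM_USER") || return 0   # user has not opted in
    msg=$(build_message "$PAM_SM_FUNC" "$PAM_USER" "${PAM_RHOST:-}" \
                        "${PAM_SERVICE:-}" "$(hostname)")
    # Background the POST; the config (with the secrets) travels on stdin.
    curl_config "$cfg" "$msg" "Logins" | \
        nohup curl -q -s -K - "$API_URL" >/dev/null 2>&1 &
}

if [ -n "${PAM_SM_FUNC:-}" ]; then
    pam_hook
fi
```

It can be exercised outside PAM by exporting the variables pam_exec would set, for example PAM_SM_FUNC=pam_sm_open_session PAM_USER=dan PAM_RHOST=10.1.1.1 PAM_SERVICE=sshd sh /etc/pam.d/pushovernet.sh; the session line in /etc/pam.d/sshd stays as in the gist. The symlink and ownership checks matter because the hook runs as root: without them a user could point ~/.pushover at a file they cannot read and have its first "token=" line posted to Pushover.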
