I recently spun up a RHEL 8 server on my favorite cloud service to use as part of my study lab for RHCSA. I created a login for my brother, who is also studying similar topics. I thought it might be fun to ambush him with some silly messages using the write and wall commands the next time he logged in, but how would I know when he does? I needed to generate a notification when he logged into the server. I had recently discovered pushcut: an amazing app that allows you to generate custom push notifications to your iPhone. Check it out at https://www.pushcut.io/ and download the app. Pushcut is free for basic functionality, including the creation of custom push notifications triggered by a webhook. So to generate the push notification, all I needed to do was trigger the following command whenever someone logged in to the server using SSH:
curl -X POST https://api.pushcut.io/<webhook-string>/notifications/Boss%20Login%20Alert
After a little research, I determined that the best approach would be to write up a shell script and trigger that from the PAM (Pluggable Authentication Module) event.
#!/bin/bash
if [ "$PAM_TYPE" != "close_session" ]; then
curl -X POST https://api.pushcut.io/<webhook-string>/notifications/Boss%20Login%20Alert
fi
The script is saved to /usr/local/bin/login-notify.sh. Then, to set it to be triggered by a PAM login event, just append this line to the end of /etc/pam.d/sshd:
session optional pam_exec.so seteuid /usr/local/bin/login-notify.sh
That’s it! He’ll never see it coming! This solution is not a replacement for a proper IDS in a production environment, but there are many scenarios where you’d like to know when someone logs into a Linux box. MacOS also uses PAM, so it should be possible to adapt this technique for Mac as well. If you have found a creative use for it, please leave a comment below.