System-wide SSH login notifications with Pushbullet
21 Dec 2014
I recently found out about Pushbullet, a service and set of applications which allow you to share notifications and other text messages between your devices. They also provide a convenient API, making it easy to send notifications from scripts or other programs.
In a quest to secure my personal server, I wanted to get a notification for each SSH login. I found some solutions online, but they weren’t waterproof (relying on per-user .profile modifications) or were a bit too hackish for my taste (actively
It’s essential that any user logging in cannot externally prevent the notification from being sent. The best solution I found is to modify the SSH server configuration, and force execution of a wrapper script which will generate the notification. The ForceCommand option does exactly that:
Forces the execution of the command specified by ForceCommand, ignoring any command supplied by the client and ~/.ssh/rc if present.
Within the wrapper script, we can use the (relatively undocumented) SSH_CONNECTION environment variable to get a hold of some details about the current connection. We will use that to make our notification a bit more interesting. Finally, we hand control back to the user, spawning the command asked for (saved in SSH_ORIGINAL_COMMAND), or the user’s default shell:
I saved this script in /usr/local/sbin/ssh-wrapper, made it executable, and activated it by adding ForceCommand /usr/local/sbin/ssh-wrapper to
Note that my wrapper script makes use of pushmessage, a small script which delivers the actual notification:
IDEN variables are personalised, and contain respectively your Pushbullet access token and the device identification. The former you can find on your Pushbullet account page, and in order to get a suitable device identifier you’ll need to query the API:
- Slowdown: on a normal day, a pushmessage invocation takes about 500 ms. This is a significant slowdown of the — already pretty slow — SSH login. Backgrounding the API call solves this, but can get you spammed.
- Too many invocations: the wrapper script is called on each login, even if the SSH connection was already established (i.e. when multiplexing connections ControlMaster). This is especially noticeable when using tab completion for the <TAB> will trigger a notification.
- Cluttered process tree: the ssh-wrapper script keeps on existing in the process hierarchy because it spawns the user shell. It should be possible to avoid this (e.g. by execveing the shell instead).
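
The wrapper described in this post, sketched as an added example (not the author's original script): it builds the message from SSH_CONNECTION, backgrounds the notification, and uses exec so the wrapper does not stay in the process tree. The pushmessage calling convention (message text as a single argument), the PUSHMESSAGE override variable and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not the author's script. Install as /usr/local/sbin/ssh-wrapper.
# Assumption: pushmessage accepts the notification text as its only argument.

# Format the notification from SSH_CONNECTION, which sshd sets to
# "client_ip client_port server_ip server_port". Runs in a subshell, so
# set -f and the positional parameters do not leak into the caller.
build_message() (
    user=$1
    set -f          # no glob expansion while word-splitting
    set -- $2
    if [ "$#" -eq 4 ]; then
        printf 'SSH login: %s from %s port %s to %s port %s' \
            "$user" "$1" "$2" "$3" "$4"
    else
        printf 'SSH login: %s (no connection details)' "$user"
    fi
)

# Send in the background so the ~500 ms API call does not delay the login.
# All three standard descriptors are detached, otherwise a non-interactive
# session (scp, ssh host cmd) would stay open until the call returns.
notify() {
    "${PUSHMESSAGE:-pushmessage}" "$1" </dev/null >/dev/null 2>&1 &
}

main() {
    # id -un rather than $USER: derived from the process uid, not the environment.
    notify "$(build_message "$(id -un)" "${SSH_CONNECTION:-}")"
    shell=${SHELL:-/bin/sh}
    # exec replaces the wrapper, so it does not linger in the process tree.
    if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
        exec "$shell" -c "$SSH_ORIGINAL_COMMAND"
    fi
    exec "$shell" -l    # assumption: the user's shell accepts -l (login shell)
}

# Run only under the installed name, so the functions can be sourced and tested.
case ${0##*/} in
    ssh-wrapper) main ;;
esac
```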