Encrypted mail notification for SSH login


In many cases it's nice to know when a valid SSH login was performed on your server. To be informed whenever someone accesses the server via SSH, a notification can be sent by mail, and to keep the details of the login private the content of that mail can be encrypted with PGP. This tutorial shows how to set up such an encrypted notification for successful SSH logins. The setup was tested on Debian 8 (Jessie).

First of all, transfer your public PGP key to the server and import it into the keyring of the user root with gpg2. This is necessary because the notification is sent by root (the user the PAM hook runs as), so root's keyring has to contain the public key of the destination mail address.

gpg2 --import <path to public key>

Now set the owner trust of the imported key. Otherwise gpg2 considers the key untrusted and, when run non-interactively from the PAM hook later on, refuses to encrypt to it instead of asking whether to use the key anyway.

gpg2 --edit-key <user ID like some.thing@gmx.at>

gpg> trust
[...]

Please decide how far you trust this user to correctly
verify other users' keys (by looking at passports,
checking fingerprints from different sources, etc.)

1 = I don't know or won't say 
2 = I do NOT trust
3 = I trust marginally
4 = I trust fully
5 = I trust ultimately
m = back to the main menu

Your decision? 5
Do you really want to set this key to ultimate trust? 
(y/N) y
[...]

gpg> quit
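The interactive trust dialog above is fine for a one-off setup. For a scripted deployment the same result can be reached with gpg2's --import-ownertrust, which takes a fingerprint and a numeric trust value. The following shell script is an added example and not part of the original tutorial: it imports the key, sets ultimate trust and then checks that batch encryption to that key works, which is exactly what the PAM hook needs later. The --with-colons output it parses is a constructed sample with a made-up fingerprint, and /root/.gnupg and some.thing@gmx.at are placeholders.

```shell
#!/bin/bash
# Added example, not from the original tutorial: import the recipient's public
# key into root's keyring, set ultimate owner trust without the interactive
# "gpg> trust" dialog, and confirm that batch encryption to that key works.
# /root/.gnupg and some.thing@gmx.at are placeholders; adjust them.
set -u

# Extract the primary key fingerprint from `gpg2 --with-colons` output:
# the first "fpr" record carries it in field 10.
key_fingerprint() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# Build an ownertrust record for --import-ownertrust. The trust value 6 means
# "ultimate", the same as answering 5 in the interactive dialog.
ownertrust_line() {   # $1 = fingerprint, spaces and lower case allowed
    printf '%s:6:\n' "$(printf '%s' "$1" | tr -d ' ' | tr a-f A-F)"
}

# Constructed sample of `gpg2 --with-colons --fingerprint` output, so the
# parser can be exercised without a keyring (the fingerprint is made up).
SAMPLE_COLONS='tru::1:1700000000:0:3:1:5
pub:u:4096:1:0123456789ABCDEF:1600000000::u:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1600000000::0000000000000000000000000000000000000000::Some Thing <some.thing@gmx.at>::::::::::0:'

# Deployment path (run as root on the server): $1 = exported public key file,
# $2 = recipient user ID, $3 = gpg home directory of the sending user.
deploy_trust() {
    local pubkey_file="$1" recipient="$2" homedir="${3:-/root/.gnupg}" fpr
    command -v gpg2 >/dev/null || { echo "gpg2 is not installed" >&2; return 1; }
    gpg2 --batch --homedir "$homedir" --import "$pubkey_file" || return 1
    fpr=$(gpg2 --batch --homedir "$homedir" --with-colons --fingerprint "$recipient" | key_fingerprint)
    [ -n "$fpr" ] || { echo "no key found for $recipient" >&2; return 1; }
    ownertrust_line "$fpr" | gpg2 --batch --homedir "$homedir" --import-ownertrust || return 1
    # Smoke test: encryption has to work non-interactively, exactly as the
    # PAM hook will call gpg2 later. A key without owner trust fails right here.
    echo "test" | gpg2 --batch --homedir "$homedir" -ear "$recipient" >/dev/null
}

# Usage: ./trust-key.sh --deploy /root/some.thing.pub.asc some.thing@gmx.at
if [ "${1:-}" = "--deploy" ]; then
    deploy_trust "$2" "$3"
fi
```

The smoke test at the end is the important part: if it fails on the server, the hook will fail in the same way, and with the `optional` PAM flag used below that failure would otherwise go unnoticed.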

To send mail, an SMTP client is required. This tutorial uses ssmtp, a minimal sendmail replacement that relays everything to a single mail hub; the mail command used in the script below (package bsd-mailx on Debian) hands its message to /usr/sbin/sendmail, which ssmtp provides. Edit the configuration file /etc/ssmtp/ssmtp.conf as in the following example for a GMX account, replacing <mail>, <pass> and <recipient> with your sender address, its password and the recipient address. Port 465 is SMTP over implicit TLS, which is what UseTLS=YES selects; for the submission port 587 you would use UseSTARTTLS=YES instead. Note that the password is stored in clear text, so the file must not be world-readable (the Debian package installs it with mode 640 and group mail; keep it that way).

root=<recipient>
# The place where the mail goes.
# The actual machine name is required; no
# MX records are consulted.
# Commonly mailhosts are named mail.domain.com
mailhub=mail.gmx.net:465

# Debug=Yes

FromLineOverride=NO

AuthUser=<mail>
AuthPass=<pass>
UseTLS=YES

The sender address must also be rewritten for the user root. Otherwise ssmtp would use root@<hostname> as the sender address, which the GMX mail server rejects.

To do this, add the following line to the configuration file /etc/ssmtp/revaliases ("reverse aliases"), replacing <mail> with the username of your sender mail account:

# Example: 
# root:your_login@domain:mailhub.your.domain[:port]
# where [:port] is an optional port number
# that defaults to 25.

root:<mail>:mail.gmx.net:465

The last step is to write the script that the PAM (Pluggable Authentication Modules) module pam_exec will run for the SSH service. Create the file /etc/ssh/login-notify.sh with the following content. The recipient and the server name are placeholders in the original tutorial; here they are kept in variables at the top of the script so they can't be mistaken for shell redirections, and gpg2 is called with --batch (never prompt) and --homedir, because the environment pam_exec hands over from sshd does not reliably contain HOME and gpg2 would otherwise not find root's keyring:

#!/bin/bash
# Executed by pam_exec.so from /etc/pam.d/sshd for every session event.
# Only a newly opened session is reported; close_session events are ignored.
if [ "$PAM_TYPE" != "open_session" ]; then
    exit 0
fi

# Recipient of the encrypted notification: the user ID of the imported key.
RECIPIENT="some.thing@gmx.at"
# Keyring of the user this script runs as (root, because of the seteuid option).
GNUPG_HOME="/root/.gnupg"

{
    # Logged-in user
    echo "User: $PAM_USER"
    # Remote IP address (empty for local logins)
    echo "Rhost: ${PAM_RHOST:-unknown}"
    # Current date
    echo "Date: $(date)"
    # Something about the server
    echo "Server: $(hostname -f)"
    # Currently logged-in users on the server
    echo "Who is logged in:"
    w
} | gpg2 --batch --homedir "$GNUPG_HOME" -ear "$RECIPIENT" \
  | mail -s "SSH-Login: $PAM_SERVICE" root

# Always return 0 so a failed mail delivery never blocks the login itself.
exit 0

It's also possible to add further commands to the script to include additional information; pam_exec also exports PAM_TTY and PAM_RUSER, for example. The gpg2 options have the following meaning:

  • -e ... encrypt
  • -a ... create ASCII armored output
  • -r ... encrypt for the specified user ID (recipient)

To execute the script at each successful login, add the following line to the configuration file /etc/pam.d/sshd (for example at the end of the file). The seteuid option makes pam_exec run the script with the effective user ID of sshd, i.e. root, which is what gives it access to root's keyring.

# Send mail if someone logs in via SSH
session optional pam_exec.so seteuid /etc/ssh/login-notify.sh

The control flag optional can also be set to required. Then a non-zero exit status of the script (for example because gpg2 can't find a trusted key or mail can't reach the mail hub) makes the session setup fail, and nobody can log in via SSH anymore, so keep optional unless you monitor the script closely. With either flag pam_exec waits for the script to finish, so a slow or unreachable mail server delays every login by the same amount.

Another important step is to set the executable flag on the script just created; it should also be owned by root, since pam_exec runs it as root. Hence, run the following command to set the required permissions:

sudo chmod 740 /etc/ssh/login-notify.sh

Links

http://www.havetheknowhow.com/Configure-the-server/Install-ssmtp.html

http://blog.th-neumeier.de/2011/02/send-email-on-ssh-login-using-pam/