SSH - run script or command at login

CaffeineFueled

2023/01/05

There a multiple use cases to run a script on login. Configuration, starting services, logging, sending a notification, and so on. I want to show you different ways to do so.

Example script

The example script will notify me via push notification on my smartphone as soon as a new SSH connection is established. You can use a simple command or a script, and I will use a script for this blog post.

/path/to/script/notify-at-login.sh

#!/bin/bash

# 1 - Script without output!
# IMPORTANT: Script with output break non-interactive sessions (scp, rsync, etc)

curl -d "\"$SSH_CONNECTION\" - \"$USER\" logged in" ntfy.sh/reallyecurestringfornotifications >/dev/null 2>&1

# If you only want to run the script for an interactive SSH login and need the output displayed, place the script right after section  2 and remove the redirect. 

# 2 - Check if session is non-interactive  (remote command, rsync, scp, etc)

if [[ $SSH_ORIGINAL_COMMAND ]]; then
    eval "$SSH_ORIGINAL_COMMAND"
    exit
fi

# 3 - choose your favorite shell for the SSH session

/bin/bash
Remember to make it executable:
sudo chmod +x /path/to/script/notify-at-login.sh

Side note: I am using ntfy to send push notifications to my smartphone. In this example, the push notification would look this:

92.160.50.201 40248 195.21.0.14 22 - <user> logged in

Output on non-interactive connections

Just a reminder that you have to avoid any output of your script or command on non-interactive connections like rsync. Either prevent output from being displayed for non-interactive connections or all connections. The example script shows you one way to do so.

ForceCommand

I prefer this method, and had been working pretty well so far. The user will run the command and it can’t really be avoided by the client.

Use the ForceCommand option in your /etc/ssh/sshd_config file to run the script:
ForceCommand /path/to/script/notify-at-login.sh

ForceCommand ignores any command or script supplied by the client and ~/.ssh/rc by default.

PAM_exec

Put the script into a new directory /etc/pam_scripts, set the directory’s permission to 0755 and the owner and group must be root. The files permissions are 0700, must be executable and the owner and group must be root as well.

Directory:
sudo mkdir /etc/pam_scripts
sudo chmod 0755 /etc/pam_scripts
sudo chown root:root /etc/pam_scripts
Script:
sudo chmod 0700 /etc/pam_scripts/notify-at-login.sh
sudo chown root:root /etc/pam_scripts/notify-at-login.sh
Enable UsePAM in the /etc/ssh/sshd_config:
UsePAM yes
Tell PAM to run the script at SSH login by adding the following line to etc/pam.d/sshd:
session required pam_exec.so /etc/pam_scripts/notify-at-login.sh

All scripts added to the /etc/pam_scripts/ directory will be run as root at login.

Shell startup & sshrc file

You can run the script by your preferred startup file (.profile / .bashrc, etc) or use the SSH-specific profiles that run additionally before the user shell is loaded.

For all users:
/etc/ssh/sshrc # runs only if there is no user-specific configuration file ~/.ssh/rc
Per user configuration in home dir:
~/.ssh/rc
     ~/.ssh/rc
             Commands in this file are executed by ssh when the user
             logs in, just before the user's shell (or command) is
             started.  See the sshd(8) manual page for more information.
Run the script via the startup file by adding the following line to it:
. /path/to/script/notify-at-login.sh

Both the shell startup and sshrc files will be run by the user.

Side note: if security is a concern - like a login notification - it is not recommended to use this method. Profile config files can be avoided by ssh user@server bash --norc --noprofile and ~/.ssh/rc can be changed by the user after the first login.




Most recent Articles:
  • Notice Board 003: Progress is Progress
  • How to: Cisco ISE backup to SFTP repository with public key authentication
  • Dummy IP & MAC Addresses for Documentation & Sanitization
  • Deploying ISSO Commenting System for Static Content using Docker
  • Generate a Vanity v3 Hidden Service Onion Address with mkp224o