Execute program each time somebody logs in via SSH into a Linux box
I have a small SSH server, and I'd like to write a script to run each time somebody logs in via SSH.
Now, how would I go about that?
I'd like the script to run everytime ANYBODY logs in, and I need to have access to at least the username of the person who logged in, and the IP address the person logged in from.
I thought about using /etc/bash.bashrc
, but is that a good solution? For instance, is there a way a user could disable its use, and thus disable my script? If yes, what are my other options?
Thanks.
Solution 1:
The mechanism to use depends upon your goals.
If you wish to provide something convenient or friendly for your users, then your /etc/profile
is reasonable enough if all your users use the same shell. If you want the commands to execute only when logging in via ssh
, place commands into /etc/ssh/sshrc
. (If you don't mind users overriding the commands with their own ~/.ssh/rc
file.)
If you want to force a user to execute one program, and only one program, then the ForceCommand
option as described by DigitalRoss is a good approach. (I personally would further confine the user with a mandatory access control system such as AppArmor, SELinux, TOMOYO, or SMACK, to ensure the program can not allow a user to escape. I've worked on AppArmor for ten years, so that's the tool I'd pick first, but the others are fine tools written by excellent programmers.)
If you just want one program to execute and not bother the user in any way, then the best approach is to use the pam_exec(8)
module, which cannot be bypassed, works regardless of shell, and provides easy ability to run as the user or as the user account of the program performing the authorization. The manpage gives the following example:
Add the following line to /etc/pam.d/passwd to rebuild the
NIS database after each local password change:
passwd optional pam_exec.so seteuid make -C /var/yp
This will execute the command
make -C /var/yp
with effective user ID.
This could be extended to run on auth
, account
, password
, and session
actions; probably session
would be best for executing upon log in. Just add a line like:
session optional pam_exec.so log=/var/log/ssh_login_cmd /usr/local/bin/ssh_cmd
to your /etc/pam.d/sshd
control file.
Solution 2:
Newish versions of OpenSSH have a server feature called ForceCommand that gives control to a script instead of the operation (scp, ssh, ...) that the user intended. The script is passed the original command, so you could probably chain to it after doing whatever you need to do.
From sshd_config(5):
ForceCommand
Forces the execution of the command specified by ForceCommand, ignoring any command supplied by the client and ~/.ssh/rc if present. The command is invoked by using the user's login shell with the -c option. This applies to shell, command, or subsystem execution. It is most useful inside a Match block. The command originally supplied by the client is available in the SSH_ORIGINAL_COMMAND environment vari- able. Specifying a command of ``internal-sftp'' will force the use of an in-process sftp server that requires no support files when used with ChrootDirectory.
I used this once to override scp and provide secure gem upload without giving every user authorized to upload gems interactive access they didn't need or want.
Solution 3:
One way would be to use syslog-ng as a syslog daemon and configure it to run a script background every time a certain log entry (such as a successful ssh login) matches.