Execute prelogin scripts for SSH
You can use PAM for this. The PAM configuration for the SSH service is in /etc/pam.d/sshd
. To run a command before anything in the login process, add something like:
auth [default=ignore] pam_exec.so /path/to/some/script
For example, if I use /usr/local/bin/foo.sh
containing:
#! /bin/sh
cat <<EOF >>/tmp/log
PAM_RHOST $PAM_RHOST
PAM_RUSER $PAM_RUSER
PAM_SERVICE $PAM_SERVICE
PAM_TTY $PAM_TTY
PAM_USER $PAM_USER
PAM_TYPE $PAM_TYPE
EOF
And then I do ssh muru@localhost
, I get:
$ cat /tmp/log
PAM_RHOST localhost
PAM_RUSER
PAM_SERVICE sshd
PAM_TTY ssh
PAM_USER muru
PAM_TYPE auth
This doesn't happen before the password prompt shows up, but auth
modules are the first ones run after the password is entered - they check whether the user is authenticated, after all:
authentication - authenticate a user and set up user credentials.
Typically this is via some challenge-response request that the user
must satisfy: if you are who you claim to be please enter your
password. Not all authentications are of this type, there exist
hardware based authentication schemes (such as the use of smart-cards
and biometric devices), with suitable modules, these may be substituted
seamlessly for more standard approaches to authentication - such is the
flexibility of Linux-PAM.
So, in effect, auth
modules run before login, and if the first auth
module is pam_exec
, that's pretty much the first thing to run.
Note the [default=ignore]
part - since auth
modules authenticate the user, we don't want the script's exit status to mean anything. default=ignore
tells PAM to ignore pam_exec
's return value, whatever it may be, which in turn depends on the script's exit status. See man pam.d
for more details.
Caveats:
- This doesn't run if the user just quit before entering any password.
- This doesn't run if the user provided an empty password (the default SSH configuration has
PermitEmptyPasswords no
, so SSH rejects those out of hand). - SSH needs to have
UsePAM yes
for it to use PAM.