An easy walkthrough on enabling instant push notifications for logins and logouts on a Linux system with Pushover. You will need a Pushover account. Pushover is a proprietary service for smartphones, with a one-time-purchase application that includes a generous free quota (I have never surpassed the “free” limits for any of my personal projects, and I sometimes receive more than 20 notifications per day). Register for a free account here.
Create your Pushover applications
To send notifications through Pushover you will need:
- Your user key (or the token of the user or group of users you want to send these notifications to).
- An application token, which specifies a basic set of settings and appearance of these notifications. The application token is the one responsible for your monthly quota.
Your user key
You can find your user key on the Pushover homepage, after logging in.
Your application token
If you don’t already have one, go ahead and create a new Pushover application. You will want to create two: one for logins and one for logouts. The reason for this is so that each application has a different icon.
You can download the icons I created for my Pushover applications. If you repost them somewhere, I’d love to know and be able to take a look, but it’s not a hard requirement.
The three above images are licensed under CC BY 4.0.
I personally use the red one for root logins, the yellow one for non-root logins, and the blue one for logouts.
PAM Module
In the folder /etc/pam.d there are a few files. Each file has a specific purpose and is read by Linux depending on how you log in. Logging into SSH, a TTY, or getting sudo privileges are different processes, so each time you log in, a different file is read that tells Linux how to act, where to read the credentials from, and how to accept or reject the login. The manual has more information on how PAM works.
Add the following line at the end of the file /etc/pam.d/common-session:
session optional pam_exec.so /usr/local/bin/login-notification-pushover.bash
This will create a hook in PAM (Pluggable Authentication Modules), which is what Linux uses to keep track of logins, user passwords, user permissions and so on. Specifically, the common-session file is read on any interactive session. That means this script will get triggered whenever a human interacts with the system, either through SSH, a TTY, or even using sudo. I haven’t tested this, but in theory this should also work for workstations with a GUI: once a user logs into their desktop, a notification will be dispatched.
Then, the optional flag means that the return result of the script is not checked. This is especially important if you ever lose Internet connectivity and the system is unable to send a notification (for example, on machines connected through WiFi, laptops, or smartphones on cell service). This, however, can be changed to requisite for increased security, but keep in mind logins will be denied if the machine has no Internet connectivity. This includes local console logins or desktop logins.
The notification script
Now, let’s create the notification script. I used /usr/local/bin/login-notification-pushover.bash but you can place it wherever you want as long as it’s the same place you specified in the PAM file above.
These are the contents:
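#!/usr/bin/env bash
# Called by pam_exec, which passes PAM_TYPE, PAM_USER, PAM_RHOST and
# PAM_SERVICE to this script in the environment.

# Swallow Ctrl+C so an interrupted login still sends its notification.
function ctrl_c()
{
    printf "trapped Ctrl+C"
}
trap ctrl_c INT

# Pick the Pushover application (and with it the icon) by session event.
if [[ "$PAM_TYPE" = "close_session" ]]; then
    PUSHOVER_TYPE="closed"
    PUSHOVER_APP_TOKEN="TOKEN1"
    PUSHOVER_PRIORITY="-1"
elif [[ "$PAM_TYPE" = "open_session" ]]; then
    PUSHOVER_TYPE="opened"
    PUSHOVER_APP_TOKEN="TOKEN2"
    PUSHOVER_PRIORITY="0"
else
    # Any other PAM stage (auth, account, password): nothing to report.
    exit 0
fi

# PAM_RHOST is empty for local sessions (console, sudo).
if [[ -z "$PAM_RHOST" ]]; then
    PAM_RHOST="localhost"
fi

DATE=$(date)

### PUSHOVER SETTINGS ###
PUSHOVER_URL="https://api.pushover.net/1/messages.json"
PUSHOVER_USER_TOKEN="USERTOKEN"
PUSHOVER_TITLE="$HOSTNAME session notification"
PUSHOVER_MESSAGE="User <b>$PAM_USER</b> $PUSHOVER_TYPE a session from <b>$PAM_RHOST</b> through <b>$PAM_SERVICE</b> at <i>$DATE</i>."
PUSHOVER_HTML="1"
PUSHOVER_SOUND="intermission"

# Root sessions (opened or closed) get high priority and a louder sound.
if [[ "$PAM_USER" == "root" ]]; then
    PUSHOVER_PRIORITY="1"
    PUSHOVER_SOUND="siren"
    #PUSHOVER_USER_TOKEN="ONLYROOTTOKEN"
fi

#if [[ "$PAM_USER" == "john" ]]; then
#    PUSHOVER_USER_TOKEN="ONLYUSERTOKEN"
#fi
### ENDOF PUSHOVER SETTINGS ###

# Send in the background and discard the output so the login is never
# delayed. The script's exit status therefore does not reflect whether
# the notification was delivered.
curl -s \
    --data "token=$PUSHOVER_APP_TOKEN" \
    --data "user=$PUSHOVER_USER_TOKEN" \
    --data-urlencode "title=$PUSHOVER_TITLE" \
    --data "priority=$PUSHOVER_PRIORITY" \
    --data-urlencode "message=$PUSHOVER_MESSAGE" \
    --data "html=$PUSHOVER_HTML" \
    --data "sound=$PUSHOVER_SOUND" \
    "$PUSHOVER_URL" > /dev/null 2>&1 &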
This script is licensed under the Apache License 2.0.
A few things to note:
- It is necessary to change the following:
  - TOKEN1 is the application token for logouts. Replace it with yours.
  - TOKEN2 is the application token for logins. Replace it with yours.
  - USERTOKEN is your user key. You can also specify a delivery group here.
- Uncomment and edit the lines near the end if you want to send root login notifications to a different set of users. You can also uncomment the line with the john user (and replace that with the user to target) to send notifications of a specific Linux user to a specific Pushover user key.
- As is, this script will send notifications for both logins and logouts, using the two different Pushover applications created in the first step.
- The script will intercept Ctrl+C keypresses which, in normal situations, would abort it and cause it not to send a notification.
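Before the hook goes into /etc/pam.d/common-session, the script's decisions can be checked offline. The following is an added example, not part of the original script: it mirrors the script's handling of PAM_TYPE, PAM_USER and PAM_RHOST, prints the resulting fields instead of calling curl, and additionally escapes the PAM-supplied values because the message is sent with html=1. The function names html_escape and pushover_fields are hypothetical, and the date is left out so the output is reproducible.

```shell
#!/bin/sh
# Added example (not the original script): dry run of the hook's logic.
# html_escape and pushover_fields are hypothetical names.

# Escape &, < and > so values taken from the PAM environment cannot add
# markup to a message that is sent with html=1.
html_escape() {
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g'
}

# Print the fields the script would hand to curl, one per line, for the
# PAM_* variables currently set. Prints nothing for other PAM stages.
pushover_fields() {
    case "$PAM_TYPE" in
        open_session)  verb="opened"; priority="0" ;;
        close_session) verb="closed"; priority="-1" ;;
        *) return 0 ;;
    esac
    sound="intermission"
    # As in the script, root overrides priority and sound for both events.
    if [ "$PAM_USER" = "root" ]; then
        priority="1"
        sound="siren"
    fi
    user=$(html_escape "$PAM_USER")
    rhost=$(html_escape "${PAM_RHOST:-localhost}")
    service=$(html_escape "$PAM_SERVICE")
    printf 'priority=%s\n' "$priority"
    printf 'sound=%s\n' "$sound"
    printf 'message=User <b>%s</b> %s a session from <b>%s</b> through <b>%s</b>.\n' \
        "$user" "$verb" "$rhost" "$service"
}

# Constructed sample input: a root SSH login from a documentation-range
# address. Run in a subshell so the variables do not leak.
(
    PAM_TYPE=open_session
    PAM_USER=root
    PAM_RHOST=192.0.2.10
    PAM_SERVICE=sshd
    pushover_fields
)
```
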
Result
If everything went smoothly, it should look something similar to this: