I wanted to receive alert when logged into my OpenWrt router via SSH and this what I did.

Replace Dropbear with OpenSSH-server

OpenWrt uses lightweight Dropbear as SSH server by default but it needs to be compiled with PAM support to add alerts. Instead I'm replacing Dropbear with OpenSSH server.

I followed the official Replacing Dropbear by openssh-server wiki except the following changes.

• Instead of openssh-server, I installed openssh-server-pam package.
• Copied authorized_keys from /etc/dropbear to ~/.ssh/.
• Made the following changes to /etc/ssh/sshd_config:

  PremitRootLogin yes
  PubkeyAuthentication yes
  UsePAM yes
  

Install MQTT client

Installed mosquitto-client-nossl for sending alerts.

Create login-notify

I created the login-notify script in /etc/ssh/ and made it executable.

#!/bin/sh
                                       
if [ "$PAM_TYPE" != "close_session" ]; then
    message="{\"summary\":\"SSH Login\",\"body\":\"$PAM_USER from $PAM_RHOST on OpenWrt\"}" 
    mosquitto_pub -h 192.168.1.10 -m "$message" -t house/smartwatch
fi

If you prefer email to MQTT, Then you can use this script instead..

Triggering login-notify on SSH login

Added the following to /etc/pam.d/sshd to trigger the login-notify script during SSH login via Linux Pluggable Authentication Module.

session optional pam_exec.so seteuid /etc/ssh/login-notify

Whitelist login-notify to survive upgrades

I added /etc/ssh/login-notify, /etc/ssh/sshd_config, /etc/pam.d/sshd under System -> Backup / Flash Firmware -> Configuration in LuCI to prevent it being removed during OpenWrt upgrades.

Receiving the MQTT Message

I have setup a smart clock to receive the MQTT message.

Change log

30-Nov-2021: Added more files to the whitelist as a precaution.