I wanted to receive alert when logged into my OpenWrt router via SSH and this what I did.
OpenWrt uses lightweight Dropbear as SSH server by default but it needs to be compiled with PAM support to add alerts. Instead I'm replacing Dropbear with OpenSSH server.
I followed the official Replacing Dropbear by openssh-server wiki except the following changes.
authorized_keys
from /etc/dropbear
to ~/.ssh/
./etc/ssh/sshd_config
:PremitRootLogin yes
PubkeyAuthentication yes
UsePAM yes
Installed mosquitto-client-nossl for sending alerts.
I created the login-notify
script in /etc/ssh/
and made it executable.
#!/bin/sh
if [ "$PAM_TYPE" != "close_session" ]; then
message="{\"summary\":\"SSH Login\",\"body\":\"$PAM_USER from $PAM_RHOST on OpenWrt\"}"
mosquitto_pub -h 192.168.1.10 -m "$message" -t house/smartwatch
fi
If you prefer email to MQTT, Then you can use this script instead..
Added the following to /etc/pam.d/sshd
to trigger the login-notify script during SSH login via Linux Pluggable Authentication Module.
session optional pam_exec.so seteuid /etc/ssh/login-notify
I added /etc/ssh/login-notify
, /etc/ssh/sshd_config
, /etc/pam.d/sshd
under System -> Backup / Flash Firmware -> Configuration in LuCI to prevent it being removed during OpenWrt upgrades.
I have setup a smart clock to receive the MQTT message.
30-Nov-2021: Added more files to the whitelist as a precaution.
Out of respect for your attention and concern for your privacy I don't have advertisements or any tracking cookie.
Let's have an obligation free discussion on this content or other common interests over email while supporting The Tallest Dwarf to continue writing.
If you cannot make a monetary support, I understand; Please like and share this content in the platform of your choice to defeat their conformist algorithms.
Jarett has bought a Coffee for The Tallest Dwarf. Here are the other supporters.