The Tallest Dwarf


OpenWrt login alert

Posted at — Oct 5, 2021 by Abishek Muthian

I wanted to receive an alert whenever someone logs into my OpenWrt router via SSH, and this is what I did.

Replace Dropbear with OpenSSH-server

OpenWrt uses the lightweight Dropbear as its SSH server by default, but it needs to be compiled with PAM support to add alerts. Instead, I'm replacing Dropbear with the OpenSSH server.

I followed the official Replacing Dropbear by openssh-server wiki, except for the following changes.

Install MQTT client

I installed mosquitto-client-nossl for sending alerts.

Create login-notify

I created the login-notify script in /etc/ssh/ and made it executable.

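#!/bin/sh

# pam_exec runs this script for both session open and session close;
# only send the alert when the session is not being closed.
if [ "$PAM_TYPE" != "close_session" ]; then
    # PAM_USER and PAM_RHOST are exported by pam_exec.
    message="{\"summary\":\"SSH Login\",\"body\":\"$PAM_USER from $PAM_RHOST on OpenWrt\"}"
    # Publish the JSON payload to the MQTT broker on the LAN.
    mosquitto_pub -h 192.168.1.10 -m "$message" -t house/smartwatch
fi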

If you prefer email to MQTT, you can use this script instead.

Triggering login-notify on SSH login

I added the following to /etc/pam.d/sshd to trigger the login-notify script during SSH login via Linux Pluggable Authentication Modules (PAM).

session optional pam_exec.so seteuid /etc/ssh/login-notify
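
The login-notify script above places PAM_USER and PAM_RHOST into the JSON payload unescaped. The following is an added example, not the author's script: a variant that escapes both values first and never lets a failed publish affect the login. The function names json_escape and build_message are hypothetical; the broker address and topic are the ones used on this page.

```shell
#!/bin/sh
# Added example: hardened variant of /etc/ssh/login-notify.
BROKER="192.168.1.10"        # MQTT broker address used on this page
TOPIC="house/smartwatch"     # MQTT topic used on this page

# Escape a value for use inside a JSON string: drop control characters,
# then backslash-escape backslashes and double quotes.
json_escape() {
    printf '%s' "$1" | tr -d '\000-\037' | sed 's/\\/\\\\/g; s/"/\\"/g'
}

# Build the same {"summary":...,"body":...} payload as the original script,
# from a user name ($1) and a remote host ($2).
build_message() {
    user=$(json_escape "$1")
    rhost=$(json_escape "$2")
    printf '{"summary":"SSH Login","body":"%s from %s on OpenWrt"}' "$user" "$rhost"
}

# pam_exec exports PAM_TYPE, PAM_USER and PAM_RHOST. Matching open_session
# explicitly is slightly narrower than the original "not close_session" test.
if [ "${PAM_TYPE:-}" = "open_session" ]; then
    # A broker outage must not produce an error during login.
    mosquitto_pub -h "$BROKER" -t "$TOPIC" \
        -m "$(build_message "${PAM_USER:-unknown}" "${PAM_RHOST:-unknown}")" || true
fi
```

The PAM line above stays the same; only the body of the script changes.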

Whitelist login-notify to survive upgrades

I added /etc/ssh/login-notify, /etc/ssh/sshd_config and /etc/pam.d/sshd under System -> Backup / Flash Firmware -> Configuration in LuCI to prevent them from being removed during OpenWrt upgrades.

Receiving the MQTT Message

I have set up a smart clock to receive the MQTT message.

Smart Clock with AsteroidOS
Smart clock on the desk for those high severity notifications

Change log

30-Nov-2021: Added more files to the whitelist as a precaution.
