SSH Login Notification on Signal Leveraging Linux PAM

This post describes how SSH login notifications can be sent to Signal leveraging signal-cli [4] and the Linux pam_exec module [2].

There are many posts on the internet that demonstrate a similar process for sending messages on Telegram, for example [3].

You may end up compiling signal-cli on a host that doesn’t have a recent version of OpenJDK [5], for example on a Debian operating system. If that’s the case, download the recommended JDK version, configure the JAVA_HOME environment variable to point to the location of the JDK you just downloaded, and you are good to go.

Assuming you call signal-cli through a bash script that is located in /path/to/the/script, you set up the PAM SSH configuration in this way (/etc/pam.d/ssh):

session optional pam_exec.so /path/to/the/script

signal-cli needs the same JDK environment that was used to compile it; otherwise there will be errors. If the bash script uses environment variables to set JAVA_HOME or PATH, this won’t work. Instead, the PAM module pam_env [1] (/etc/security/pam_env.conf) should be used to set the environment for PAM, for example:

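# pam_env.conf syntax is: VARIABLE DEFAULT=value; ${VAR} expands an existing variable
JAVA_HOME DEFAULT=/path/to/JDK
PATH DEFAULT=${JAVA_HOME}/bin:${PATH}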
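
The notification script assumed above at /path/to/the/script could look like the following added example, which is not part of the original post. It relies on the PAM_* variables that pam_exec exports and on signal-cli's send command; the phone numbers are placeholders and the function names are illustrative.

```shell
#!/bin/bash
# Added example: hypothetical notify script for /path/to/the/script.
# pam_exec exports PAM_TYPE, PAM_USER, PAM_RHOST and PAM_SERVICE to it.
SIGNAL_CLI=${SIGNAL_CLI:-signal-cli}
SIGNAL_ACCOUNT=${SIGNAL_ACCOUNT:-+10000000000}      # placeholder sender number
SIGNAL_RECIPIENT=${SIGNAL_RECIPIENT:-+10000000001}  # placeholder recipient number

# Keep only characters expected in user names, host names and IP addresses,
# so a remotely influenced value cannot add newlines or control characters.
sanitize() {
    printf '%s' "$1" | LC_ALL=C tr -cd 'A-Za-z0-9._:@-' | cut -c1-64
}

# The session stack calls the script on open and on close; notify on open only.
should_notify() {
    [ "${PAM_TYPE:-}" = "open_session" ]
}

build_message() {
    user=$(sanitize "${PAM_USER:-unknown}")
    rhost=$(sanitize "${PAM_RHOST:-unknown}")
    service=$(sanitize "${PAM_SERVICE:-unknown}")
    printf 'SSH login: user=%s from=%s service=%s host=%s' \
        "$user" "$rhost" "$service" "$(uname -n)"
}

main() {
    should_notify || return 0
    # The message is passed as one quoted argument: no eval, no word splitting.
    "$SIGNAL_CLI" -a "$SIGNAL_ACCOUNT" send -m "$(build_message)" "$SIGNAL_RECIPIENT"
}

# Exit 0 even if sending fails, so a Signal outage is not reported to PAM
# as a module failure.
main || true
```
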

References

[1]: https://linux.die.net/man/8/pam_env

[2]: https://linux.die.net/man/8/pam_exec

[3]: https://8192.one/post/ssh_login_notification_withtelegram/

[4]: https://github.com/AsamK/signal-cli/

[5]: https://openjdk.org
