SSH Login Notification on Signal Leveraging Linux PAM

This post describes how SSH login notifications can be sent to Signal leveraging signal-cli [4] and the Linux pam_exec module [2].

Many posts on the internet demonstrate a similar process for sending messages to Telegram, for example [3].

You may be compiling signal-cli on a host that doesn’t have a recent version of OpenJDK [5], for example on a Debian operating system. If that’s the case, download the recommended JDK version, configure the JAVA_HOME environment variable to point to the location of the JDK you just downloaded, and you are good to go.

Assuming you call signal-cli through a bash script that is located in /path/to/the/script, you set up the PAM SSH configuration in this way (/etc/pam.d/ssh):

session optional pam_exec.so /path/to/the/script
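
A script of the kind pam_exec could run from the session line above, as an added example that is not from the original post. The account and recipient numbers are placeholders, the function names are made up for illustration, and the `-a` account flag assumes a current signal-cli release.

```bash
#!/bin/bash
# Added example: login notifier run by pam_exec in the SSH "session" stack.
# pam_exec runs this as root, so keep the file root-owned and not writable
# by anyone else.

# Placeholders (assumptions, not values from the original post):
SIGNAL_CLI="${SIGNAL_CLI:-signal-cli}"            # binary name or absolute path
SIGNAL_ACCOUNT="${SIGNAL_ACCOUNT:-+10000000000}"  # registered sender number
SIGNAL_RECIPIENT="${SIGNAL_RECIPIENT:-+10000000001}"

# Keep only characters expected in user and host names (IPv6 colons included)
# and cap the length, so client-influenced values cannot add newlines or
# control characters to the message.
sanitize() {
    printf '%s' "$1" | tr -cd 'A-Za-z0-9._:@-' | cut -c1-64
}

# Build the message from the variables pam_exec exports to the script.
build_message() {
    user=$(sanitize "${PAM_USER:-unknown}")
    rhost=$(sanitize "${PAM_RHOST:-unknown}")
    printf 'SSH login: user=%s from=%s on=%s at=%s' \
        "$user" "$rhost" "$(uname -n)" "$(date -u +%Y-%m-%dT%H:%M:%SZ)"
}

# Send only when a session opens; close_session and other types are ignored.
notify() {
    [ "${PAM_TYPE:-}" = "open_session" ] || return 0
    # timeout keeps a hung signal-cli from stalling the login.
    timeout 20 "$SIGNAL_CLI" -a "$SIGNAL_ACCOUNT" send \
        -m "$(build_message)" "$SIGNAL_RECIPIENT" >/dev/null 2>&1 \
        || logger -t ssh-notify "signal-cli failed for $(sanitize "${PAM_USER:-unknown}")"
    return 0   # a failed notification must never fail the session
}

# pam_exec always sets PAM_TYPE; do nothing when run outside PAM.
if [ -n "${PAM_TYPE:-}" ]; then
    notify
    exit 0
fi
```

The script does not set JAVA_HOME or PATH itself; it relies on the environment PAM hands to it.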

signal-cli needs the same JDK environment that was used to compile it; otherwise there will be errors. If the bash script uses environment variables to set JAVA_HOME or PATH, this won’t work. Instead, the PAM module pam_env (/etc/security/pam_env.conf) should be used to set the environment for PAM. Such as: