12

I have a question that puzzles me and I wonder if anyone has attempted to achieve the following:

Let's assume that this is the result of my 'last' command in a Linux environment:

root  pts/1        192.168.1.10      Wed Feb 10 07:04 - 07:57  (00:52)  
root  pts/2                          Tue Feb  9 22:00 - 00:13  (02:13)   

How can I set up a particular action (say, for example, a modified MOTD or sending an email) if the 'root' user has logged in from 192.168.1.10? Is there a way of capturing this information?

The second part of this question is how I can make the above check a bit more robust, i.e. if I have the following:

mary  pts/1        192.168.1.10      Wed Feb 10 07:04 - 07:57  (00:52)  
bob   pts/2                          Tue Feb  9 22:00 - 00:13  (02:13)      

Now I'd like to perform an action if the username is equal to 'mary' and the host is 192.168.1.10.

Any suggestions are welcomed.

Thank you in advance.

Tamas

6 Answers

23

There's a special file /etc/ssh/sshrc where you can put some commands that will run each time someone connects by ssh. I wrote this for you:

#!/bin/bash

mail=user@domain.tld
monitored_user=root
monitored_ip=x.x.x.x

hostname=$(hostname)

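# add a welcome message (on stderr, so stdout stays clean):
printf >&2 '\nWelcome on %s %s\n' "$hostname" "$USER"

# SSH_CONNECTION is "client_ip client_port server_ip server_port"
read -r ip _ <<< "$SSH_CONNECTION"

# quoting the right-hand sides makes these literal comparisons, not patterns
[[ $ip == "$monitored_ip" && $USER == "$monitored_user" ]] || exit 0

date=$(date "+%d.%m.%Y %Hh%M")
reverse=$(dig -x "$ip" +short)

mail -s "Connexion of $USER on $hostname" "$mail" <<EOF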

IP: $ip
Reverse: $reverse
Date: $date
EOF

Put this script in a file, then put the full path of the script in /etc/ssh/sshrc

In man ssh:

/etc/ssh/sshrc : Commands in this file are executed by ssh when the user logs in, just before the user's shell (or command) is started. See the sshd(8) manual page for more information.

Gilles Quénot
  • Put this script in a file, then put the full path of the script in `/etc/ssh/sshrc`, because the sshrc file doesn't handle bash tests. POST edited accordingly. – Gilles Quénot Oct 08 '12 at 20:42
  • I get the same problem as @Sergey. In addition, it doesn't seem to like the `[[`. I tried `echo $SHELL` within the script to confirm it was bash. FWIW `[` works. Oh, and `dig` isn't installed. – Sparhawk Oct 02 '14 at 05:50
  • Because as I said before, you must put this script in a file and not directly in `sshrc`. The `sshrc` must contain the full path of the executable script. – Gilles Quénot Oct 02 '14 at 11:34
  • This script is for all users, when they log in? – DarckBlezzer May 30 '17 at 23:26
  • Sure, test it and you will see – Gilles Quénot May 31 '17 at 08:42
  • i have tested this on raspberry pi os lite, and /etc/ssh/sshrc only seems to run upon login if there is no ~/.ssh/rc. Also, the existence of either of those files seems to stop rsync from other machines. – john-jones Dec 31 '20 at 17:53
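
An added example, not part of the answer above: a POSIX sh variant of the same check that can sit directly in /etc/ssh/sshrc, where the comments report that `[[` fails. The `RULES` list and the function names are made up for illustration, and treating a session without `SSH_TTY` as non-interactive is this example's assumption.

```shell
#!/bin/sh
# Added example: POSIX sh only, no [[ ]] and no here-strings.
# RULES is a constructed watch list of user@address pairs (hypothetical values).
RULES="root@192.168.1.10 mary@192.168.1.10"

# client_ip SSH_CONNECTION_VALUE: print the client address.
client_ip() {
    # SSH_CONNECTION is "client_ip client_port server_ip server_port"
    printf '%s\n' "${1%% *}"
}

# should_alert USER SSH_CONNECTION SSH_TTY
# Returns 0 only for a watched user@address pair on a session with a terminal.
should_alert() {
    user=$1 conn=$2 tty=$3
    [ -n "$conn" ] || return 1      # not an ssh session at all
    [ -n "$tty" ] || return 1       # no tty allocated: scp, rsync, scripted commands
    ip=$(client_ip "$conn")
    for rule in $RULES; do
        # whole-string comparison: no patterns, no prefix matches
        [ "$rule" = "$user@$ip" ] && return 0
    done
    return 1
}

if should_alert "${USER:-}" "${SSH_CONNECTION:-}" "${SSH_TTY:-}"; then
    # Put the real action here (mail, logger, ...). Write to stderr only,
    # so that nothing is injected into the session's stdout.
    printf 'login alert: %s from %s\n' "$USER" "$(client_ip "$SSH_CONNECTION")" >&2
fi
```
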
1

Thanks for all your replies. Eventually I managed to find a solution which does work for the time being but it does have one flaw which I'll point out in a minute.

I have added the following to my /etc/bashrc file (or /etc/bash.bashrc whatever environment you're using):

HOST="192.168.0.1"
RHOST=`who am i | sed -n 's/.*(\([^) ]*\).*/\1/p; 1q'`
if [ "$RHOST" == "$HOST" ]; then
        echo "SAY WHAT!"
        #add further actions here if needed
fi

The flaw that I was talking about before may actually not be a flaw. If you're already SSH-ed into the system, and you want to SSH to a host which lives on the same IP, say `ssh root@your-host`, `who am i` would then print 'your-host', but I think that's the way it should be.

Needless to say that the above sed statement can be modified so you can capture the username as well, and you can extend the if/else statement to suit your needs.

Thank you again for all your replies.

Tamas
  • Have you tested my `sshrc` file ? =) – Gilles Quénot Oct 08 '12 at 20:19
  • Hi sputnick. We are arriving to level 2 :) Do you know a way how to exclude logging the ssh commands that come from cronjobs/pieces of code. I'm only interested in user login from a console. Thanks. – Tamas Oct 10 '12 at 20:01
0

You can add something to /etc/profile or equivalent that does something depending on the value of $SSH_CLIENT.

Grisha Levit
0

It looks like you are using last because it reads /var/log/wtmp by default which is a record of logins. The who command also allows you to read the same file but with an interface more to your needs.

For example:

$ who --ips /var/log/wtmp | grep '^msw.*127.0.0.1'
msw      pts/2        2012-10-07 15:52 127.0.0.1
msw      pts/3        2012-10-07 15:55 127.0.0.1

where neither of those sessions were active, but rather historic and logged.

msw
0

In Ubuntu I put a script in

/etc/profile.d

and when someone (an ssh user) logs in, it sends an email to my mail

#/etc/profile.d/run_on_loggin.sh
echo $(who i am) | mail -s 'SSH Login Notification' mymail@hotmail.com

I want to create a PHP file with SMTP, to send email with my mail to me... sometimes Hotmail saves it in spam...

If I have the PHP file I will run it like this...

If I want to pass a var to the PHP file, run it like this...

Excuse my English :3

Note: I think this command runs as the user; be careful if the user doesn't have permission to use some command or send email.

DarckBlezzer
-1

One way would be to run a simple script periodically:

#!/bin/bash
users=$(last | sed -ne '/192\.168\.1\.10/ s/\([^ ]*\).*/\1/p')
for user in $users; do
    sendmail "$user" < email.txt
done

This would pipe the last command into sed to extract a user list and save it into the variable $users. The sed command uses the -n flag so it only prints what we tell it to. First, we select lines that contain the specified IP, with the /192\.168\.1\.10/ "address". On those lines, we attempt to extract the characters before a space, and if we succeed we print the result.

Then, we can loop through the $users variable and act accordingly.

One way to call this repeatedly would be through cron, and a simpler way would be to do while true; do ./my_script.bash; sleep 60; done.

  • Re cron vs while, instead use inotifywait to detect changes in /var/log/wtmp. – James Waldby - jwpat7 Oct 08 '12 at 19:46
  • Thanks Janito. I think there must be something more "interactive". My thinking is that if the lastlog gets updated with a value once someone ssh-s into the server, that very same information could be captured and then put into the /etc/bash.bashrc file so it'd be called at login. – Tamas Oct 08 '12 at 19:49
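
An added example, not taken from any of the answers: matching the user and host columns of `last` output by exact string comparison, next to the regex style used in the `who --ips ... | grep` and `last | sed` answers, which also lets `mary2` and `192.168.1.100` through. The sample lines and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example. SAMPLE is constructed `last`-style output, not real log data.
SAMPLE='mary     pts/1        192.168.1.10     Wed Feb 10 07:04 - 07:57  (00:52)
mary2    pts/3        192.168.1.10     Wed Feb 10 06:40 - 06:41  (00:01)
mary     pts/4        192.168.1.100    Tue Feb  9 23:10 - 23:15  (00:05)
bob      pts/2                         Tue Feb  9 22:00 - 00:13  (02:13)
mary     pts/5        192.168.1.10     Tue Feb  9 21:00 - 21:30  (00:30)'

# exact_logins USER HOST: read `last` output on stdin and print the lines whose
# first (user) and third (host) columns equal USER and HOST as whole strings.
exact_logins() {
    awk -v u="$1" -v h="$2" '
        # Appending "" forces string comparison even for numeric-looking values.
        # A local login has no host column, so $3 is the weekday and never matches.
        ($1 "") == (u "") && ($3 "") == (h "") { print }
    '
}

# regex_logins USER HOST: the "^user.*host" pattern style, for comparison.
# The open-ended match and unescaped dots let longer names and addresses through.
regex_logins() {
    grep "^$1.*$2"
}

# count_lines: number of lines on stdin, without the padding some wc builds add.
count_lines() {
    wc -l | tr -d ' '
}

printf 'exact: %s\n' "$(printf '%s\n' "$SAMPLE" | exact_logins mary 192.168.1.10 | count_lines)"
printf 'regex: %s\n' "$(printf '%s\n' "$SAMPLE" | regex_logins mary 192.168.1.10 | count_lines)"
```

With util-linux `last`, `-i` prints addresses instead of resolved hostnames and `-w` stops long user names being truncated, both of which matter for an exact comparison.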