Sending email notifications of SSH logins on a system

There are some setups where it's beneficial to get a notice of user logins on a system. Here's one way to do it.

Create /usr/local/sbin/notify-login-mail.sh:

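#!/bin/sh
# Run by pam_exec.so, which exports the PAM_* variables used below.
# Only act when a session is opened; ignore close_session and other events.
if [ "$PAM_TYPE" != "open_session" ]
then
  exit 0
else
  {
    echo "User: $PAM_USER"
    echo "Remote host: $PAM_RHOST"
    echo "Service: $PAM_SERVICE"
    echo "TTY: $PAM_TTY"
    echo "Date: $(date)"
    echo "Server: $(uname -a)"
  } | mail -s "$PAM_SERVICE login on $(hostname -s) for account $PAM_USER" root
fi
exit 0

Make the script readable and executable by root only:

# chmod 500 /usr/local/sbin/notify-login-mail.sh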

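Append the execution trigger to the PAM service files you want to monitor, e.g. /etc/pam.d/[sshd|su|sudo]. The optional control flag means a failure of the script does not by itself block the login: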

session    optional     pam_exec.so /usr/local/sbin/notify-login-mail.sh

For example, the following triggers the notification for SSH logins and for successful su and sudo invocations:

echo "session    optional     pam_exec.so /usr/local/sbin/notify-login-mail.sh" >> /etc/pam.d/sshd 
echo "session    optional     pam_exec.so /usr/local/sbin/notify-login-mail.sh" >> /etc/pam.d/su
echo "session    optional     pam_exec.so /usr/local/sbin/notify-login-mail.sh" >> /etc/pam.d/sudo
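
Each run of the >> commands above appends another copy of the line, and every copy sends its own mail. The following is an added example, not part of the original post: an idempotent version of the append step that can be rehearsed against a copy of /etc/pam.d first. The names add_login_hook, HOOK_SCRIPT and HOOK_LINE, and the .bak backup suffix, are assumptions of this example.

```shell
#!/bin/sh
# Added example: idempotent installer for the pam_exec hook line.
HOOK_SCRIPT=/usr/local/sbin/notify-login-mail.sh
HOOK_LINE="session    optional     pam_exec.so $HOOK_SCRIPT"

# add_login_hook DIR SERVICE...
# Appends HOOK_LINE to DIR/SERVICE unless an active (non-comment) pam_exec
# line for the script is already present. Returns non-zero if any file was
# missing or could not be backed up.
add_login_hook() {
  dir=$1; shift
  rc=0
  for svc in "$@"; do
    f="$dir/$svc"
    if [ ! -f "$f" ]; then
      echo "skip: $f does not exist" >&2
      rc=1
      continue
    fi
    # Ignore commented-out lines, then look for pam_exec.so running the script.
    if grep -v '^[[:space:]]*#' "$f" | grep -F 'pam_exec.so' \
        | grep -qF "$HOOK_SCRIPT"; then
      echo "ok: $f already has the hook"
      continue
    fi
    # Keep a copy of the file as it was before the change.
    cp -p "$f" "$f.bak" || { rc=1; continue; }
    # If the file does not end in a newline, add one so the hook
    # starts on its own line instead of being glued to the last rule.
    if [ -s "$f" ] && [ $(tail -c 1 "$f" | wc -l) -eq 0 ]; then
      echo >> "$f"
    fi
    printf '%s\n' "$HOOK_LINE" >> "$f"
    echo "added: $f"
  done
  return $rc
}
```

As root, after sourcing the file, call add_login_hook /etc/pam.d sshd su sudo; pointing the first argument at a copy of the directory shows the resulting files without touching the live PAM configuration.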

Check that the mail command exists; if not, it's in the package mailx:

# yum install mailx

Check the root account mail has been sensibly forwarded (e.g. /etc/aliases). Ensure there's a local MTA installed.
