Tag Archives: SSH
Guacamole cannot connect via SSH – FIX
If you get “SSH handshake failed” when trying to use Guacamole to connect to Ubuntu via SSH, you need to use a workaround:
In the meantime a workaround is adding “HostKeyAlgorithms +ssh-rsa” to the end of /etc/ssh/sshd_config on the Ubuntu machine and restart sshd. Note: I don’t have an understanding of the security implications of this, so use at your own risk
The solution was posted here:
https://www.reddit.com/r/linuxquestions/comments/ued2vq/comment/i736why/?utm_source=share&utm_medium=web2x&context=3
How do I set up an email alert when a ssh login is successful?
Original: https://askubuntu.com/questions/179889/how-do-i-set-up-an-email-alert-when-a-ssh-login-is-successful
Since the sshrc method doesn’t work if the user has their own ~/.ssh/rc file, I’ll explain how to do this with pam_exec as @adosaiguas suggested. The good thing is that this can also be easily adapted to login types other than ssh (such as local logins or even all logins) by hooking into a different file in /etc/pam.d/.
First you need to be able to send mail from the command line. There are other questions about this. On a mail server it’s probably easiest to install mailx (which is probably already installed anyway).
Then you need an executable script file login-notify.sh (I put it in /etc/ssh/ for example) with the following content. You can change the variables to change the subject and content of the e-mail notification. Don’t forget to execute chmod +x login-notify.sh to make it executable.
#!/bin/sh
# Change these two lines:
sender="sender-address@example.com"
recepient="notify-address@example.org"

# pam_exec exports PAM_TYPE, PAM_USER and PAM_RHOST to the script.
if [ "$PAM_TYPE" != "close_session" ]; then
    host="$(hostname)"
    subject="SSH Login: $PAM_USER from $PAM_RHOST on $host"
    # Message to send, e.g. the current environment variables.
    message="$(env)"
    echo "$message" | mailx -r "$sender" -s "$subject" "$recepient"
fi
Once you have that, you can add the following line to /etc/pam.d/sshd:
session optional pam_exec.so seteuid /path/to/login-notify.sh
For testing purposes, the module is included as optional, so that you can still log in if the execution fails. After you made sure that it works, you can change optional to required. Then login won’t be possible unless the execution of your hook script is successful (if that is what you want).
For those of you in need of an explanation of what PAM is and how it works, here is a very good one.
Just make sure you have UsePAM set to yes in your sshd_config.
And this is how to use Pushover API for alerts instead of email:
#!/bin/sh
# This script monitors /var/log/auth.log for SSH logins
# and sends a notification via Pushover when one is
# detected.
# Need to wait a bit before actually starting this script
sleep 90 # sleeps for 90 seconds
# Pushover
PUSHOVER_TITLE="FreeNAS SSH Login" # This is the title for each message.
APITOKEN=******
USERKEY=******
# Log
LOG=/mnt/Tank/sshNotify.log
/bin/date > $LOG
echo "PID: $$" >> $LOG
# Priority: -2 to generate no notification/alert
#           -1 to always send as a quiet notification
#            0 to use the default priority
#            1 to display as high-priority and bypass the user's quiet hours
#            2 to also require confirmation from the user.
# Note: For priority 2, the retry and expire parameters
#       must also be supplied.
# Monitoring loop
echo "Script running." >> $LOG
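/usr/bin/tail -Fn0 /var/log/auth.log | \
while read -r line ; do
    # Only public-key logins are matched; other methods are ignored.
    if echo "$line" | grep -q " Accepted publickey for " ; then
        TS=$(date +%s)
        # Fourth ':'-separated field is " Accepted publickey for USER from IP port ..."
        USER=$(echo "$line" | cut -d':' -f4 | cut -d' ' -f5)
        IP=$(echo "$line" | cut -d':' -f4 | cut -d' ' -f7)
        # --data-urlencode keeps spaces and '&' in values from breaking the form body
        /usr/local/bin/curl -s https://api.pushover.net/1/messages.json \
            --data-urlencode "token=${APITOKEN}" \
            --data-urlencode "user=${USERKEY}" \
            --data-urlencode "title=${PUSHOVER_TITLE}" \
            --data-urlencode "message=User: ${USER} IP: ${IP}" \
            --data-urlencode "timestamp=${TS}" \
            --data-urlencode "priority=-1"
    fi
done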
echo "Script finished, will now exit." >> $LOG
/bin/date >> $LOG
exit 0
If using this with FreeNAS run the script by creating an entry under Tasks –> Init/Shutdown Scripts. The fields are:
Type: Command
Command: /bin/sh /mnt/Tank/sshNotify.sh &
When: postinit
Check log file for interactive SSH logins
# failed attempt
grep sshd.\*Failed /var/log/auth.log | less
# successful attempts
grep sshd.\*Accepted /var/log/auth.log | less
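The cut-based field extraction in the Pushover script and the two grep commands above both depend on the exact layout of the sshd log line. The following is an added example, not part of the original posts: it parses Accepted and Failed lines of any authentication method, copes with IPv6 source addresses and both timestamp formats, and reads the source address from the right-hand end of the line. The function names, the "Failed-invalid" label and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original page. Reads auth.log lines on stdin and
# prints "result<TAB>method<TAB>user<TAB>source_ip" per sshd login line.
parse_sshd_auth() {
    awk '
    {
        # Locate the "sshd[PID]:" tag; its position varies with timestamp format.
        tag = 0
        for (k = 1; k <= NF; k++) if ($k ~ /^sshd\[[0-9]+\]:$/) { tag = k; break }
        if (!tag) next
        result = $(tag + 1); method = $(tag + 2)
        if (result != "Accepted" && result != "Failed") next
        if ($(tag + 3) != "for") next

        # Scan from the right for "from <ip> port <n>" so that text inside a
        # user name cannot be mistaken for the source address.
        p = 0
        for (i = NF - 1; i >= tag + 7; i--)
            if ($i == "port" && $(i - 2) == "from") { p = i; break }
        if (!p) next

        first = tag + 4
        if ($first == "invalid" && $(first + 1) == "user") {
            result = "Failed-invalid"; first += 2
        }
        if (first > p - 3) next
        user = $first
        for (j = first + 1; j <= p - 3; j++) user = user " " $j
        printf "%s\t%s\t%s\t%s\n", result, method, user, $(p - 1)
    }'
}

# Constructed sample lines (documentation addresses, made-up hosts and users).
sample_log() {
    cat <<'EOF'
Mar  1 12:34:56 nas sshd[2211]: Accepted publickey for alice from 2001:db8::5 port 50022 ssh2: ED25519 SHA256:CONSTRUCTED
2024-05-01T10:00:00+00:00 nas sshd[99]: Accepted password for bob from 192.0.2.10 port 51000 ssh2
Mar  1 12:35:10 nas sshd[2300]: Failed password for invalid user admin from 203.0.113.7 port 4242 ssh2
Mar  1 12:35:12 nas sshd[2301]: Failed password for invalid user x from 10.0.0.1 port 22 from 198.51.100.9 port 40000 ssh2
Mar  1 12:36:00 nas CRON[2400]: pam_unix(cron:session): session opened for user root
EOF
}

sample_log | parse_sshd_auth
```

To run it against a real log, pipe the file in: parse_sshd_auth < /var/log/auth.log.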
VMware ESXi
Step 1. Connect to ESXi console and press the Alt+F1 key combination.
Step 2. Type unsupported and then press Enter. Note that nothing will appear on the screen whilst you type this.
Step 3. When prompted, enter the root password and press Enter.
Step 4. You will now be presented with a prompt on the console. From this prompt type vi /etc/inetd.conf
Step 5. vi (the file editor) has now opened the inetd.conf file. Using the direction arrows scroll through the lines until you reach the line that has #ssh and remove the hash (ie: #). This is effectively un-commenting this line so that the ssh service can be started.
Step 6. Now that you have made this minor change to the file, you want to save it and exit out of the editor (vi). To do this, press the ESC key (to put vi back into Command Mode) and then type :wq. Note: If you want to exit without saving any changes to the file, just press the ESC key (Command Mode) and then type :q!.
Step 7. With the SSH service now un-commented from this file we want to restart the