Original: https://askubuntu.com/questions/179889/how-do-i-set-up-an-email-alert-when-a-ssh-login-is-successful

Since the sshrc method doesn’t work if the user has their own ~/.ssh/rc file, I’ll explain how to do this with pam_exec as @adosaiguas suggested. The good thing is that this can also be easily adapted to login types other than ssh (such as local logins or even all logins) by hooking into a different file in /etc/pam.d/.

First you need to be able to send mail from the command line. There are other questions about this. On a mail server it’s probably easiest to install mailx (which is probably already installed anyway).

Then you need an executable script file login-notify.sh (I put it in /etc/ssh/ for example) with the following content. You can change the variables to change the subject and content of the e-mail notification. Don’t forget to execute chmod +x login-notify.sh to make it executable.

#!/bin/sh

# Change these two lines:
sender="sender-address@example.com"
recepient="notify-address@example.org"

if [ "$PAM_TYPE" != "close_session" ]; then
    host="`hostname`"
    subject="SSH Login: $PAM_USER from $PAM_RHOST on $host"
    # Message to send, e.g. the current environment variables.
    message="`env`"
    echo "$message" | mailx -r "$sender" -s "$subject" "$recepient"
fi

Once you have that, you can add the following line to /etc/pam.d/sshd:

session optional pam_exec.so seteuid /path/to/login-notify.sh

For testing purposes, the module is included as optional, so that you can still log in if the execution fails. After you made sure that it works, you can change optional to required. Then login won’t be possible unless the execution of your hook script is successful (if that is what you want).

For those of you in need of an explanation of what PAM is and how it works, here is a very good one.

Just make sure you have UsePAM set to yes in your sshd_config

And this is how to use Pushover API for alerts instead of email:

#!/bin/sh

# This script monitors /var/log/auth.log for SSH logins
# and sends a notification via Pushover when one is
# detected.

# Need to wait a bit before actually starting this script
sleep 90 # sleeps for 90 seconds

# Pushover
PUSHOVER_TITLE="FreeNAS SSH Login" # This is the title for each message.
APITOKEN=******
USERKEY=******

# Log
LOG=/mnt/Tank/sshNotify.log
/bin/date > $LOG
echo "PID: $$" >> $LOG

# Priority:   -2 to generate no notification/alert
#             -1 to always send as a quiet notification
#              0 to use the default priority
#              1 to display as high-priority and bypass the user's quiet hours
#              2 to also require confirmation from the user.
#                Note: For priority 2, the retry and expire parameters
#                      must also be supplied.

# Monitoring loop

echo "Script running." >> $LOG
/usr/bin/tail -Fn0 /var/log/auth.log | \
while read line ; do
    echo "$line" | grep -q " Accepted publickey for "
    if [ $? = 0 ] ; then
        TS=$(date +%s)
        USER=$(echo "$line" | cut -d':' -f4 | cut -d' ' -f5)
        IP=$(echo "$line" | cut -d':' -f4 | cut -d' ' -f7)
        /usr/local/bin/curl https://api.pushover.net/1/messages.json -d "token=${APITOKEN}&user=${USERKEY}&title=${PUSHOVER_TITLE}&message=User: ${USER}   IP: ${IP}&timestamp=${TS}&priority=-1"
    fi
done

echo "Script finished, will now exit." >> $LOG
/bin/date >> $LOG
exit 0

If using this with FreeNAS run the script by creating an entry under Tasks –> Init/Shutdown Scripts. The fields are:

Type: Command
Command: /bin/sh /mnt/Tank/sshNotify.sh &
When: postinit