SSHrc and telegram apis


The root cause

While I was casually chatting with a colleague, he told me about the sshrc feature of sshd. He explained to me that he was using Telegram’s API to get ssh login notifications on his phone. My first thought was “Yeah, sure, but it’s just a .rc file (custom settings), it’s usually quite easy to bypass with the right option…”

While saying that, I had in mind the trick with bash --noprofile --norc that can allow a new bash process to be spawned without using any configuration file. I had to use that two years ago when I… F*cked up my own .bashrc and couldn’t use bash anymore; at that time I wasn’t aware of the real sh or other alternative shells.

After some reading, I found out that:

Man ssh

  • Commands in this file are executed by ssh when the user logs in, just before the user’s shell (or command) is started. See the sshd(8) manual page for more information.

Man sshd

  • Similar to $HOME/.ssh/rc. This can be used to specify machine-specific login-time initializations globally. This file should be writable only by root, and should be world-readable.

Random stackexchange user #SoItMustBeTrue

  • It’s a security feature: the ~/.ssh/rc file may do things that the client must not be able to bypass (although that’s not a common use).

Telegram API

Ok, so we’re good sshd-wise. Now let’s read some docs!
They’re pretty well written and explain what one can do and how.
Create the bot, get the API key and chat ID, say hi to the... BotFather?! Pretty uncommon, I like that!

https://core.telegram.org/bots


Content of /etc/ssh/sshrc

#!/bin/bash
# Start the notifier in the background so the login is not delayed
bash /etc/ssh/ssh_notifier.sh &

Pretty simple: “Please execute that ssh_notifier script.”

Content of /etc/ssh/ssh_notifier.sh

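#!/bin/bash
# Started from /etc/ssh/sshrc; runs as the user who just logged in.

# Bot credentials from BotFather, quoted so the shell treats them as plain strings
TOKEN="<CENSORED_BOT_ID>:<CENSORED_TOKEN>"
CHAT_ID="<CENSORED_CHAT_ID>"
# Local date plus the CET time scraped from worldtimeserver (see PS1)
DATE=$(date | cut -d, -f1 | tr "\n" " " && curl -s https://www.worldtimeserver.com/time-zones/cet/ | grep --color=never -oE "[0-9]{2}:[0-9]{2}:[0-9]{2}" | tail -n 1)
HOST=$(hostname)
# USER and SSH_CONNECTION are set by sshd for the new session
MESSAGE="New ssh connection :
 - $DATE by $USER@$HOST
 - $SSH_CONNECTION"
URL="https://api.telegram.org/bot$TOKEN/sendMessage"

# --data-urlencode keeps the newlines and any special characters of the message intact
curl -s -X POST "$URL" -d chat_id="$CHAT_ID" --data-urlencode text="$MESSAGE" &>/dev/null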

A bit less trivial: a short bash script that gathers some useful information about the newly logged-in user: who, when, from where, etc…


And Voilà, you now have your free and real-time notification forwarder!
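To check that a setup like this one actually fires for every account, here is an audit script, added as an example and not part of the original post. It verifies the sshd(8) permission rule quoted above, and it also covers the sshd(8) login-process rule that a user's own ~/.ssh/rc replaces /etc/ssh/sshrc unless PermitUserRC is set to no; the function names, the --run switch and the status words it prints are made up for this example.

```shell
#!/bin/bash
# Added example: audit the sshrc notifier setup described on this page.

# sshd(8), quoted above: the global rc file "should be writable only by root,
# and should be world-readable". $2 (expected owner, default root) exists so
# the check can be exercised on scratch files.
check_rc_file() {
    local f="$1" owner="${2:-root}"
    [ -f "$f" ] || { echo "MISSING $f"; return 1; }
    # find prints the path only when the predicate matches
    [ -n "$(find "$f" -prune -user "$owner" 2>/dev/null)" ] ||
        { echo "BAD_OWNER $f"; return 1; }
    [ -z "$(find "$f" -prune \( -perm -020 -o -perm -002 \))" ] ||
        { echo "WRITABLE_BY_OTHERS $f"; return 1; }
    [ -n "$(find "$f" -prune -perm -004)" ] ||
        { echo "NOT_WORLD_READABLE $f"; return 1; }
    echo "OK $f"
}

# Reads `sshd -T` output on stdin and prints the effective PermitUserRC
# value; sshd_config(5) documents the default as "yes".
permit_user_rc() {
    awk 'tolower($1) == "permituserrc" { v = tolower($2) }
         END { print (v == "" ? "yes" : v) }'
}

# sshd(8) login process: if $HOME/.ssh/rc exists and PermitUserRC is yes,
# sshd runs that file and skips /etc/ssh/sshrc for that account.
# $1 = home directory, $2 = PermitUserRC value. True when the global rc applies.
global_rc_applies() {
    [ "$2" = "no" ] || [ ! -e "$1/.ssh/rc" ]
}

audit_host() {
    local mode home
    check_rc_file /etc/ssh/sshrc
    check_rc_file /etc/ssh/ssh_notifier.sh
    mode=$(sshd -T 2>/dev/null | permit_user_rc)   # sshd -T needs root
    echo "PermitUserRC=$mode"
    for home in /root /home/*; do
        global_rc_applies "$home" "$mode" || echo "NO_NOTIFICATION $home"
    done
}

# Run the audit only when asked, so the functions can be sourced and tested.
if [ "${1:-}" = "--run" ]; then audit_host; fi
```

Run it as root with --run. Since sshrc is executed as the user who logs in, ssh_notifier.sh has to stay readable by every account, which means the bot token inside it is readable by all of them too.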

PS1: If you wonder why I used worldtimeserver instead of NTP or my local time, here’s why: I’m just lazy af, it was fast and easy so it’s the path I took! =]

PS2: Yeah, I enabled root login on my bounce, because it’s a kali image and I was ALSO too lazy to setup a new user. Wanna fight about it? Sure!

while read argument; 
do
  unset $argument;
done

Seeya ! ;)

A linux caca story