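#!/bin/bash
#
# PAM session hook: mails root when an SSH login that sshd accepted with a
# password opens a session.
#
# Reads the PAM_* environment variables (PAM_TYPE, PAM_USER, PAM_RHOST,
# PAM_SERVICE, PAM_TTY), so it is presumably invoked through pam_exec --
# confirm against the PAM stack that calls it.
#
# Always exits 0, so a failure of the notification path (journal read, mail
# delivery) never changes the outcome of the login itself.

# Only act when a session is being opened; ignore every other PAM phase.
[[ "$PAM_TYPE" == "open_session" ]] || exit 0

# Look at the newest "Accepted <method> for <user> from ..." record that
# belongs to THIS account within the last minute, and alert only if its
# method is "password". Tying the record to PAM_USER keeps a concurrent login
# by a different account from hiding the event or triggering a wrong alert.
# -F matches the account name literally instead of as a regular expression,
# and -q keeps the matched log line off the script's stdout.
#
# NOTE(review): the unit is named "ssh" on Debian-style systems and "sshd" on
# many others; if the unit name does not match, no alert is ever sent.
# NOTE(review): this is still a time-window heuristic. Two logins by the same
# account inside one minute, using different methods, can be confused.
if journalctl --since "1 minute ago" -u ssh \
  | tac \
  | grep -F -- "Accepted " \
  | grep -F -m1 -- " for ${PAM_USER} from " \
  | grep -qF -- "Accepted password for ${PAM_USER} from "; then
  {
    # printf '%s\n' prints the remote-influenced values verbatim, whatever
    # characters they contain.
    printf '%s\n' "User: $PAM_USER"
    printf '%s\n' "Remote Host: $PAM_RHOST"
    printf '%s\n' "Service: $PAM_SERVICE"
    printf '%s\n' "TTY: $PAM_TTY"
    printf '%s\n' "Date: $(date)"
    printf '%s\n' "Server: $(uname -a)"
    printf '\n'
    printf '%s\n' "Somebody has successfully logged in your machine, please be aware and acknowledge this event."
  } | mail -s "$PAM_SERVICE login on $(hostname -f) for account $PAM_USER" root
fi

# Never fail the PAM stack because of the notification.
exit 0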