Signal

Send encrypted notifications directly to Signal users.

Uses Ubuntu 18.04 Server Base Install.

Files

Signal Files

Location

Purpose

~/.local/share/signal-cli

Default location for private Signal keys for messaging

/data/signal/data

Location for service Signal keys for messaging

/data/signal/cli/bin

Signal binary

Updated: None

Server Setup

Download the Latest Release.

Install dependencies.

apt install default-jre

Create signal system user.

adduser --system --home /data/signal --shell /bin/false signal

Install dependencies and extract release.

tar xvf signal-cli-*.tar.gz -C /data/signal/cli
chmod go-rwx /data/signal
chown -R signal /data/signal

Link to Phone

The binary can be setup as the primary account however this will remove access from your phone (unless it is registered with a second number). It is better to link it to an existing account if you only have a single number instead. Access can be remotely disabled this way.

Generate link request (this will eventually timeout).

./signal-cli link -n {DEVICE NAME}

Note

This will generate a tsdevice:// URI. This needs to be copied as is to generate a scannable QR code.

Do not quit the process as it is pending approval. Once approved you will see the message Associated with: +{INTERNATIONAL PHONE NUMBER}.

Generate QR code on CLI and scan with phone to approve.

qrencode -t ansi256 'tsdevice:// ...'

Important

tsdevice must be quoted, otherwise an invalid QR code will be generated.

Send Test Message

Send a test message to ensure everything works then copy cofiguration keys for service.

Send test message.

./signal-cli -u +{INTERNATIONAL PHONE NUMBER} send -m "This is a test message" +{INTERNATIONAL PHONE NUMBER}

Note

You can actually send the message from and to the same number. It will be received in Signal as a Note to Self.

Copy configuration to service directory.

cp -av ~/.local/share/signal-cli/data /data/signal/
chmod go-rwx -R /data/signal
chown -R signal /data/signal

Warning

These files must be secured as any access to these credentials will allow messages to be sent as you.

Access can be disabled in the Signal App at any time.

Send SSH Login Notification

Enables Signal messaging when a user logs into the system via SSH.

Script will only send notifications on opening SSH connections.

0700 signal signal /data/signal/ssh-signal-notify

#!/bin/bash
if [ ${PAM_TYPE} = "open_session" ]; then
  DATE_EXEC="$(date "+%F %H:%M:%S")"
  HOSTNAME=$(hostname -f)
  HOST_IP=$(hostname -I | awk '{print $1}')
  TEXT="$DATE_EXEC: ${PAM_USER}@${PAM_RHOST} logged in to $HOSTNAME ($HOST_IP)."
  su - signal -c /data/signal/cli/bin/signal-cli --config /data/signal -u +{INTERNATIONAL PHONE NUMBER} send -m "$TEXT" +{INTERNATIONAL PHONE NUMBER} &
fi
exit 0

0644 root root /etc/pam.d/sshd

## Add at end of file.
# Alert successful logins via signal.
session    optional    pam_exec.so seteuid /data/signal/ssh-signal-notify

Note

pam_exec will not have user environment variables by default. See pam_exec reference for environment variables. Enabling user environment variables is dangerous.

Enable debug and check /var/log/auth.log if notification does not fire. Any errors with optional scripts are generally dropped sliently.

References

1. PAM Reference

2. Signal CLI Reference

3. Signal CLI Docker

4. SSH Login Notifications with Signal

5. pam_exec Reference

6. Run sshd login script one