I like this idea, but on busy release days don’t you find it a little noisy? I’ve never tried using ForceCommand - I’m guessing it would work the same for automated connections via ansible as it would for interactive use?
Also, I’d put the ssh-wrapper script somewhere like /usr/local/bin and make it writable only by root.
I’d almost be tempted to filter out automated connections so that only the rare/notable interactive logins are posted to Slack. But then maybe the gain of not desensitising the channel to regular harmless logins isn’t worth the risk of an attacker disguising their harmful interactive session as a regular deployment.
Because we use immutable infrastructure it works well. We are rarely making a lot of SSH connections to an active server, instead we deploy a new infrastructure and set this notification system up as the last step. I can definitely see how my system would be problematic on servers with a lot of automation happening regularly though.
Filtering out automated connections would be great. Or even just more specifically identifying the user in the notification (if possible).