feat(ssh,telnet): add non-root user account for privesc + enum lure
Real Linux deployments (especially Ubuntu cloud images) ship a non-
root admin user; honeypots that only accept root logins are a tell.
Add a second account on both SSH and Telnet decoys, configurable
via service_cfg keys `user` / `user_password`, defaulting to
`ubuntu` / `admin` so the lure is live on every fresh deploy.
* `decnet/services/{ssh,telnet}.py` — two new ServiceConfigFields
(`user` string, `user_password` secret) and matching env vars
(`SSH_USER` / `SSH_USER_PASSWORD`, mirror for telnet) propagated
via the compose fragment.
* `decnet/templates/ssh/entrypoint.sh` — runtime `useradd -m -s
/usr/libexec/login-session -G sudo "$SSH_USER"` so the new user
inherits the same sessrec pty-recording shell as root and lands
in the sudo group. Privesc attempts (`sudo`) flow through the
existing sudo-log capture; network-enum from the user's shell
rides the recorded transcript.
* `decnet/templates/telnet/entrypoint.sh` — same useradd pattern
(no sudo group — busybox+login telnet image has no sudo
package; privesc rides `su -` which itself flows through the
existing PAM auth-helper at /etc/pam.d/login).
* New tests for default + custom user / password + independence
from root password. Updated the schema-keys assertion to match
the four-field shape.
The new account is ALSO the natural home for the body-aware
predicates that were previously gated on root-only sessions —
attackers who land on `ubuntu@host` and run network-recon /
privesc commands now generate the same structured TTP-rule
events as root sessions did, captured via the same auth-helper
+ sessrec + sudo-log pipes.
This commit is contained in:
@@ -5,6 +5,26 @@ set -e
|
||||
ROOT_PASSWORD="${SSH_ROOT_PASSWORD:-admin}"
|
||||
echo "root:${ROOT_PASSWORD}" | chpasswd
|
||||
|
||||
# Non-root user — gives the decoy a realistic "ssh user@host" surface
|
||||
# so attackers running enumeration scripts find a plausible second
|
||||
# account, AND so post-login privesc (sudo) flows through the
|
||||
# existing sudo-log capture pipe. SSH_USER blank means "no second
|
||||
# user" (legacy single-account behaviour); the compose fragment
|
||||
# defaults SSH_USER to "ubuntu" so this branch is the live path on
|
||||
# fresh deploys.
|
||||
SSH_USER="${SSH_USER:-}"
|
||||
SSH_USER_PASSWORD="${SSH_USER_PASSWORD:-admin}"
|
||||
if [ -n "${SSH_USER}" ] && [ "${SSH_USER}" != "root" ]; then
|
||||
if ! id -u "${SSH_USER}" >/dev/null 2>&1; then
|
||||
# Login shell points at the same sessrec wrapper root uses,
|
||||
# so the new user's pty session is recorded — privesc and
|
||||
# network-enum behaviour ride the existing capture pipe
|
||||
# without a parallel implementation.
|
||||
useradd -m -s /usr/libexec/login-session -G sudo "${SSH_USER}"
|
||||
fi
|
||||
echo "${SSH_USER}:${SSH_USER_PASSWORD}" | chpasswd
|
||||
fi
|
||||
|
||||
# Optional: override hostname inside container
|
||||
if [ -n "$SSH_HOSTNAME" ]; then
|
||||
echo "$SSH_HOSTNAME" > /etc/hostname
|
||||
|
||||
Reference in New Issue
Block a user