feat(ssh,telnet): add non-root user account for privesc + enum lure

Real Linux deployments (especially Ubuntu cloud images) ship a non-
root admin user; honeypots that only accept root logins are a tell.
Add a second account on both SSH and Telnet decoys, configurable
via service_cfg keys `user` / `user_password`, defaulting to
`ubuntu` / `admin` so the lure is live on every fresh deploy.

* `decnet/services/{ssh,telnet}.py` — two new ServiceConfigFields
  (`user` string, `user_password` secret) and matching env vars
  (`SSH_USER` / `SSH_USER_PASSWORD`, mirror for telnet) propagated
  via the compose fragment.
* `decnet/templates/ssh/entrypoint.sh` — runtime `useradd -m -s
  /usr/libexec/login-session -G sudo "$SSH_USER"` so the new user
  inherits the same sessrec pty-recording shell as root and lands
  in the sudo group. Privesc attempts (`sudo`) flow through the
  existing sudo-log capture; network-enum from the user's shell
  rides the recorded transcript.
* `decnet/templates/telnet/entrypoint.sh` — same useradd pattern
  (no sudo group — busybox+login telnet image has no sudo
  package; privesc rides `su -` which itself flows through the
  existing PAM auth-helper at /etc/pam.d/login).
* New tests for default + custom user / password + independence
  from root password. Updated the schema-keys assertion to match
  the four-field shape.

The new account is ALSO the natural home for the body-aware
predicates that were previously gated on root-only sessions —
attackers who land on `ubuntu@host` and run network-recon /
privesc commands now generate the same structured TTP-rule
events as root sessions did, captured via the same auth-helper
+ sessrec + sudo-log pipes.

tests/services/test_config_schema.py

@@ -96,10 +96,10 @@ def test_field_to_json_omits_unused_enum():
 
 
 def test_ssh_schema_keys_match_compose_reads():
-    # SSHService.compose_fragment reads cfg.get("password") and cfg.get("hostname")
-    # — the schema must expose exactly those.
+    # SSHService.compose_fragment reads password / user / user_password /
+    # hostname — the schema must expose exactly those.
     keys = {f.key for f in SSHService.config_schema}
-    assert keys == {"password", "hostname"}
+    assert keys == {"password", "user", "user_password", "hostname"}
 
 
 def test_ssh_compose_round_trip_through_validator():
@@ -144,16 +144,33 @@ def test_https_schema_includes_tls_fields():
 
 
 def test_telnet_schema_keys_match_compose_reads():
-    assert {f.key for f in TelnetService.config_schema} == {"password", "hostname"}
+    assert {f.key for f in TelnetService.config_schema} == {
+        "password", "user", "user_password", "hostname",
+    }
 
 
 def test_telnet_compose_round_trip():
     svc = TelnetService()
-    cfg = svc.validate_cfg({"password": "hunter2", "hostname": "mail-01"})
+    cfg = svc.validate_cfg({
+        "password": "hunter2", "hostname": "mail-01",
+        "user": "deploy", "user_password": "Tr0ub4dor",
+    })
     frag = svc.compose_fragment("decky-test", service_cfg=cfg)
     env = frag["environment"]
     assert env["TELNET_ROOT_PASSWORD"] == "hunter2"
     assert env["TELNET_HOSTNAME"] == "mail-01"
+    assert env["TELNET_USER"] == "deploy"
+    assert env["TELNET_USER_PASSWORD"] == "Tr0ub4dor"
+
+
+def test_telnet_default_non_root_user():
+    """Defaults to ubuntu/admin so a fresh decoy lures `telnet
+    ubuntu@host` enumeration scripts without operator setup."""
+    svc = TelnetService()
+    frag = svc.compose_fragment("decky-test", service_cfg={})
+    env = frag["environment"]
+    assert env["TELNET_USER"] == "ubuntu"
+    assert env["TELNET_USER_PASSWORD"] == "admin"
 
 
 def test_rdp_schema_matches_and_bool_coerces():

tests/services/test_ssh.py

@@ -123,6 +123,36 @@ def test_no_log_target_in_env():
     assert "LOG_TARGET" not in _fragment(log_target="10.0.0.1:5140").get("environment", {})
 
 
+def test_default_non_root_user_and_password():
+    """The compose fragment defaults SSH_USER to "ubuntu" and
+    SSH_USER_PASSWORD to "admin" — privesc + network-enum lure on
+    every fresh deploy without an operator intervention."""
+    env = _fragment()["environment"]
+    assert env["SSH_USER"] == "ubuntu"
+    assert env["SSH_USER_PASSWORD"] == "admin"
+
+
+def test_custom_non_root_user_and_password():
+    env = _fragment(service_cfg={
+        "user": "deploy",
+        "user_password": "Tr0ub4dor",
+    })["environment"]
+    assert env["SSH_USER"] == "deploy"
+    assert env["SSH_USER_PASSWORD"] == "Tr0ub4dor"
+
+
+def test_non_root_user_independent_of_root_password():
+    """User account password must be a distinct knob from the root
+    password — operators routinely set them to different values to
+    exercise multi-credential capture."""
+    env = _fragment(service_cfg={
+        "password": "rootpw",
+        "user_password": "userpw",
+    })["environment"]
+    assert env["SSH_ROOT_PASSWORD"] == "rootpw"
+    assert env["SSH_USER_PASSWORD"] == "userpw"
+
+
 # ---------------------------------------------------------------------------
 # Logging pipeline wiring (Dockerfile + entrypoint)
 # ---------------------------------------------------------------------------