anti/DECNET
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(ssh,telnet): add non-root user account for privesc + enum lure

Browse Source 
Real Linux deployments (especially Ubuntu cloud images) ship a non-
root admin user; honeypots that only accept root logins are a tell.
Add a second account on both SSH and Telnet decoys, configurable
via service_cfg keys `user` / `user_password`, defaulting to
`ubuntu` / `admin` so the lure is live on every fresh deploy.

* `decnet/services/{ssh,telnet}.py` — two new ServiceConfigFields
  (`user` string, `user_password` secret) and matching env vars
  (`SSH_USER` / `SSH_USER_PASSWORD`, mirror for telnet) propagated
  via the compose fragment.
* `decnet/templates/ssh/entrypoint.sh` — runtime `useradd -m -s
  /usr/libexec/login-session -G sudo "$SSH_USER"` so the new user
  inherits the same sessrec pty-recording shell as root and lands
  in the sudo group. Privesc attempts (`sudo`) flow through the
  existing sudo-log capture; network-enum from the user's shell
  rides the recorded transcript.
* `decnet/templates/telnet/entrypoint.sh` — same useradd pattern
  (no sudo group — busybox+login telnet image has no sudo
  package; privesc rides `su -` which itself flows through the
  existing PAM auth-helper at /etc/pam.d/login).
* New tests for default + custom user / password + independence
  from root password. Updated the schema-keys assertion to match
  the four-field shape.

The new account is ALSO the natural home for the body-aware
predicates that were previously gated on root-only sessions —
attackers who land on `ubuntu@host` and run network-recon /
privesc commands now generate the same structured TTP-rule
events as root sessions did, captured via the same auth-helper
+ sessrec + sudo-log pipes.
This commit is contained in:
anti
2026-05-02 19:48:03 -04:00
parent c675bd26cf
commit 3e9c4c29b9
6 changed files with 167 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

30
tests/services/test_ssh.py
View File

@@ -123,6 +123,36 @@ def test_no_log_target_in_env():
assert "LOG_TARGET" not in _fragment(log_target="10.0.0.1:5140").get("environment", {})
def test_default_non_root_user_and_password():
"""The compose fragment defaults SSH_USER to "ubuntu" and
SSH_USER_PASSWORD to "admin" — privesc + network-enum lure on
every fresh deploy without an operator intervention."""
env = _fragment()["environment"]
assert env["SSH_USER"] == "ubuntu"
assert env["SSH_USER_PASSWORD"] == "admin"
def test_custom_non_root_user_and_password():
env = _fragment(service_cfg={
"user": "deploy",
"user_password": "Tr0ub4dor",
})["environment"]
assert env["SSH_USER"] == "deploy"
assert env["SSH_USER_PASSWORD"] == "Tr0ub4dor"
def test_non_root_user_independent_of_root_password():
"""User account password must be a distinct knob from the root
password — operators routinely set them to different values to
exercise multi-credential capture."""
env = _fragment(service_cfg={
"password": "rootpw",
"user_password": "userpw",
})["environment"]
assert env["SSH_ROOT_PASSWORD"] == "rootpw"
assert env["SSH_USER_PASSWORD"] == "userpw"
# ---------------------------------------------------------------------------
# Logging pipeline wiring (Dockerfile + entrypoint)
# ---------------------------------------------------------------------------