Add deaddeck: real interactive SSH entry-point machine

Introduces the 'real_ssh' service plugin backed by a genuine OpenSSH server (not cowrie), and the 'deaddeck' archetype that uses it. The container ships with a lived-in Linux environment and a deliberately weak root:admin credential to invite exploitation. - templates/real_ssh/: Dockerfile + entrypoint (configurable via env) - decnet/services/real_ssh.py: BaseService plugin, service_cfg supports password and hostname overrides - decnet/archetypes.py: deaddeck archetype added - tests/test_real_ssh.py: 17 tests covering registration, compose fragment structure, overrides, and archetype Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-04 13:42:19 -03:00
parent 9219bf432b
commit 7aff040579
5 changed files with 269 additions and 0 deletions
--- a/templates/real_ssh/Dockerfile
+++ b/templates/real_ssh/Dockerfile
@@ -0,0 +1,51 @@
+ARG BASE_IMAGE=debian:bookworm-slim
+FROM ${BASE_IMAGE}
+
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    openssh-server \
+    sudo \
+    curl \
+    wget \
+    vim \
+    nano \
+    net-tools \
+    procps \
+    htop \
+    git \
+    && rm -rf /var/lib/apt/lists/*
+
+RUN mkdir -p /var/run/sshd /root/.ssh
+
+# sshd_config: allow root + password auth
+RUN sed -i \
+    -e 's|^#\?PermitRootLogin.*|PermitRootLogin yes|' \
+    -e 's|^#\?PasswordAuthentication.*|PasswordAuthentication yes|' \
+    -e 's|^#\?ChallengeResponseAuthentication.*|ChallengeResponseAuthentication no|' \
+    /etc/ssh/sshd_config
+
+# Lived-in environment: motd, shell aliases, fake project files
+RUN echo "Ubuntu 22.04.3 LTS" > /etc/issue.net && \
+    echo "Welcome to Ubuntu 22.04.3 LTS (GNU/Linux 5.15.0-88-generic x86_64)" > /etc/motd && \
+    echo "" >> /etc/motd && \
+    echo " * Documentation:  https://help.ubuntu.com" >> /etc/motd && \
+    echo " * Management:     https://landscape.canonical.com" >> /etc/motd && \
+    echo " * Support:        https://ubuntu.com/advantage" >> /etc/motd
+
+RUN echo 'alias ll="ls -alF"' >> /root/.bashrc && \
+    echo 'alias la="ls -A"' >> /root/.bashrc && \
+    echo 'alias l="ls -CF"' >> /root/.bashrc && \
+    echo 'export HISTSIZE=1000' >> /root/.bashrc && \
+    echo 'export HISTFILESIZE=2000' >> /root/.bashrc
+
+# Fake project files to look lived-in
+RUN mkdir -p /root/projects /root/backups /var/www/html && \
+    echo "# TODO: migrate DB to new server\n# check cron jobs\n# update SSL cert" > /root/notes.txt && \
+    echo "DB_HOST=10.0.0.5\nDB_USER=admin\nDB_PASS=changeme123\nDB_NAME=prod_db" > /root/projects/.env && \
+    echo "[Unit]\nDescription=App Server\n[Service]\nExecStart=/usr/bin/python3 /opt/app/server.py" > /root/projects/app.service
+
+COPY entrypoint.sh /entrypoint.sh
+RUN chmod +x /entrypoint.sh
+
+EXPOSE 22
+
+ENTRYPOINT ["/entrypoint.sh"]
--- a/templates/real_ssh/entrypoint.sh
+++ b/templates/real_ssh/entrypoint.sh
@@ -0,0 +1,34 @@
+#!/bin/bash
+set -e
+
+# Configure root password (default: admin)
+ROOT_PASSWORD="${SSH_ROOT_PASSWORD:-admin}"
+echo "root:${ROOT_PASSWORD}" | chpasswd
+
+# Optional: override hostname inside container
+if [ -n "$SSH_HOSTNAME" ]; then
+    echo "$SSH_HOSTNAME" > /etc/hostname
+    hostname "$SSH_HOSTNAME"
+fi
+
+# Generate host keys if missing (first boot)
+ssh-keygen -A
+
+# Fake bash history so the box looks used
+if [ ! -f /root/.bash_history ]; then
+    cat > /root/.bash_history <<'HIST'
+apt update && apt upgrade -y
+systemctl status nginx
+tail -f /var/log/syslog
+df -h
+htop
+ps aux | grep python
+git pull origin main
+cd /root/projects
+vim notes.txt
+crontab -e
+ls /var/www/html
+HIST
+fi
+
+exec /usr/sbin/sshd -D -e