feat(templates): wire SSH+Telnet to sessrec transcript recorder

Build login-session into both images as the swapped root shell, add a quarantine bind mount for telnet (symmetric to SSH), seed transcripts/ dir and service discriminant at entrypoint. Deployer syncs sessrec.c + Makefile into each build context alongside the existing syslog_bridge helper. sessrec falls back to /etc/sessrec.service when env is stripped (busybox /bin/login).
2026-04-21 23:03:42 -04:00
parent 4596c1d69a
commit a58d42e492
11 changed files with 1286 additions and 6 deletions
--- a/decnet/templates/telnet/entrypoint.sh
+++ b/decnet/templates/telnet/entrypoint.sh
@@ -27,6 +27,13 @@ cat /root/.env
 HIST
 fi

+# sessrec needs the transcripts dir on the quarantine mount + a service
+# discriminant file (busybox /bin/login strips env, so we can't rely on
+# SESSREC_SERVICE env var here like the SSH template does).
+mkdir -p /var/lib/systemd/coredump/transcripts
+chmod 750 /var/lib/systemd/coredump/transcripts
+echo "telnet" > /etc/sessrec.service
+
 # Logging pipeline: named pipe → rsyslogd (RFC 5424) → stdout.
 # Cloak the pipe path and the relay `cat` so `ps aux` / `ls /run` don't
 # betray the honeypot — see ssh/entrypoint.sh for the same pattern.