feat(telnet): same PAM cred-capture, /etc/pam.d/login

Promotes auth-helper.c to decnet/templates/_shared/auth-helper/ and
adds _sync_auth_helper_sources() — mirrors the existing sessrec sync
pattern that keeps shared sources in step with per-template build
contexts.

Telnet's image grows the same multi-stage musl build, COPY of the
static helper into /usr/sbin/auth-helper, and prepended pam_exec line
in /etc/pam.d/login. Pulls in the `login` package (real Debian
PAM-aware /bin/login, replacing busybox's PAM-less applet) and
libpam-modules transitively for pam_exec.so.

Verified inside the rebuilt telnet image:
- /bin/login is the real 53KB Debian binary (PAM-aware)
- /etc/pam.d/login top line is the auth-helper hook
- pam_exec.so present at /usr/lib/x86_64-linux-gnu/security/pam_exec.so
- helper smoke-run emits correct RFC 5424 line for `telnetpw` →
  password_b64="dGVsbmV0cHc="

SSH Dockerfile updated to read auth-helper.c from auth-helper/
subdirectory so both templates use the synced layout. The canonical
source lives in _shared/; per-template copies are tracked in git AND
synced at deploy time so a drift on either side rebases on the next
deploy.

Closes the telnet half of DEBT-038's #5 follow-up.
2026-04-25 04:52:35 -04:00
parent f5a9e10bdc
commit f1026b4427
6 changed files with 410 additions and 1 deletions

@@ -1,8 +1,28 @@
ARG BASE_IMAGE=debian:bookworm-slim
# ── Stage 1: build the static auth-helper credential-capture binary ──────────
# Same source the SSH template builds — generic over PAM service. Wired
# into /etc/pam.d/login below so every busybox-telnetd → /bin/login auth
# attempt is captured before pam_unix runs. Static + musl: ~38 KB ELF,
# zero libc version coupling, runs anywhere.
FROM debian:bookworm-slim AS auth-helper-build
RUN apt-get update && apt-get install -y --no-install-recommends musl-tools \
&& rm -rf /var/lib/apt/lists/*
COPY auth-helper/auth-helper.c /tmp/auth-helper.c
RUN musl-gcc -static -O2 -s -Wall -Wextra \
-o /auth-helper /tmp/auth-helper.c
# ── Stage 2: the actual telnet decky image ───────────────────────────────────
FROM ${BASE_IMAGE}
# `login` (real Debian /bin/login, PAM-aware) replaces busybox's PAM-less
# login applet. libpam-modules ships pam_exec.so transitively. Both are
# needed for the auth-helper hook to fire — without them the PAM stack
# can't load pam_exec or call into a real PAM service.
RUN apt-get update && apt-get install -y --no-install-recommends \
busybox-static \
login \
libpam-modules \
rsyslog \
procps \
net-tools \
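Review bot: the `ARG BASE_IMAGE` declared on the first line is not used by the build stage, which hard-codes `FROM debian:bookworm-slim AS auth-helper-build` while stage 2 uses `FROM ${BASE_IMAGE}`, so the two stages can drift apart when the arg is overridden. If the pin is deliberate (musl-tools known to be available there, and a static binary has no runtime coupling, as the comment says), add a one-line comment stating that; otherwise use `FROM ${BASE_IMAGE} AS auth-helper-build` so both stages move together. Consider adding `-Werror` next to `-Wall -Wextra` so a warning in the shared source fails the build instead of scrolling past in the layer output.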
@@ -41,6 +61,15 @@ RUN sed -i \
-e 's|^auth,authpriv\.\*|#auth,authpriv.*|' \
/etc/rsyslog.conf
# auth-helper: drop the static binary into /usr/sbin and wire pam_exec
# into the login PAM stack so every busybox-telnetd password attempt
# (success or fail) is captured before pam_unix runs. Same `optional`
# fail-open semantics as the SSH template.
COPY --from=auth-helper-build /auth-helper /usr/sbin/auth-helper
RUN chmod 755 /usr/sbin/auth-helper && \
sed -i '1i auth optional pam_exec.so expose_authtok stdout /usr/sbin/auth-helper' \
/etc/pam.d/login
# Realistic motd and issue banner
RUN echo "Ubuntu 20.04.6 LTS" > /etc/issue.net && \
echo "Welcome to Ubuntu 20.04.6 LTS (GNU/Linux 5.4.0-150-generic x86_64)" > /etc/motd && \
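Review bot: the hook line prepended by `sed -i '1i auth optional pam_exec.so expose_authtok stdout /usr/sbin/auth-helper'` passes pam_exec's `stdout` option, which redirects the helper's standard output to the calling application's PAM conversation instead of /dev/null; for /bin/login that conversation is the telnet session, so anything the helper prints (the commit message describes a smoke run that emits an RFC 5424 line) would be echoed to the connecting client and reveal the capture. Confirm the helper writes only to syslog or its log file and keeps stdout silent, or drop `stdout` from the line; the `optional` control keeps the fail-open behaviour either way.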