anti
7aff040579
Introduces the 'real_ssh' service plugin backed by a genuine OpenSSH server (not cowrie), and the 'deaddeck' archetype that uses it. The container ships with a lived-in Linux environment and a deliberately weak root:admin credential to invite exploitation. - templates/real_ssh/: Dockerfile + entrypoint (configurable via env) - decnet/services/real_ssh.py: BaseService plugin, service_cfg supports password and hostname overrides - decnet/archetypes.py: deaddeck archetype added - tests/test_real_ssh.py: 17 tests covering registration, compose fragment structure, overrides, and archetype Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
47 lines
1.3 KiB
Python
47 lines
1.3 KiB
Python
from pathlib import Path
|
|
|
|
from decnet.services.base import BaseService
|
|
|
|
TEMPLATES_DIR = Path(__file__).parent.parent.parent / "templates" / "real_ssh"
|
|
|
|
|
|
class RealSSHService(BaseService):
|
|
"""
|
|
Fully interactive OpenSSH server — no honeypot emulation.
|
|
|
|
Used for the deaddeck (entry-point machine). Attackers get a real shell.
|
|
Credentials are intentionally weak to invite exploitation.
|
|
|
|
service_cfg keys:
|
|
password Root password (default: "admin")
|
|
hostname Override container hostname
|
|
"""
|
|
|
|
name = "real_ssh"
|
|
ports = [22]
|
|
default_image = "build"
|
|
|
|
def compose_fragment(
|
|
self,
|
|
decky_name: str,
|
|
log_target: str | None = None,
|
|
service_cfg: dict | None = None,
|
|
) -> dict:
|
|
cfg = service_cfg or {}
|
|
env: dict = {
|
|
"SSH_ROOT_PASSWORD": cfg.get("password", "admin"),
|
|
}
|
|
if "hostname" in cfg:
|
|
env["SSH_HOSTNAME"] = cfg["hostname"]
|
|
|
|
return {
|
|
"build": {"context": str(TEMPLATES_DIR)},
|
|
"container_name": f"{decky_name}-real-ssh",
|
|
"restart": "unless-stopped",
|
|
"cap_add": ["NET_BIND_SERVICE"],
|
|
"environment": env,
|
|
}
|
|
|
|
def dockerfile_context(self) -> Path:
|
|
return TEMPLATES_DIR
|