ghidra/Ghidra/RuntimeScripts/Common/server/jaas.conf

//
// JAAS config file for GhidraServer when operating in -a4 mode.
// Only the one section that you wish to enable should be called "auth".
// All other sections will be ignored.




//**********************************************************************************
// Active Directory via LDAP
//**********************************************************************************
// The special string "{USERNAME}" in the authIdentity and userFilter parameters is replaced with the Ghidra user's name
// at runtime by the LdapLoginModule, and should not be modified.
//
// The ldap DNS hostname for your Active Directory server needs to be fixed-up in the userProvider parameter,
// and the domain name portion of your user's identity (ie. user@domain.tld) needs to be fixed up in the
// authIdentity parameter, possibly the port number also (3269).
//
// In this mode, GhidraServer will bind to the LDAP server using the Ghidra user's name and password.  It will
// then query for that same user (sAMAccountName={USERNAME}) to confirm that user's DN. 
//
// See https://docs.oracle.com/javase/8/docs/jre/api/security/jaas/spec/com/sun/security/auth/module/LdapLoginModule.html
// for more information about the LdapLoginModule and its configuration.
//
// Do not use a plain "ldap" URI to connect to your LDAP server unless you want your user's
// credentials to be visible as plaintext network traffic.
//
example_ad_ldap_auth {
	com.sun.security.auth.module.LdapLoginModule REQUIRED
		userProvider="ldaps://<your_active_directory_ldap_server_hostname>:3269"
		authIdentity="{USERNAME}@<your_active_directory_domain_name.tld>"
		userFilter="(sAMAccountName={USERNAME})"
		debug=true;
};


//**********************************************************************************
// JPAM
//**********************************************************************************
// JPAM is not included in the Ghidra distro.  See http://jpam.sourceforge.net/.
//
// Additionally:
//		The libjpam.so native library needs to be copied to your Ghidra/Features/GhidraServer/os/linux64 directory.
//		The JPAM-x.y.jar java library needs to be copied to your Ghidra/Features/GhidraServer/lib directory,
//		and the following entries need to be added to your server/server.conf file:
//			wrapper.java.classpath.PAM=${ghidra_home}/Ghidra/Features/GhidraServer/lib/JPam-x.y.jar
//			wrapper.java.classpath.PAM2=${ghidra_home}/Ghidra/Features/GhidraServer/data/yajsw-stable-12.12/lib/core/commons/commons-logging-1.1.jar
//
//	NOTE: you may need to run GhidraServer as root when using PAM authentication, depending on your configuration.
// 
example_jpam_auth {
	net.sf.jpam.jaas.JpamLoginModule REQUIRED
		// The serviceName parameter controls which PAM service Ghidra will try to authenticate against.
		// This typically corresponds to a file called /etc/pam.d/<serviceName>
		serviceName="system-auth"
	;
};


//**********************************************************************************
// External program (ie. mod_authnz_external)
//**********************************************************************************
// Launches an external program to perform authentication.
//
// You may need to adjust the PROGRAM="" to include the full path to the example script
example_external_auth {
	ghidra.server.security.loginmodule.ExternalProgramLoginModule REQUIRED
	
		// Path to the external program.  An absolute path is preferable.
		PROGRAM="server/jaas_external_program.example.sh"
		
		// Time to wait for external program to finish before killing it, in milliseconds.
		TIMEOUT="1000"
		
		// Any arguments that the external program needs.  Do not include sensitive values as an
		// argument because they can be seen by other users on the system.
		ARG_00="arg1" ARG_01="test arg2"
	;
};