// // JAAS config file for GhidraServer when operating in -a4 mode. // Only the one section that you wish to enable should be called "auth". // All other sections will be ignored. //********************************************************************************** // Active Directory via LDAP //********************************************************************************** // The special string "{USERNAME}" in the authIdentity and userFilter parameters is replaced with the Ghidra user's name // at runtime by the LdapLoginModule, and should not be modified. // // The ldap DNS hostname for your Active Directory server needs to be fixed-up in the userProvider parameter, // and the domain name portion of your user's identity (ie. user@domain.tld) needs to be fixed up in the // authIdentity parameter, possibly the port number also (3269). // // In this mode, GhidraServer will bind to the LDAP server using the Ghidra user's name and password. It will // then query for that same user (sAMAccountName={USERNAME}) to confirm that user's DN. // // See https://docs.oracle.com/javase/8/docs/jre/api/security/jaas/spec/com/sun/security/auth/module/LdapLoginModule.html // for more information about the LdapLoginModule and its configuration. // // Do not use a plain "ldap" URI to connect to your LDAP server unless you want your user's // credentials to be visible as plaintext network traffic. // example_ad_ldap_auth { com.sun.security.auth.module.LdapLoginModule REQUIRED userProvider="ldaps://:3269" authIdentity="{USERNAME}@" userFilter="(sAMAccountName={USERNAME})" debug=true; }; //********************************************************************************** // JPAM //********************************************************************************** // JPAM is not included in the Ghidra distro. See http://jpam.sourceforge.net/. // // Additionally: // The libjpam.so native library needs to be copied to your Ghidra/Features/GhidraServer/os/linux64 directory. // The JPAM-x.y.jar java library needs to be copied to your Ghidra/Features/GhidraServer/lib directory, // and the following entries need to be added to your server/server.conf file: // wrapper.java.classpath.PAM=${ghidra_home}/Ghidra/Features/GhidraServer/lib/JPam-x.y.jar // wrapper.java.classpath.PAM2=${ghidra_home}/Ghidra/Features/GhidraServer/data/yajsw-stable-12.12/lib/core/commons/commons-logging-1.1.jar // // NOTE: you may need to run GhidraServer as root when using PAM authentication, depending on your configuration. // example_jpam_auth { net.sf.jpam.jaas.JpamLoginModule REQUIRED // The serviceName parameter controls which PAM service Ghidra will try to authenticate against. // This typically corresponds to a file called /etc/pam.d/ serviceName="system-auth" ; }; //********************************************************************************** // External program (ie. mod_authnz_external) //********************************************************************************** // Launches an external program to perform authentication. // // You may need to adjust the PROGRAM="" to include the full path to the example script example_external_auth { ghidra.server.security.loginmodule.ExternalProgramLoginModule REQUIRED // Path to the external program. An absolute path is preferable. PROGRAM="server/jaas_external_program.example.sh" // Time to wait for external program to finish before killing it, in milliseconds. TIMEOUT="1000" // Any arguments that the external program needs. Do not include sensitive values as an // argument because they can be seen by other users on the system. ARG_00="arg1" ARG_01="test arg2" ; };