${HOME}/ghidra-current is a symlink to the currently active Ghidra directory. That is, I have several versions of Ghidra installed in ${HOME} and ghidra-current points to the one I'm using.
I'm keeping the cacerts and keystore outside of the Ghidra directory to make upgrading Ghidra easier. (I also keep the repositories directory outside of the Ghidra directory for the same reason.)
The directory for the keystore and cacerts should exist and the directory for the keystore should have permissions 0700. This isn't checked.
For this to work, you need to enable PKI authentication in server.conf by setting
wrapper.app.parameter.1=-a2
wrapper.app.parameter.2=${ghidra.repositories.dir}
and
wrapper.java.additional.5=-Dghidra.cacerts=/home/ghidra/ghidra-certs/cacerts
(or wherever you have configured the script for cacerts).
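The script does not check the directory permissions or the server.conf settings described above. The following pre-flight check is an added example, not part of the original script; the function names and the paths in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example (not part of the original script): pre-flight checks for
# the prerequisites described above. Function names are hypothetical.

# check_pki_dirs KEYSTORE_DIR CACERTS_DIR
# Succeeds only if both directories exist and KEYSTORE_DIR has mode 0700.
check_pki_dirs() {
    local keystore_dir="$1"
    local cacerts_dir="$2"
    local mode
    [ -d "$keystore_dir" ] || { echo "missing keystore dir: $keystore_dir" >&2; return 1; }
    [ -d "$cacerts_dir" ] || { echo "missing cacerts dir: $cacerts_dir" >&2; return 1; }
    # GNU stat takes -c, BSD/macOS stat takes -f.
    mode=$(stat -c '%a' "$keystore_dir" 2>/dev/null || stat -f '%Lp' "$keystore_dir")
    [ "$mode" = "700" ] || { echo "$keystore_dir has mode $mode, expected 700" >&2; return 1; }
}

# check_server_conf SERVER_CONF
# Succeeds only if an uncommented -a2 parameter is set and ghidra.cacerts
# points into an existing directory.
check_server_conf() {
    local conf="$1"
    local cacerts
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 1; }
    grep -Eq '^[[:space:]]*wrapper\.app\.parameter\.[0-9]+=-a2[[:space:]]*$' "$conf" \
        || { echo "PKI authentication (-a2) is not enabled in $conf" >&2; return 1; }
    cacerts=$(sed -n 's/^[[:space:]]*wrapper\.java\.additional\.[0-9]*=-Dghidra\.cacerts=//p' "$conf" | head -n 1)
    [ -n "$cacerts" ] || { echo "-Dghidra.cacerts is not set in $conf" >&2; return 1; }
    [ -d "$(dirname "$cacerts")" ] || { echo "cacerts directory does not exist: $cacerts" >&2; return 1; }
}

# Usage (paths are assumptions; substitute your own):
#   check_pki_dirs "$HOME/ghidra-certs" "$HOME/ghidra-certs" \
#     && check_server_conf "$HOME/ghidra-current/server/server.conf"
```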
Running this script will create a new user with the specified user id (what Ghidra calls the sid) and produce a .p12 file. This file will need to be given to the user. The user can connect to the server in the Ghidra client by choosing Edit > Set PKI Certificate..., selecting the .p12 certificate and entering the password ghidra (the default; this is configurable).
Note that I'm making no claims about the security of this setup. Nothing strikes me as obviously wrong or less secure than the password authentication option (-a0) and it seems to work.
An existing Ghidra server setup can be converted to use PKI by stopping the server, changing the server.conf, and then using this script for each existing user. You'll probably want to comment out the ${svrAdmin} -add "${user_alias}" line before running it on existing users to avoid trying to create a user twice.
Here are some (slightly outdated) notes about installing Ghidra Server on Ubuntu.