GT-2658 - JAAS auth - minor doc tweaks, cleanup

Ghidra/Features/GhidraServer/src/main/java/ghidra/server/remote/GhidraServer.java

@@ -87,7 +87,7 @@ public class GhidraServer extends UnicastRemoteObject implements GhidraServerHan
 		PKI_LOGIN("PKI"),
 		ALT_OS_PASSWORD_LOGIN("OS Password & Password File"),
 		JAAS_LOGIN("JAAS"),
-		KRB5_AD("Active Directory via Kerberos");
+		KRB5_AD_LOGIN("Active Directory via Kerberos");
 
 		private String description;
 
@@ -107,7 +107,7 @@ public class GhidraServer extends UnicastRemoteObject implements GhidraServerHan
 				case 2: return PKI_LOGIN;
 				case 3: return ALT_OS_PASSWORD_LOGIN;
 				case 4: return JAAS_LOGIN;
-				case 5: return KRB5_AD;
+				case 5: return KRB5_AD_LOGIN;
 				default: return null;
 			}
 			//@formatter:on
@@ -185,7 +185,7 @@ public class GhidraServer extends UnicastRemoteObject implements GhidraServerHan
 			case JAAS_LOGIN:
 				authModule = new JAASAuthenticationModule("auth", allowUserToSpecifyName);
 				break;
-			case KRB5_AD:
+			case KRB5_AD_LOGIN:
 				if (loginDomain == null || loginDomain.isBlank()) {
 					throw new IllegalArgumentException("Missing login domain value -d<domainname>");
 				}

Ghidra/Features/GhidraServer/src/main/java/ghidra/server/remote/ServerHelp.txt

@@ -11,7 +11,7 @@ Command line parameters:
 	
    -p# : base TCP port to be used (default: 13100) [see Note 1]
    
-   -a# : an optional authentication mode where # is a value 0 or 2 or 4
+   -a# : an optional authentication mode where # is a value of 0, 2, 4, or 5
          0 - Private user password
          2 - PKI Authentication
          4 - JAAS Authentication controlled by config file pointed to by -jaas

Ghidra/Features/GhidraServer/src/main/java/ghidra/server/security/Krb5ActiveDirectoryAuthenticationModule.java

@@ -26,6 +26,7 @@ import javax.naming.directory.*;
 import javax.security.auth.Subject;
 import javax.security.auth.callback.*;
 import javax.security.auth.login.*;
+import javax.security.auth.spi.LoginModule;
 
 import com.sun.security.auth.module.Krb5LoginModule;
 
@@ -38,6 +39,7 @@ import ghidra.server.UserManager;
  * <p>
  * This auth module needs to know the Active Directory domain name, and then from there it can bootstrap
  * itself using DNS lookups to find the Kerberos server.
+ * <p>
  */
 public class Krb5ActiveDirectoryAuthenticationModule implements AuthenticationModule {
 
@@ -45,7 +47,8 @@ public class Krb5ActiveDirectoryAuthenticationModule implements AuthenticationMo
 	private String domainName;
 	private boolean stripDomainFromUsername = true;
 
-	public Krb5ActiveDirectoryAuthenticationModule(String domainName, boolean allowUserToSpecifyName) {
+	public Krb5ActiveDirectoryAuthenticationModule(String domainName,
+			boolean allowUserToSpecifyName) {
 		this.domainName = domainName;
 		this.allowUserToSpecifyName = allowUserToSpecifyName;
 	}
@@ -134,6 +137,11 @@ public class Krb5ActiveDirectoryAuthenticationModule implements AuthenticationMo
 
 	//--------------------------------------------------------------------------------------------------
 
+	/**
+	 * A JAAS {@link Configuration} helper that forces a simple JAAS setup of a single
+	 * 'required' {@link LoginModule}.  (instead of an external JAAS config file)
+	 *
+	 */
 	private static class JAASConfiguration extends Configuration {
 
 		private AppConfigurationEntry staticConfigEntry;
@@ -150,6 +158,12 @@ public class Krb5ActiveDirectoryAuthenticationModule implements AuthenticationMo
 			return new AppConfigurationEntry[] { staticConfigEntry };
 		}
 
+		/**
+		 * Allows adding options to the {@link LoginModule}
+		 *
+		 * @param name string name of the option
+		 * @param value value of the option
+		 */
 		public void addOption(String name, Object value) {
 			options.put(name, value);
 		}
@@ -157,6 +171,13 @@ public class Krb5ActiveDirectoryAuthenticationModule implements AuthenticationMo
 
 	private static final String SRV_RECORD_TYPE = "SRV";
 
+	/**
+	 * Returns the first Microsoft Active Directory domain controller for the specified domainName.
+	 *
+	 * @param domainName the local domain name of the MS Active Directory system
+	 * @return address of the domain controller, or null if not found
+	 * @throws NamingException
+	 */
 	private static InetSocketAddress getFirstDomainController(String domainName)
 			throws NamingException {
 

Ghidra/RuntimeScripts/Common/server/jaas/jaas_external_program.example.conf

@@ -4,8 +4,15 @@
 
 auth {
 	ghidra.server.security.loginmodule.ExternalProgramLoginModule required
+	
+		// Path to the external program.  An absolute path is preferable.
 		PROGRAM="server/jaas/jaas_external_program.example.sh"
+		
+		// Time to wait for external program to finish before killing it, in milliseconds.
 		TIMEOUT="1000"
+		
+		// any arguments that the external program needs.  Do not include sensitive values as an
+		// argument as they can be seen by other users on the system.
 		ARG_00="arg1" ARG_01="test arg2"
 	;
 };

Ghidra/RuntimeScripts/Common/server/server.conf

@@ -111,7 +111,7 @@ ghidra.repositories.dir=./repositories
 #   -ip <hostname> : remote access hostname or IPv4 address to be used by clients
 #   -i #.#.#.# : interface IPv4 address to accept connections on (default all interfaces)
 #   -p# : base TCP port to be used (default: 13100)
-#   -a# : an optional authentication mode where # is a value 0 or 2
+#   -a# : an optional authentication mode where # is a value of 0, 2, 4 or 5
 #         0 - Private user password
 #         2 - PKI Authentication
 #         4 - JAAS Authentication