Is your feature request related to a problem? Please describe.
Ghidra clients presently pass the computer username to Ghidra servers. As Ghidra has a different concept of a username, this seems like data we could avoid passing. Furthermore, the server then logs this data in server.log.
Describe the solution you'd like
Stop passing computer usernames (e.g. ComputerUsername in the example below) to Ghidra servers from the Ghidra client.
Describe alternatives you've considered
N/A
Additional context
E.g. (constructed) from server.log:
2019-05-05 12:12:12 INFO (RepositoryManager) User 'GhidraServerUsername' authenticated ([email protected])
Wouldn't a quick solution be to use a SHA256 hash of the username?
@nihilus No, as most computer usernames are short, it would be trivial to try common usernames or use a rainbow table to figure out the user's name. This is more of a privacy concern than a security problem, but it also has usability impact. I don't use the same username on different computers/services, so the Ghidra client defaulting to using my computer account username rather than just prompting for my username is unhelpful.
@kjcolley7 then use SHA512. If an attacker is an issue, then you have got more than one issue and should either be on psych meds for delusions and paranoia or use a VPN tunnel. ;-)
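The point argued in the two comments above, as an added example that is not part of the original thread or of Ghidra's code: an unsalted digest of a short username is recovered by hashing guesses, and moving from SHA-256 to SHA-512 changes nothing. The candidate list and the name `jsmith` are constructed, and the keyed variant is an assumption shown only for contrast; nobody in the thread proposed it.

```python
import hashlib
import hmac
import secrets

# Constructed candidate list: short, guessable account names of the kind
# the comment above refers to. Not taken from any real system.
CANDIDATES = ["admin", "root", "user", "alice", "bob", "jsmith", "analyst"]


def digest(name: str, algo: str) -> str:
    """Unsalted hash of a username, as the 'quick solution' would send it."""
    return hashlib.new(algo, name.encode("utf-8")).hexdigest()


def recover(observed: str, algo: str, candidates=CANDIDATES):
    """What anyone holding the logged digest can do: hash each guess and
    compare. Cost is one hash per candidate, whatever the digest size."""
    for guess in candidates:
        if hmac.compare_digest(digest(guess, algo), observed):
            return guess
    return None


def keyed_pseudonym(name: str, key: bytes) -> str:
    """Contrast case (an assumption, not proposed in the thread): HMAC under
    a random key that never leaves the client. Without the key, guesses
    cannot be checked against the logged value."""
    return hmac.new(key, name.encode("utf-8"), hashlib.sha256).hexdigest()


def demo():
    results = {}
    for algo in ("sha256", "sha512"):
        logged = digest("jsmith", algo)        # what server.log would hold
        results[algo] = recover(logged, algo)  # same guess loop for both
    key = secrets.token_bytes(32)              # client-side secret
    logged = keyed_pseudonym("jsmith", key)
    # The server lacks `key`, so all it can try is the unkeyed guess loop.
    results["hmac-sha256"] = recover(logged, "sha256")
    return results


if __name__ == "__main__":
    for scheme, found in demo().items():
        print(f"{scheme:12} recovered: {found}")
```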
The user name is passed over an encrypted TLS connection. It is not passed in the clear. The server can be configured to allow prompting for a user name during the authentication process. This name may differ from the local user name.
From svrREADME.html: "Local Ghidra password (-a0) - passwords associated with each user added to the server are maintained in the users file located within the repositories directory. The user will be prompted for this password when connecting to the server."
Despite this option being on, the client still sends the ComputerUsername AND the GhidraUsername (perhaps this is a bug then?).
I'm worried about clients' privacy: servers shouldn't be collecting ComputerUsername unnecessarily.
You can set/change name in {GHIDRA_HOME}/support/launch.properties:
# Username
VMARGS=-Duser.name=YOU_USER_NAME_HERE
Ah, perfect! That is a valid workaround (tested) for this enhancement proposal. Ideally, Ghidra clients wouldn't pass the Java VM username (without changes: ComputerUsername) automatically in the background by default to servers, but for those with privacy concerns I'll push out this as a solution.