Proxy with NTLM authentication: Difference between revisions
Jump to navigation
Jump to search
No edit summary |
|||
Line 1: | Line 1: | ||
Many Corporates are using Proxys with [https://en.wikipedia.org/wiki/NT_LAN_Manager NTLM] authentication which gives you trouble on '''Linux''' as many commands such as '''pip, wget, cpan, lynx ''' or even '''apt''' do '''NOT''' support NLTM authentication.<br> | Many Corporates are using Proxys with [https://en.wikipedia.org/wiki/NT_LAN_Manager NTLM] authentication which gives you trouble on '''Linux''' as many commands such as '''pip, wget, cpan, lynx ''' or even '''apt''' do '''NOT''' support NLTM authentication.<br> | ||
<br> | <br>To mitigate the solution can be '''cntlm''', a tiny tool which sits in between the client application and the corporate proxy.<br><br> | ||
=Install cntlm on Debian/Ubuntu= | =Install cntlm on Debian/Ubuntu= | ||
apt-get install cntlm | apt-get install cntlm |
Revision as of 19:32, 27 September 2022
Many Corporates are using Proxys with NTLM authentication which gives you trouble on Linux as many commands such as pip, wget, cpan, lynx or even apt do NOT support NLTM authentication.
To mitigate the solution can be cntlm, a tiny tool which sits in between the client application and the corporate proxy.
Install cntlm on Debian/Ubuntu
apt-get install cntlm
Configure cntlm
cntlm supports password hashes which is strogly recommend to use,
Create Password Hash:
# cntlm -H -d domain.com -u username Password: PassLM 48A840A3F27888D0552C4BCA4AEBFB11 PassNT 831DE0E83F51180463145ACD2FAB9529 PassNTLMv2 ACDA91797DCFDAF15CFE369C2EE28AE9 # Only for user 'username', domain 'domain.com'
Edit the cntlm configuration:
#nano /etc/cntlm.conf
Sample configuration:
Username username Domain domain.com Proxy wwwproxy.corp.com:8080 NoProxy localhost, 127.0.0.*, 10.*, 192.168.* PassLM 48A840A3F27888D0552C4BCA4AEBFB11 PassNT 831DE0E83F51180463145ACD2FAB9529 PassNTLMv2 ACDA91797DCFDAF15CFE369C2EE28AE9 # Only for user 'username', domain 'domain.com' Listen 3128
Start/Stop/Enable/Disable cntlm
# systemctl status cntlm # systemctl stop cntlm # systemctl start cntlm # systemctl disable cntlm # systemctl enable cntlm
Check cntlm
- Check for an open port, note that 127.0.0.1 should be used instead of 0.0.0.0 (gateway mode)
# netstat -tpan | grep 3128 tcp 0 0 127.0.0.1:3128 0.0.0.0:* LISTEN 1622441/cntlm
- Check syslog
tail -n 200 /var/log/syslog | grep cntlm
- Check process
# ps -e | grep cntlm
Test cntlm
- Try without giving a password
# cntlm -M http://google.com Password: Config profile 1/4... OK (HTTP code: 301) ----------------------------[ Profile 0 ]------ Auth NTLMv2 PassNTLMv2 4A3FCA2104D7B7B9683DB7472279XXXX ------------------------------------------------
Set Linux environment
export https_proxy=http://127.0.0.1:3128 export http_proxy=http://127.0.0.1:3128
Set APT environment
- /etc/apt/apt.conf
Acquire::http::Proxy "http://127.0.0.1:3128";
Finalize
Network tools such as
- pip
- cpan
- curl
- wget
- lynx
should now work without any proxy params