…with an open minded approach

Posts tagged “cntlm

How to configure (k/x)ubuntu behind a NTLM proxies (aka ISA MS Server, aka Internet Security and Acceleration Server), using cNTLM

What’s the scenario ?

Imagine you have your very-pretty linux computer inside a network, like your job network, and to connect with internet you have to go through a proxy which asks you the username and password.

Such a proxy is usually a  “NTLM proxy”, and requires that all the comunications from your computer to the internet to be “mediated” by the proxy using a special protocol called NTLM.

This means that the programs that you have in your computer must be capable of “talking NTLM” with the proxy, and in ubuntu there are few of them that can do this without any hack (for example firefox is “NTLM-proxy” capable)

So what is the hack that can solve this?

Well, although a program may not be able to talk “NTLM-proxy” by itself, there are many of them that are capable of talking to a “normal-proxy” (without the NTLM protocol, that is, they can talk to a “normal-proxy” but not to a “NTLM-proxy” because they can’t do the NTLM-part).

So the idea is to install Cntlm – which will create a virtual “normal-proxy”  locally in your computer which takes care automatically and adds the NTLM protocol to the normal connections made to the “normal-proxy”.

After you have the Cntlm installed, you configure your program to use the virtual “normal-proxy” created by Cntlm and by doing all this, you will finaly have your program (which is only “normal-proxy” capable) going through the NTLM proxy, via the virtual “normal-proxy” of Cntlm

Confusing? It is not, just harder to explain than to show 🙂

Resumed instructions of how to make it happen

NOTE: I no longer have access to a linux computer behind a NTLM proxy, and so I will only leave the notes I’ve taken in the past to install and configure Cntlm in a debian/ubuntu system. The notes are proven to work although they may look as vague indications and not a step-by-step guide, but I hope that they are enough to give someone an overview of the sequence:

1. Install and configure Cntlm
1.1- download cntlm deb-package

sudo wget http://ftp.debian.org/pool/main/c/cntlm/cntlm_0.35.1-5_i386.deb

(NOTE: the above link is for all debian and (x/k/l)ubuntus)

1.2 – install deb-package

sudo dpkg -i cntlm_0.35.1-5_i386.deb

1.3- Configure Cntlm to use the “NTLM-proxy”, by creating the file /etc/cntlm.conf

sudo pico /etc/cntlm.conf

…and fill in with your NTLM-proxy information:

Username        theNLTM-ProxyUsername
Domain          yourdomain.com
Password        theNTLM-ProxyPassword

(this is the minimum the conf file must contain to work – for much more options and twists see the man page “Configuration” section)

1.4- Restart Cntlm to make configuration changes to take effect

invoke-rc.d cntlm restart

With the above done, we will have the Cntlm virtual proxy installed and running in http://127.0.0.1:3128

2. Configure your programs to use the local “normal-proxy” http://127.0.0.1:3128

2.1- Change .bashrc, to configure the default proxy for: wget curl apt-get and others

echo ” >> $HOME/.bashrc
echo ‘#:) Cntlm local proxy configuration’ >> $HOME/.bashrc
echo ‘export http_proxy=http://127.0.0.1:3128’ >> $HOME/.bashrc
echo ‘export https_proxy=http://127.0.0.1:3128’ >> $HOME/.bashrc
echo ‘export ftp_proxy=http://127.0.0.1:3128’ >> $HOME/.bashrc
echo ” >> $HOME/.bashrc

…and now close and open a new console (so that the changes made to .bashrc take effect)

To test if wget (for example) is working fine through the Cntlm proxy, do:

wget -O- http://www.google.com

…and if is takes too long to “connect” then something is wrong. If it executes fast and shows a text-storm then it’s working ok 🙂

2.2- Configure  KDE and Konqueror (doesn’t include Synaptic Manager, it uses it’s own network configuration, not very much configurable in fact…)

Goto K->ConfiguracionDelSistema->ConfiguracionesDeRed->EspecificarManualmenteConfiguracionProxy
HTTP: http://127.0.0.1          PUERTO: 3128
x – User el mismo proxy para todos protocolos

… and now Konqueror should correctly connect to internet

Brainstorming:

The man page of cntlm is *very* well documented – the guy that made it knew what hw was doing… and he made it in C.

It also supports to behave as a SOCKs proxy and/or establish SSH tunnels – read that man page, it gets very interesting all that can be done with Cntlm behind a proxy:)

It’s the most stable NTLM-wrapper proxy that I’ve found, and the best of all by clear advantage, although it seems one of those lost-perls of open source that doesn’t get the deserved attention.

I am aware that wget has a built-in option to talk to  “NTML proxy” which is (–http-user and –http-password) – I’ve used wget here as an example and without taht option so that it uses the Cntlm proxy installed pointed to by the  “http_proxy” environment variable

And Cntlm seems to be made by only 1 person without any external libraries… incredible

I know a few more examples and tests would be a great addon to the above instructions, but i have no access to a NTLM proxy now.. so if you have something to add, please post as comment and we shall review/include it 🙂

This is my first post, in my first blog – that might explain some enthusiasm and some unexperience errors 🙂   the best of open source is the sharing – people should apply it in diverse ways within their lifes 🙂

Advertisements