My employer uses a web proxy with NTLM authentication. Various programs and services on my Ubuntu machine keep their own proxy settings. With every periodic password change I had to go carefully through the list of places where the password is stored and change them all. Missing just one was enough to end up with my own personal account locked because of a few bad password attempts.
Can I have a single point of authentication please? It is exactly what I need here. CNTLM is the answer.
    Username "myusername"
    Domain MYDOMAIN
    Proxy www-proxy.acme.com:80
    Proxy serv-proxy.acme.com:80
    NoProxy localhost, 127.0.0.*, 10.*, 192.168.*
    Listen 3128
    Auth NTLM
Create passwords and append them to
In my case PassNTLMv2 did not work and I had to remove it
from the configuration.
There is a command to create hashed passwords, cntlm -H.
But I found that it did not work well:
    [root@test1 ~]# cntlm -H
    Password:
    PassLM 1234567890QWERTYUIOPASDRASDFACAS
    PassNT ADFASSASDFASDF234LKJOV892ALKODFA
    [root@test1 ~]# cntlm -M http://www.onet.pl
    Password:
    Config profile 1/4... Credentials rejected
    Config profile 2/4... Credentials rejected
    Config profile 3/4... Credentials rejected
    Config profile 4/4... Credentials rejected
    Wrong credentials, invalid URL or proxy doesn't support NTLM nor BASIC.
The other command is just cntlm -M with some URL: it prompts for a password, tests the configuration against the given URL, then prints the working configuration profile with the hashed passwords. This is exactly what you need to append to your configuration. Note it also alters the
    [root@test1 ~]# cntlm -M http://www.onet.pl
    Password:
    Config profile 1/4... Credentials rejected
    Config profile 2/4... OK (HTTP code: 200)
    ----------------------------[ Profile 1 ]------
    Auth NTLM
    PassNT A5D7C8ASDFASWER7497D67B159506B4A
    PassLM E16636FASDFASFABHHBARS22B0014BBC
    ------------------------------------------------
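The PassNT/PassLM values appended to the configuration are all CNTLM needs to authenticate as the account, so the file deserves the same protection as the password itself. The shell function below is an added example, not part of the original post or of CNTLM, that audits a cntlm.conf for that exposure. The function names audit_cntlm_conf and conf_get are hypothetical, and the Password and Gateway directives it checks are CNTLM options that do not appear in the configuration above.

```shell
#!/bin/sh
# Added example (not from the original post): audit a cntlm.conf for
# credential-exposure issues. Findings go to stdout; the return status is
# the number of findings (0 = clean, 255 = file unreadable).
# Usage after sourcing this file: audit_cntlm_conf /etc/cntlm.conf

# Print the last value given for directive $1 in file $2.
# Commented-out lines never match because their first field starts with '#'.
conf_get() {
    awk -v k="$1" '$1 == k { $1 = ""; sub(/^[ \t]+/, ""); v = $0 } END { print v }' "$2"
}

audit_cntlm_conf() {
    conf=$1
    n=0
    [ -r "$conf" ] || { echo "cannot read $conf"; return 255; }

    # The stored hashes are enough to log in as the user, so the file
    # must carry no permission bits for group or others.
    if [ "$(ls -ld "$conf" | cut -c5-10)" != "------" ]; then
        echo "FINDING: $conf is accessible to group/others (chmod 600)"
        n=$((n + 1))
    fi

    # A plaintext Password directive is worse than any hash.
    if [ -n "$(conf_get Password "$conf")" ]; then
        echo "FINDING: plaintext Password directive; replace it with hashes"
        n=$((n + 1))
    fi

    # Auth NTLM and Auth LM both rely on the LM hash, the weakest of the three.
    auth=$(conf_get Auth "$conf")
    if [ -n "$(conf_get PassLM "$conf")" ] || [ "$auth" = "NTLM" ] || [ "$auth" = "LM" ]; then
        echo "FINDING: LM hash in use (Auth ${auth:-unset}); try NTLMv2 if the proxy accepts it"
        n=$((n + 1))
    fi

    # Gateway yes makes cntlm listen on all interfaces instead of loopback only.
    if [ "$(conf_get Gateway "$conf")" = "yes" ]; then
        echo "FINDING: Gateway yes exposes the proxy to other hosts"
        n=$((n + 1))
    fi
    return "$n"
}
```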
Once the configuration is settled it is high time to test it:
    [root@test1 ~]# /usr/sbin/cntlm -U cntlm -fv
    [...]
    cntlm: Using following NTLM hashes: NTLMv2(0) NT(1) LM(1)
    cntlm: Cntlm ready, staying in the foreground
    cntlm: Changing uid:gid to 495:490 - Success
I think it starts automatically in Ubuntu.
There is a package with CNTLM in RHEL 6.4 but without autostart enabled. It needs to be activated manually.
    [root@test1 oracle]# rpm -ql cntlm-0.92.3-1
    /etc/cntlm.conf
    /etc/init.d/cntlmd
    /etc/sysconfig/cntlmd
    /sbin/rccntlmd
    /usr/sbin/cntlm
    /usr/share/doc/cntlm-0.92.3
    /usr/share/doc/cntlm-0.92.3/COPYRIGHT
    /usr/share/doc/cntlm-0.92.3/LICENSE
    /usr/share/doc/cntlm-0.92.3/README
    /usr/share/man/man1/cntlm.1.gz
    [root@test1 oracle]#
    # /etc/init.d/cntlmd restart
    Shutting down CNTLM Authentication Proxy: [ OK ]
    Starting CNTLM Authentication Proxy: [ OK ]
    # chkconfig cntlmd on
Now set up the environment:
And the following line in /etc/yum.conf file as shown below.
Add the following to /etc/profile so that it will be enabled on every boot:
    export http_proxy=http://127.0.0.1:3128/
    export https_proxy=http://127.0.0.1:3128/