http://www.toms-blog.com/tags/proxy/index.xml Recent content on TomsBlog Hugo -- gohugo.io en-uk http://www.toms-blog.com/post/linux-behind-ntlm-authentication-proxy-using-cntlm/ Sat, 13 Oct 2012 18:16:57 +0000 http://www.toms-blog.com/post/linux-behind-ntlm-authentication-proxy-using-cntlm/ <p>Sometimes you will find your server sat behind a proxy designed for human traffic rather than server traffic and so requires authentication.</p> <p>Although the NTLM protocol is grossly insecure it still seems to used in a lot of proxies. To get your server to download updates you will need to make your server play nice with this authentication as a lot of software does not support the NTLM protocol.</p> <p>CNTLM solves this issue by adding another proxy layer in front of your software which does not require authentication.</p> <p>You can download it from here <a href="http://cntlm.sourceforge.net/">http://cntlm.sourceforge.net/</a></p> <p>We are installing this on CentOS so we need the RPM, for Ubuntu get the DEB file alternatively download the source code and compile it.</p> <p>So on CentOS run:</p> <div class="highlight" style="background: #f0f3f3"><pre style="line-height: 125%"><span></span>rpm -i cntlm-0.92.3-1.x86_64.rpm </pre></div> <p>On Ubuntu run:</p> <div class="highlight" style="background: #f0f3f3"><pre style="line-height: 125%"><span></span>dpkg -i cntlm_0.92.3_amd64.deb </pre></div> <p>Once installed edit the configuration file /etc/cntlm.conf</p> <p>Set the username to your domain username and set the domain:</p> <div class="box"> <p>Username proxyaccess</p> <p>Domain contorso.com</p> </div> <p>Remove any passwords. Set the port you want it to listen on, the default is 3128 and set the proxy server you want to go through:</p> <div class="box"> <p>Listen 3128</p> <p>Proxy 10.0.0.1:8080</p> </div> <p>All we need to do now is create the password hash:</p> <div class="highlight" style="background: #f0f3f3"><pre style="line-height: 125%"><span></span>cntlm -H -M http://10.0.0.1:8080 -c /etc/cntlm.conf </pre></div> <p>-H means create a hash, -M specifies the proxy server and -c specifies the config file to use.</p> <p>You will be asked for your password type it and then a hash will be created like below:</p> <div class="box"> <p>—————————-[ Profile 1 ]——</p> <p>Auth NTLM</p> <p>PassNT 44345CE5DA10BCDF46CB34BAB4B5EEF6</p> <p>PassLM BA46510ADEFAE56345ACC34156ADEE36</p> <p>————————————————</p> </div> <p>Copy all of this output and past it into your configuration file. Now all you need to do is start cntlm:</p> <div class="highlight" style="background: #f0f3f3"><pre style="line-height: 125%"><span></span>cntlm -c /etc/cntlm.conf </pre></div> <p>If you get “Exiting with Error check the Logs”. Have a look in the logs</p> <p>If you see this entry:</p> <p>cntlm: Cannot bind port 3128: Address already in use!</p> <p>CNTLM is already running have a look by running:</p> <div class="highlight" style="background: #f0f3f3"><pre style="line-height: 125%"><span></span>ps aux | grep cntlm <span style="color: #336666">kill</span> -9 PROCESSID </pre></div> <p>Where PROCESSID is the ID of the process you want to kill.</p> <p>Now try and run CNTLM again and you should be done.</p> <p>All you have to do now is point your programs to <a href="http://127.0.0.1:3128">http://127.0.0.1:3128</a> for example for yum edit /etc/yum.conf and add:</p> <div class="box"> <p>proxy = <a href="http://127.0.0.1:3128">http://127.0.0.1:3128</a></p> </div> <p>Now YUM should work. Dont forget to have a look in /var/log/messages or /var/log/syslog for any errors.</p>