Suppose you are running a Debian system in a (corporate) Windows environment where internet access is restricted by a web proxy. In many cases the proxy will be configured to use Microsoft’s Active Directory for user authentication as well as the rest of the environment. If you don’t want to integrate your Debian system completely into the Active Directory structure but only need internet access, you have to tell the proxy your Windows/Active Directory user credentials. The following article will show you how this can be done.
For this tutorial, we will assume your web proxy is running on 10.10.10.10:8888, your username is “yourname” and your domain is “yourdomain”. Your password is the incredibly secure string “password”.
How it does not work
In Debian, you can set the system wide HTTP proxy with the
http_proxy environment variable in
/etc/environment. So you might try one of these entries in the config file:
http_proxy="http://10.10.10.10:8888"; http_proxy="http://email@example.com:8888"; http_proxy="http://yourname:firstname.lastname@example.org:8888"; http_proxy="http://yourdomain\yourname:email@example.com:8888"; http_proxy="http://yourdomain\\yourname:firstname.lastname@example.org:8888"; http_proxy="http://yourdomain%5Cyourname:email@example.com:8888"; http_proxy="http://yourname@yourdomain:firstname.lastname@example.org:8888"; http_proxy="http://yourname%40yourdomain:email@example.com:8888"; ...
Anyway, this won’t work since Debian cannot pass your credentials to the web proxy in this way.
Installing and configuring cntlm
Installing cntlm in Debian is pretty straightforward:
sudo aptitude install cntlm
Now for the setup in
/etc/cntlm.conf. Insert your Windows username and domain in the
Domain lines, respectively. Then insert the IP (or server name) and port number of your proxy in a
Proxy line. You can delete the remaining example
Now, since you certainly don’t want to store plain text passwords in your config file, delete the
Password line and create a password hash instead with the following command:
sudo cntlm -a NTLMv2 -H
This will prompt you for your Windows/Active Directory account password and print some password hashes. Copy these into
/etc/cntlm.conf, somewhere near your username and domain (the
script command or tmux comes in handy for copying stuff in a pure terminal session).
The rest of Debian’s default configuration is perfectly fine and can be left untouched. Now the relevant parts of your config file will look something like this:
Username yourname Domain yourdomain PassLM 4EA13780FA2739CBF9A3DB36E1842750 PassNT 50A6273195483DB741C61748AD59B302 PassNTLMv2 E9367A4B710F74B92C00684F7D38ACDE Proxy 10.10.10.10:8888
If you didn’t change this part of the default configuration cntlm is now listening on port 3128. You can set cntlm as the sytem wide HTTP proxy by adding the following line to
Many applications have their own proxy settings though; some of them even ignore the system wide
http_proxy. For instance, sudo resets most environment variables including
http_proxy (to keep it, use
sudo -E). So you have to check the documentation of the programs you need concerning their proxy settings. For example, to use the cntlm proxy in aptitude/apt add the following line to
If some program does not respect the system wide HTTP proxy and has no proxy settings of its own, you can still route it through the cntlm proxy using a tool like proxychains: Install the proxychains package and put the following line into
~/.proxychains (maybe you would like to have a look at some additional configuration options in
/etc/proxychains as well):
http localhost 3128
Then instead of invoking the program directly you prepend a call to proxychains:
proxychains programname [arguments]
For some further reading on cntlm you might like an article by Yorkim Parmentier.