SuperUser Account
/ Categories: Linux

Linux: Using CNTLM to authenticate to a proxy server

Background

In the datacentre environment, direct web access to the Internet is sometimes blocked for security reasons. CNTLM enables transparent use of a proxy server that requires NTLM authentication. A typical usage scenario would be a Linux server that requires Internet access where such access is only available via something like old Microsoft ISA or Forefront TMG servers. There are still plenty of these relics about.

Download Location

All variants of CNTLM can be downloaded from cntlm.sourceforge.net. The version for use with CentOS is a standard rpm file.

Installation on CentOS

As, in this scenario, you don’t have access to the Internet from your Linux server and therefore cannot use yum, you will have to install CNTLM just like you would any other rpm package, so for the version 0.92.3 package the command line would be:

rpm -i cntlm-0.92.3-1.x86_64.rpm

You will need super user rights to install the package, and it can be installed remotely (using PuTTY or similar) if required.

Configuration

After CNTLM has been installed, you can then edit the configuration file which is /etc/cntlm.conf. The first thing that you will need to do is add a username and domain specific to your network by changing the following lines:

Username proxyuser
Domain mydomain.local

This user account should be a normal user account with rights to access the Internet via the chosen proxy server. Unless the proxy server uses plain text authentication – unlikely and inadvisable – remove the Password entry from the configuration file. You can also set the listener port (default is 3128) by changing the line

Listen 3128

Then you can add a proxy server address (172.16.75.7, for example) and port (8081, for example) by changing the line to match the proxy server and port used on your network, for example:

Proxy 172.16.75.7:8081

Now an NTLM V2 password hash can be generated. At the command line, type

cntlm -H -c /etc/cntlm.conf

You will be prompted to enter the password for the account specified in the /etc/cntlm.conf file. The password hash will then be displayed and can be copied into the cntlm.conf file. If you are using an ISA or Forefront TMG server, you will need the NTLMv2 hash. The generated password hash is unique to the username and password combination. The relevant line in the cntlm.conf file should then read something like this:

PassNTLMv2 53045432614063EAFC1419BB55FBD8AF

That concludes the changes necessary to the cntlm.conf file so you can now save it and exit.
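Before starting the daemon it is worth checking the finished file, because the PassNTLMv2 value is a password equivalent for the proxy account: anyone who can read it can authenticate to the proxy as that user. The script below is an added example, not part of the original technote or of the CNTLM project; it audits a cntlm.conf for the settings described above (Username, Domain, Proxy, PassNTLMv2, no leftover plaintext Password line), checks that the file is not readable by other local users, and flags CNTLM's Gateway option, which would let other hosts use the account through this listener. It assumes GNU stat as found on CentOS, and the sample config it writes for a self-test is constructed from the values used on this page.

```shell
#!/bin/sh
# Added example, not part of the original technote: a pre-flight audit of
# /etc/cntlm.conf before the daemon is started. The PassNTLMv2 value is a
# password equivalent for the proxy account, so the checks focus on keeping
# it out of other users' reach and on the settings cntlm needs to work.
#
# Usage: audit_cntlm_conf /etc/cntlm.conf   (exit 0 = all checks passed)

audit_cntlm_conf() {
    conf="$1"
    rc=0

    if [ ! -r "$conf" ]; then
        echo "FAIL: $conf is missing or not readable"
        return 2
    fi

    # 1. Username, Domain and Proxy must all be set or cntlm cannot authenticate.
    for key in Username Domain Proxy; do
        if ! grep -Eq "^[[:space:]]*$key[[:space:]]+[^[:space:]]" "$conf"; then
            echo "FAIL: $key is not set"
            rc=1
        fi
    done

    # 2. Once the hash is in place the plaintext Password line should be gone.
    if grep -Eq '^[[:space:]]*Password[[:space:]]' "$conf"; then
        echo "FAIL: plaintext Password line still present; remove it"
        rc=1
    fi

    # 3. ISA/TMG need the NTLMv2 hash (32 hex digits) produced by 'cntlm -H'.
    if ! grep -Eq '^[[:space:]]*PassNTLMv2[[:space:]]+[0-9A-Fa-f]{32}[[:space:]]*$' "$conf"; then
        echo "FAIL: no valid PassNTLMv2 line (expected 32 hex digits)"
        rc=1
    fi

    # 4. The hash can be replayed, so group and other must have no access.
    #    Assumes GNU stat (CentOS); %a prints the octal mode, e.g. 600.
    mode=$(stat -c '%a' "$conf")
    case "$mode" in
        *00) ;;
        *) echo "FAIL: mode $mode lets other users read the hash; use chmod 600"
           rc=1 ;;
    esac

    # 5. 'Gateway yes' makes cntlm accept clients from other hosts, which turns
    #    this account into a shared relay; flag it unless that is intended.
    if grep -Eiq '^[[:space:]]*Gateway[[:space:]]+yes' "$conf"; then
        echo "WARN: Gateway yes; remote hosts can use this account through cntlm"
        rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK: $conf passes all checks"
    return "$rc"
}

# Writes a constructed sample config (values taken from the technote) to $1.
# $2 = good  -> hash only, as the technote leaves the file
# $2 = bad   -> plaintext Password left in and Gateway enabled
write_sample_conf() {
    {
        echo "Username proxyuser"
        echo "Domain mydomain.local"
        echo "Proxy 172.16.75.7:8081"
        echo "Listen 3128"
        echo "PassNTLMv2 53045432614063EAFC1419BB55FBD8AF"
        if [ "$2" = "bad" ]; then
            echo "Password NotTheRealPassword"
            echo "Gateway yes"
        fi
    } > "$1"
}

# Run directly with a path to audit that file, e.g. ./audit.sh /etc/cntlm.conf
if [ "$#" -gt 0 ]; then
    audit_cntlm_conf "$1"
fi
```

Run it as root against /etc/cntlm.conf after saving the file; a non-zero exit means at least one line was printed with a FAIL or WARN prefix and the daemon should not be started until it is resolved.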

Starting CNTLM

You can start CNTLM with the following command:

cntlm -c /etc/cntlm.conf

This command can also be added to the server startup file (/etc/rc.d/rc.local) if required.

Using CNTLM with YUM

Now that you can access the Internet via your proxy server, all that is needed is to add an entry for the CNTLM proxy to the /etc/yum.conf file. You should remove any entry for proxy_username and proxy_password as you will instead be using the credentials specified in the /etc/cntlm.conf file. If you have used the default port for CNTLM then the line in /etc/yum.conf should read:

proxy=http://localhost:3128/

YUM can then connect to the Internet via the proxy server using the credentials provided in the CNTLM file.

Using CNTLM with the operating system

In System\Preferences\Network Proxy, you can add the entry for CNTLM:

Localhost 3128

Standard system applications such as yum will then use the CNTLM proxy credentials to access the Internet.
